Skip to content

Sending domains and IPs

Sophos Phish Threat sends campaign emails using a set of domains and IP addresses.

To see the list of these domains and IP addresses, go to My Products > Phish Threat > Settings > Sending domains and IPs.

If you're a Sophos Mailflow user, you should also refer to the list of IP addresses used for Sophos Mailflow. See Sophos Mailflow IP addresses.

You must allow email and web traffic to and from these domains and IP addresses through your email gateway, web proxy, firewall appliance, and anywhere else in your environment where email and web filtering is done. If you don't do this, Sophos Phish Threat can't work properly.

Microsoft 365 users can still have issues with Phish Threat emails not being delivered. Adding Phish Threat addresses to your Microsoft 365 admin center can help prevent these issues. For more information about resolving these issues, see Set up Phish Threat for M365 environments.

You can also find out how Microsoft Defender for Office 365 Safe Link and Safe Attachments interact with Sophos Phish Threat. This feature was formerly called Office 365 Advanced Threat Protection (ATP).

You can also find out about working with other third-party email security products.

Microsoft Defender for Office 365 exclusions

If you use Microsoft Defender for Office 365 you must set up exceptions for Sophos Phish Threat IP addresses and domain names in the allow list. If you don't do this, Sophos Phish Threat can't work properly.

Defender for Office 365 offers security features such as Safe Links and Safe Attachments. For more information, see Increase threat protection for Microsoft 365 for business.

Safe Links helps protect the organization by providing time-of-click verification of web addresses (URLs) in email messages and Office documents. Safe Attachments checks to see if email attachments are malicious, and then takes action.

If Sophos Phish Threat IP addresses and domain names aren't included in the allow list, Microsoft 365 (formerly Office 365) executes the links. This makes it seem like an end user has clicked on the links. To ensure the proper execution of Sophos Phish Threat with Microsoft 365, you must set up exceptions for the Sophos Phish Threat IP addresses and domains for both Safe Links and Safe Attachments in Microsoft 365.

For instructions on how to set up these exceptions, see IP addresses and domains.

Other third-party email scanning products and Sophos Phish Threat

Other third-party email security products may apply their own scanning techniques that open links and attachments in emails as they are processed. If this is the case you may receive reports indicating that your users have clicked links.

You must add the Sophos Phish Threat IPs and domains to allow lists within the third-party product.

To see the list, go to My Products > Phish Threat > Settings > Sending domains and IPs.

We are aware that some third-party solutions do not allow their security features to be bypassed in this way. We are actively investigating ways to prevent false positive campaign results caused by third-party security products. We hope to include these in Sophos Phish Threat in the near future.