When integrating PhishProtection into any environment, you have three basic requirements. 


  1. Firewall or Email Server

    1. Configure the delivery IP’s in your allowlist or enhanced connector so that email that comes from the PP email gateway is not automatically considered as spam and that DKIM and SPF are not broken. 

  2. DNS 

    1. Create a time of click cname pointing to urlf.phishprotection.com

    2. Updating MX record

  3. Phish Protection Portal

    1. Configuring Users

    2. Configuring Company Options

    3. Configuring Visual Indicators of problems or threats


Once these basic steps are completed, the PP system is connected to your email server and is ready to filter inbound emails and detect threats. 


Each email server is going to have a different method for allow listing the gateway IPs and exporting or connecting users to the PP portal. This is the most time-consuming step, as adding the IPs to the allow list will require cutting and pasting.


These steps cover both the basics and advanced configuration options for Office 365 with instructions from Jan 2023. 


Most of the advanced configuration options are inspired by 

https://www.undocumented-features.com/2019/08/13/exchange-online-protection-eop-best-practices-and-recommendations/ the author works for Microsoft as a Senior content writer and specializes in Office 365 administration. 


How It Works

The following diagrams illustrate, from an overview perspective, how the PhishProtection service integrates with your existing email provider to protect against phishing attacks.

Without Phish Protection



  • Email is sent to the user from good (1) and bad (2) actors. 

  • Email is delivered to the user's email provider (3). 

  • While the email may be filtered for viruses / spam (by email provider), the user may follow any links in the email, which may redirect them to a malicious (phishing) website.

With Phish Protection


  • Email is sent to the user from good (1) and bad (2) actors. 

  • Email is delivered to Phish Protection (3). Email is filtered for spam/known phishing, and headers indicating the likelihood of phishing are added to the email. Links are rewritten to the "Time of Click" filter domain. The email is then forwarded to the email provider (4). 

  • The email provider may be configured to auto-spam / filter emails based on the additional headers. 

  • When the user clicks links in the email, they are directed to the "Time of Click" filter. If the rewritten URL is safe, the user is transparently redirected to the original link (6).

  • If the URL is unsafe, the user is alerted and prevented (7) from visiting the malicious site.