Configuring Sending Profiles and SMTP in GoPhish Cloud
Last updated April 8, 2026
Sending profiles define how GoPhish delivers phishing simulation emails. This guide covers SMTP setup, common providers, and troubleshooting delivery issues.
What Is a Sending Profile?
A sending profile is GoPhish’s connection to an SMTP server. Each campaign uses one sending profile to send emails. You can create multiple profiles for different scenarios (e.g., internal relay vs. external provider).
Creating a Sending Profile
- Navigate to Sending Profiles in the left sidebar.
- Click New Profile.
- Complete the fields:
| Field | Description | Example |
|---|---|---|
| Name | Label for this profile | “Office 365 Relay” |
| From | Sender email address | it-helpdesk@yourdomain.com |
| Host | SMTP server and port | smtp.office365.com:587 |
| Username | SMTP auth username | service-account@yourdomain.com |
| Password | SMTP auth password | (your password) |
| Ignore Certificate Errors | Skip TLS verification | Usually leave unchecked |
- Add any custom Email Headers if needed (e.g.,
X-Mailer). - Click Send Test Email to validate.
- Click Save Profile.
Common SMTP Providers
Microsoft 365 / Office 365
- Host:
smtp.office365.com:587 - Auth: Username + password (SMTP AUTH must be enabled for the account)
- Notes: Enable SMTP AUTH in the Microsoft 365 admin center under the user’s mail settings. If your tenant uses Security Defaults, you may need to exclude the service account or use an App Password.
Google Workspace
- Host:
smtp.gmail.com:587 - Auth: Username + App Password (not your regular password)
- Notes: Enable 2FA on the account, then generate an App Password at myaccount.google.com. Less Secure Apps is deprecated — always use App Passwords.
Amazon SES
- Host:
email-smtp.<region>.amazonaws.com:587 - Auth: SMTP credentials generated in the SES console (not IAM credentials)
- Notes: Verify your sending domain and request production access to remove the sandbox sending limit.
Custom / On-Premises SMTP
- Host: Your relay server address and port (typically 25, 465, or 587)
- Auth: As configured on your server
- Notes: Ensure the VM’s IP is allowed to relay. Check that your firewall permits outbound traffic on the SMTP port.
Improving Email Deliverability
Poor deliverability means your simulation emails land in spam or get blocked entirely, reducing the effectiveness of your training program.
SPF Record
Add the sending server’s IP to your domain’s SPF record:
v=spf1 include:spf.protection.outlook.com ip4:<VM_IP> ~all
DKIM Signing
If your SMTP provider supports DKIM, enable it. For Office 365 and Google Workspace, DKIM is configured in the admin console.
DMARC Policy
Ensure your domain’s DMARC policy allows the sending source. Start with a p=none policy while testing.
Envelope Sender
The From address in your sending profile should match a real domain you control with proper SPF/DKIM/DMARC records.
Troubleshooting
“Connection refused” or timeout Outbound SMTP ports may be blocked. Azure blocks port 25 by default. Use port 587 (STARTTLS) instead.
“Authentication failed” Double-check credentials. For Office 365, ensure SMTP AUTH is enabled. For Gmail, use an App Password.
“Certificate error” If your internal SMTP server uses a self-signed certificate, enable Ignore Certificate Errors in the sending profile. Do not use this with external providers.
Emails going to spam Review SPF, DKIM, and DMARC configuration. Avoid spam trigger words in subject lines during testing. Start with a small batch to warm up the sending reputation.
Still need help? Open a ticket at support.hailbytes.com.