[Start] Checklist: before your first phishing simulation

Use this checklist to prepare your organization for a successful first phishing simulation. It helps you avoid common issues like blocked emails, inaccurate reporting, or sending to the wrong audience.

Access to the admin portal

• Confirm you can sign in to the admin portal with an admin role, see Access to the admin portal
• Confirm your plan has access to the Phishing module.

Users and groups are ready

• Confirm your target users exist in Guardey (via import, SCIM, or manual creation).
• Confirm user email addresses are correct and unique.
• Create or verify the groups you want to target (for example, All users, Finance, or Management).

ℹ️ Group targeting is the easiest way to control scope and avoid sending tests to the wrong audience.

Whitelisting is in place

• Identify your email platform (for example, Microsoft 365 or Google Workspace) and check your firewall policies.
• Complete the correct whitelisting guide for your platform before sending your first campaign.
• Confirm your mail security tooling will not rewrite links or scan emails in a way that creates false events.

Next step

• [Deliverability] Whitelisting overview: what to whitelist for email delivery
• [Deliverability] Whitelisting Microsoft 365
• [Deliverability] Whitelisting Google Workspace

ℹ️ Without whitelisting, emails can land in quarantine or be scanned automatically. This can cause unexpected “opens” or “clicks” in reporting.

Templates are selected and reviewed

• Choose the template(s) you want to use for your simulation.
• Confirm the template matches your goal (baseline test, awareness reminder, or targeted scenario).
• Confirm the template language behavior fits your audience.
• Preview the template content and links before you launch.

Next step

• [Template] Choose templates: best practices
• [Template] Customize templates

Choose the right campaign type

Pick one of these options based on your goal:

One-time phishing campaign

Choose this if you want to send one email to each selected user.

Next step

• [Campaign] Set up a one-time phishing campaign

Randomized phishing campaign

Choose this if you want Guardey to send emails at random times within a defined window.

Next step

• [Campaign] Set up a randomized phishing campaigns

Custom spear phishing simulation request

Choose this if you need a custom, high-impact simulation created by Guardey.

Next step

• [Campaign] Request a custom spear phishing simulation

Scheduling is configured

• Confirm your preferred date or time.
• For randomized campaigns, confirm the sending window is long enough to reduce predictability.

ℹ️ As a best practice, spread emails over multiple business days to reduce “word-of-mouth” warnings and improve realism.

Run a controlled first test

• Start with a test to yourself or your team (for example, your internal project team or a test group).
• Send your first simulation to confirm deliverability and correct reporting behavior.
• Set up the campagin to the target audience after the test behaves as expected.

Validate results after sending

• Open the campaign in the phishing module of the admin portal.
• Confirm emails were delivered to the expected users.
• Review the first user interaction events (open, click, report, ignore).
• If you see unexpected events, check your mail security scanning and whitelisting setup.

Next step

• [Reporting] Phishing reporting explained: email sent, opened, link clicked, submitted data
• [Troubleshooting] Why do I see clicks when nobody clicked?