SPF and DKIM setup for KnowBe4
✅ SPF
✅ DKIM
SPF Setup for KnowBe4
SPF (Sender Policy Framework) is used to specify which mail servers are allowed to send email on behalf of your domain. To authorize KnowBe4's sending IPs, you need to include them in your domain’s SPF record.
Step-by-Step Instructions:
- Access Your DNS Settings
Log in to your DNS provider (such as GoDaddy, Cloudflare, etc.).
- Locate Your SPF Record
Look for an existing TXT record for your domain with a value starting with v=spf1.
- If you already have an SPF record, add KnowBe4’s include:
include:_spf.knowbe4.com
Example: v=spf1 include:_spf.google.com include:_spf.knowbe4.com ~all
- If you don’t have an SPF record yet, create a new TXT record:
- Name/Host: @ (or leave blank depending on your provider)
- Type: TXT
- Value: v=spf1 include:_spf.knowbe4.com ~all
- Save Your Changes
Once saved, DNS changes may take up to 48 hours to propagate.
⚠️ Important:
- You should only have one SPF record per domain.
- Never create multiple SPF records; instead, combine includes into a single record.
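The decision in the steps above (create, update, or fix duplicates first) as an added Python example; it is not KnowBe4's own tooling. The function names are hypothetical and the TXT values in `SAMPLE_TXT` are constructed.

```python
KNOWBE4_INCLUDE = "include:_spf.knowbe4.com"  # value given in the steps above

# Constructed sample: TXT values as a DNS lookup for the domain might return them.
SAMPLE_TXT = ['"v=spf1 include:_spf.google.com ~all"', "google-site-verification=abc"]


def spf_records(txt_records):
    """Return only the TXT values that are SPF records (first term is v=spf1)."""
    out = []
    for r in txt_records:
        parts = r.strip().strip('"').split()
        if parts and parts[0].lower() == "v=spf1":
            out.append(" ".join(parts))
    return out


def add_include(record, include=KNOWBE4_INCLUDE):
    """Insert `include` before the `all` mechanism; unchanged if already present."""
    terms = record.split()
    if include.lower() in (t.lower() for t in terms):
        return record
    for i, t in enumerate(terms):
        if t.lstrip("+-~?").lower() == "all":
            terms.insert(i, include)  # terms after `all` are never evaluated
            break
    else:
        terms.append(include)  # record has no `all` mechanism
    return " ".join(terms)


def plan_spf_change(txt_records, include=KNOWBE4_INCLUDE):
    """Return (action, record): the single SPF record the domain should publish."""
    found = spf_records(txt_records)
    if not found:
        return ("create", f"v=spf1 {include} ~all")
    if len(found) > 1:
        # More than one v=spf1 record makes SPF evaluation fail with permerror
        # (RFC 7208), so combine them into one record before adding anything.
        return ("merge-duplicates-first", None)
    updated = add_include(found[0], include)
    return ("ok", updated) if updated == found[0] else ("update", updated)


if __name__ == "__main__":
    print(plan_spf_change(SAMPLE_TXT))
```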
SPF alignment:
DMARC requires domain alignment. For SPF to pass alignment, the Return-Path domain (envelope sender) must match the From: domain. Apart from adding “include:_spf.knowbe4.com” to the SPF record, there are some additional steps that you need to take to achieve SPF alignment.
By default, KnowBe4 uses its own domain in the Return-Path (e.g., bounce.knowbe4.com), which breaks SPF alignment.
To fix this, KnowBe4 allows you to customize the Return-Path to your domain.
Step-by-Step: How to Change the Return-Path in KnowBe4
Phishing Emails
⚠️ Note: Do not use this if you're relying on Microsoft 365’s Advanced Delivery Policies, as it may interfere with them.
- Log in to your KnowBe4 admin account.
- Click your email address in the top-right corner, then select Account Settings.
- Scroll down to the Phishing Settings section.
- In the Phishing Email Headers subsection:
- Check the box next to:
“Overwrite Fixed Return-path Address with Sender Address”
- Scroll down and click Save Changes.
Training Emails
- Log in to your KnowBe4 admin account.
- Click your email address in the top-right corner, then select Account Settings.
- Scroll down to the Training Settings section.
- In the Training Email Headers subsection:
- Check the boxes next to:
"Enable Content Surveys for All New Training Campaigns"
“Overwrite Fixed Return-path Address with Sender Address”
DKIM Setup for KnowBe4
DKIM (DomainKeys Identified Mail) allows you to authorize KnowBe4 to send signed emails on behalf of your domain, which improves deliverability and supports DMARC compliance.
Step-by-Step: Enable DKIM for Your Domain in KnowBe4
1. Log in to your KnowBe4 admin console.
2. Click your email address in the top-right corner and select Account Settings.
3. Scroll to the Phishing Settings section.
4. Click the link for Enable DKIM Signature.
5. Click Use Your Own Signing Domain.
6. Choose the domain you want to use. To add a domain to this drop-down menu, you will first need to add an allowed domain in your KnowBe4 account.
⚠️ Important: If your KnowBe4 account includes multiple domains, ensure that you select the primary domain for DKIM setup. Only the primary domain can pass the DKIM check; emails sent from the other domains will not pass DKIM validation.
7. Click Create a DKIM Selector for This Domain.
8. KnowBe4 will generate one DNS TXT DKIM record:
9. Add the TXT record to your domain’s DNS.

⚠️ Note: To confirm that your DNS provider has recognized the TXT record, click the "Validate the DNS TXT record for this DKIM selector" button.

10. Once validated, click OK in the DKIM Selectors Details window in your KSAT console.
11. Click Save Changes at the bottom of your Account Settings page.
⚠️ Note: If you're sending both Phishing and Training emails, you need to configure SPF and DKIM separately for each type. The setup process is the same for both.