How to set up DMARC for KnowBe4 in Valimail

SPF(supported) / (dedicated subdomain)
DKIM(recommended)

KnowBe4 is a training and compliance service. It typically sends spoofed emails that appear to come from your domain to your employees, to see who opens the messages and to provide metrics on the results. It then offers follow-up training for your employees as needed.

In order to prevent these training emails from going to the recipient's Spam or Junk folder, you will need to set up SPF and DKIM authentication for KnowBe4. The steps below require access to the KnowBe4 Account Settings page, so make sure that you have an account with proper access.

FYI: On the KnowBe4 help page they will instruct you to add their "include" statement to your SPF record. That is not needed when you use Valimail since we have automation in place that already takes care of that by using our SPF Macro:

Configuring DKIM authentication for your KnowBe4 emails

The steps below outline how to create a custom DKIM signature for your domain, which will sign the emails sent by KnowBe4 on your behalf. DKIM is configured separately for the Phishing, Training and PhishER emails.

Enabling DKIM Signatures for Phishing Emails

By default, all KnowBe4 training emails contain a DKIM signature, but phishing emails require the account owner to enable this feature first. Follow the steps below to enable DKIM signatures for phishing emails.

1. Log in to your KnowBe4 account.

2. Click on your email in the upper-right corner and click Account Settings.

3. Under the Phishing Settings section, click the checkbox labeled Enable DKIM signature.

4. Click Save Changes.

All KnowBe4 phishing emails will now be signed with KnowBe4’s signing domain, which can be used to verify whether a phishing email is from KnowBe4 or is a real phishing attack. See the section below for information on how to customize the signing domain for phishing and training emails.

Using Custom DKIM Signatures in KnowBe4 Phishing Emails

After enabling DKIM signatures, your organization can adjust the signing domain for your organization’s needs. See the instructions below to use your own signing domain for phishing emails.

1. Log in to your KnowBe4 account.

2. Click on your email in the top-right corner and click Account Settings.

3. Under the Phishing Settings section, click the checkbox labeled Enable DKIM signature if you haven’t enabled DKIM signatures already.

4. Click the button labeled Use your own signing domain.

5. Choose the domain you wish to use. To add a domain to this drop-down, you will first need to add the domain as an Allowed Domain in your KnowBe4 account. For more information on this topic, please see How to Add and Verify Allowed Domains.

6. Click Create a DKIM selector for this domain.

7. Copy the host name and values provided in the pop-up.

8. Add the DKIM key in Valimail.

9. Once you’ve added the DKIM TXT record in Valimail, click the Validate the DNS TXT record for this DKIM selector button to confirm that the published record validates.

10. Click OK in the DKIM Selectors Details window in your KMSAT console.

11. Click Save Changes at the bottom of your Account Settings.

Using Custom DKIM Signatures in KnowBe4 Training Emails

You can also use custom DKIM signatures for your training emails. See the instructions below to use your own signing domain in training emails.

1. Log in to your KnowBe4 account.

2. Click on your email in the upper-right corner and click Account Settings.

3. Under the Training Settings section, click the checkbox labeled Enable Custom DKIM Signature if you haven’t enabled DKIM signatures already.

4. Follow the remaining steps from the Using Custom DKIM Signatures in KnowBe4 Phishing Emails section above.

You can also find the instructions for how to set up DKIM for KnowBe4 Phishing and Training here.

Enabling and Customizing DKIM Signatures in PhishER

PhishER notifications contain a line of text called a DKIM signature that proves it is an authentic KnowBe4 or custom email. This guide will show you how to enable DKIM signatures for PhishER from KnowBe4 and how to use an allowed domain as a custom DKIM signature.

To enable your DKIM Signatures in PhishER, follow the steps below:

1. Open the PhishER platform and then navigate to the Settings page.

2. Go to Email Server.

3. Customize the Email Server settings and enable the DKIM Signature toggle. When you enable the toggle, you will see the Signing Domain(s) and the Selector from your KMSAT Account Settings page.

4. Click Save.

Using Custom DKIM Signatures in PhishER

After enabling DKIM signatures, your organization can adjust the signing domain for your organization’s needs.

1. Log in to your KnowBe4 account and navigate to PhishER.

2. Click on the Settings icon and go to the Email Server page.

3. Under the Configure DKIM section, click the button labeled Add Custom Signing Domain.

4. Choose the domain you wish to use. To add a domain to this drop-down menu, you will first need to add the domain as an Allowed Domain in your KnowBe4 account. See their How to Add and Verify Allowed Domains article for more information.

5. Click Add and the Configure Custom Signing Domain window will open.

6. Copy the host name and values provided in the pop-up.

7. Navigate to your DNS provider and add a TXT record containing the copied information.

NOTE: If you manage your domain in Valimail, you will need to add the DKIM key(s) on your domain's configuration page in the Valimail platform.

8. Once you’ve created the TXT record in your DNS provider, select the domains that should use the new DKIM record.

9. Click Save.

You can also find the instructions on how to set up DKIM in KnowBe4 PhishER here.
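A sanity check for the TXT value copied from the pop-up before it is published, as an added example (not KnowBe4 or Valimail code). It catches a truncated or badly split key, the usual reason the validation step fails; the sample key bytes are constructed placeholders, not a real key.

```python
import base64
import binascii
import re

def join_txt_strings(rdata):
    """Concatenate the quoted strings of a TXT value (long keys are split at 255 bytes)."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(parts) if parts else rdata.strip()

def parse_dkim_record(rdata):
    """Split a DKIM key record into its tag=value pairs."""
    tags = {}
    for item in join_txt_strings(rdata).split(";"):
        if not item.strip():
            continue
        name, sep, value = item.partition("=")
        if not sep or name.strip() in tags:
            raise ValueError("malformed or duplicate tag: " + item.strip())
        tags[name.strip()] = value.strip()
    return tags

def check_dkim_record(rdata):
    """Return a list of problems; an empty list means the record is well formed."""
    try:
        tags = parse_dkim_record(rdata)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    key_type = tags.get("k", "rsa")
    if key_type not in ("rsa", "ed25519"):
        problems.append("unsupported k= value")
    if "p" not in tags:
        problems.append("missing p= tag")
    elif tags["p"] == "":
        problems.append("empty p= (key revoked)")
    else:
        try:
            der = base64.b64decode(re.sub(r"\s+", "", tags["p"]), validate=True)
        except (binascii.Error, ValueError):
            return problems + ["p= is not valid base64 (truncated or mis-split paste?)"]
        if key_type == "rsa" and len(der) < 162:  # typical DER size of a 1024-bit RSA key
            problems.append("RSA key shorter than 1024 bits")
    return problems

# Constructed placeholder bytes sized like a 2048-bit RSA key; not a real key.
SAMPLE_KEY = base64.b64encode(bytes(294)).decode()
SAMPLE_RDATA = '"v=DKIM1; k=rsa; p=' + SAMPLE_KEY[:200] + '" "' + SAMPLE_KEY[200:] + '"'
```

An empty list from `check_dkim_record` only means the record is syntactically sound; whether it matches the selector's private key is still decided by the validation button in the console.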

Add a KnowBe4 DKIM key in Valimail

You can find more detailed information on how to add a DKIM key in Valimail, here:

Configuring SPF authentication for your KnowBe4 emails

Once you establish that KnowBe4 is an authorized sender for your domain, you will need to add the service in your Enabled Senders.

You will find more detailed information on how to add a service for your domain in Valimail, here:

Note: We encourage you to use the comment section for any useful information about your sending service, such as the name of the service owner, change request ticket numbers, etc.

Enable SPF alignment in KnowBe4 for your domain

This section explains what steps you need to follow in order to configure SPF alignment for the emails sent by KnowBe4 on behalf of your domain.

Align the Return-Path domain on your Phishing Emails

1. Log in to your KnowBe4 admin account.

2. Click your email address on the top-right of the screen, then click Account Settings.

3. Navigate to the Phishing Settings section.

4. Under the Phishing Email Headers subsection, click the checkbox next to Overwrite Fixed Return-path Address with Sender Address.

5. Save your settings by clicking Save Changes at the bottom of the page.

Align the Return-Path domain on your Training Emails

1. Log in to your KnowBe4 admin account.

2. Click your email address on the top-right of the screen, then click Account Settings.

3. Navigate to the Training Settings section.

4. Under the Training Email Headers subsection, click the checkbox next to Overwrite Fixed Return-path Address with Sender Address.

5. Save your settings by clicking Save Changes at the bottom of the page.

Note: If you have a free KnowBe4 account, you will need to contact their support and ask them to make these changes for your account.
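To confirm the effect of the custom signing domain and the Return-Path setting on a received test email, the following added example (not KnowBe4 or Valimail code) reports DMARC identifier alignment from the message headers. The headers are constructed, `corp.example` and `vendor.example` are placeholder domains, and the organizational-domain rule is a simplifying assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. A production
    # check must use the Public Suffix List (e.g. for example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """DMARC identifier alignment: exact match (strict) or same org domain (relaxed)."""
    if not auth_domain or not from_domain:
        return False
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def addr_domain(header_value):
    """Domain part of the address in a From or Return-Path header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2]

def dmarc_alignment(raw_message, strict=False):
    """Report alignment only; SPF and DKIM must still pass verification at the receiver."""
    msg = message_from_string(raw_message)
    from_domain = addr_domain(msg.get("From"))
    dkim_domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        match = re.search(r"(?:^|;)\s*d=\s*([^;\s]+)", sig)
        if match:
            dkim_domains.append(match.group(1))
    return {
        "from": from_domain,
        "spf_aligned": aligned(addr_domain(msg.get("Return-Path")), from_domain, strict),
        "dkim_aligned": any(aligned(d, from_domain, strict) for d in dkim_domains),
    }

# Constructed headers: BEFORE uses the vendor's fixed Return-Path and signing domain,
# AFTER has the Return-Path overwritten with the sender address and a custom signing domain.
BEFORE = (
    "Return-Path: <bounce@bounces.vendor.example>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=vendor.example; s=sel1; bh=...; b=...\n"
    "From: IT Helpdesk <it@corp.example>\n"
    "Subject: Password expiry notice\n\nbody\n"
)
AFTER = (
    "Return-Path: <it@corp.example>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=corp.example; s=sel1; bh=...; b=...\n"
    "From: IT Helpdesk <it@corp.example>\n"
    "Subject: Password expiry notice\n\nbody\n"
)
```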
