KnowBe4 is a training and compliance service. They typically send emails that spoof your domain to your employees, to test who opens the messages and to provide metrics on the results. They then offer follow-up training for your employees as needed.


In order to prevent these training emails from going to the recipient's Spam or Junk folder, you will need to set up SPF and DKIM authentication for KnowBe4. The steps below require access to the KnowBe4 Account Settings page, so make sure that you have an account with proper access. 


Configuring SPF alignment


This section explains the steps to configure SPF alignment for the emails that KnowBe4 sends on behalf of your domain.


  • Align the Return-Path domain on your Phishing Tests
  1. Log in to your KnowBe4 admin account.
  2. Click your email address on the top-right of the screen, then click Account Settings.
  3. Navigate to the Phishing Settings section.
  4. Under the Phishing Email Headers subsection, click the checkbox next to Overwrite Fixed Return-path Address with Sender Address.
  5. Save your settings by clicking Save Changes at the bottom of the page.



  • Align the Return-Path domain on your Training Emails
  1. Log in to your KnowBe4 admin account.
  2. Click your email address on the top-right of the screen, then click Account Settings.
  3. Navigate to the Training Settings section.
  4. Under the Training Email Headers subsection, click the checkbox next to Overwrite Fixed Return-path Address with Sender Address.
  5. Save your settings by clicking Save Changes at the bottom of the page.


Note: If you have a free KnowBe4 account, you will need to contact their support and ask them to make these changes for your account.



Configuring DKIM signing


Follow the steps from this article in order to create a custom DKIM signature for your domain, which will sign the emails sent by KnowBe4 on your behalf. DKIM is configured separately for the Phishing and Training emails.


If you manage your DKIM keys in the Valimail platform, you will need to follow the steps here in order to publish the DKIM keys. If your DKIM keys are not managed in Valimail, you will need to publish them with your DNS host.


After the DKIM keys have been published, the last step is to go back to the KnowBe4 console and click on the Validate the DNS TXT record for this DKIM selector button, then Save Changes at the bottom of your Account Settings page.
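
To confirm that both the Return-Path setting and the DKIM selector took effect, compare the header domains of a delivered test message against the From domain. The Python script below is an added example, not code from KnowBe4 or Valimail. The two sample messages are constructed, every domain in them is a placeholder, and the organizational domain is assumed to be the last two labels of a name instead of being looked up in the Public Suffix List.

```python
from email import message_from_string
from email.utils import parseaddr
import re

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real DMARC
    # evaluation uses the Public Suffix List (needed for e.g. co.uk names).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def addr_domain(header_value):
    # Domain part of the address in a From or Return-Path header.
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def dkim_domains(msg):
    # d= tag of every DKIM-Signature header on the message.
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", sig)
        if m:
            found.append(m.group(1).lower())
    return found

def alignment(raw_message):
    # Relaxed alignment: organizational domains must match the From domain.
    msg = message_from_string(raw_message)
    from_org = org_domain(addr_domain(msg["From"]))
    rp = addr_domain(msg["Return-Path"])
    return {
        "spf_aligned": bool(rp) and org_domain(rp) == from_org,
        "dkim_aligned": any(org_domain(d) == from_org for d in dkim_domains(msg)),
    }

# Constructed sample headers; vendor.example and corp.example are placeholders.
BEFORE = (  # fixed Return-Path, signature under the sending service's domain
    "Return-Path: <bounce@mail.vendor.example>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=vendor.example; s=sel1; b=...\n"
    "From: IT Helpdesk <helpdesk@corp.example>\n"
    "Subject: Password expiry\n\nbody\n"
)
AFTER = (  # Return-Path overwritten with sender address, custom DKIM selector
    "Return-Path: <helpdesk@corp.example>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=corp.example; s=sel1; b=...\n"
    "From: IT Helpdesk <helpdesk@corp.example>\n"
    "Subject: Password expiry\n\nbody\n"
)
```

This checks alignment only. Whether SPF and DKIM themselves passed is recorded by the receiving server in the message's Authentication-Results header, and DMARC needs a pass together with alignment on at least one of the two.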