Skip to content

Getting started with PhishDeck

Quickly get started with phishing simulation using PhishDeck.

PhishDeck as a platform aims to provide the most valuable phishing simulation campaigns that it can with the least amount of configuration required by the user to achieve their goals. With that in mind, the following is a short Quickstart Guide that can help you get on your feet quickly.

1. Allowing PhishDeck to Send Emails

While PhishDeck emulates a real phishing attack, it is ensured that this is conducted with traceability and governance in mind. To such an extent, unlike real attackers using illegal botnets or other illicit methods of sending large volumes of phishing emails, all of PhishDeck’s phishing simulation emails originate from a single IP. This is done not only to be easy to allow (some mail filters only allow IP allow listing), but it’s also to ensure that it’s quick and easy to distinguish phishing simulation emails from real ones in the event of an investigation.

Naturally, IPs which only send phishing simulation emails are bound to be blocked, and to such an extent, we strongly suggest explicitly allowing PhishDeck’s IP addresses to avoid issues with your phishing simulation Campaigns – this process only needs to be set-up once.

For information on how to add PhishDeck to your provider’s allow list, refer to the following documentation.

2. Domain Verification

PhishDeck is a phishing simulation platform, and as such, we take great care and responsibility as to who we engage phishing simulations with. Before you can start sending out phishing emails to a given domain, we will need to verify that you are authorized to do so.

Upcoming – Soon, you will be able to send out phishing simulation emails to the email address you signed up with, without the need to go through verification.

To verify a Domain, navigate to your Account settings (🅐), then click on the “Add Domain” button (🅑).

Screenshot of PhishDeck domain verification

Heads up – If you encounter any difficulties while setting up your domain, fret not, please reach out to us on

When adding a Domain, you are provided with two options on how to verify ownership and authorization explained below.

Email Domain Verification

Email domain verification is a quick method of verifying your domain. It involves receiving an email with a magic link that can only be sent to a predefined administrative email address of your choice that PhishDeck allows. Once you follow the confirmation link via email, your domain will be verified for 1 year.

Heads up – If you don’t see your organization’s admin email address here, let us know!

Screenshot of PhishDeck domain verification via email

DNS Domain Verification

DNS domain verification involves adding a TXT record to your domain that does not expire and will remain valid as long as the TXT record on your domain is present. This is the more ideal option as it only needs to be setup once per domain.

Please note that in some cases, DNS may take up to 48 hours to propagate.

Create Targets and Lists

With your Domain verified, you may now begin adding your Targets into PhishDeck and logically grouping them into Lists.

To manage your Targets and Lists, you may head to the Targets and Lists menu respectively. If you have neither setup yet, you will be asked to create a new Target.

Screenshot of an empty Targets screen in PhishDeck

Note – You can also add all of your Targets using the simple Bulk Upload feature. For more information on how to use the Bulk Upload feature, please refer to the Bulk Upload documentation.

After clicking “New” or “Create Target”, you will be able to input the details of your first Target. If you already have a List set up, you can immediately allocate the Target to that List as well.

Screenshot of Target creation in PhishDeck

Similarly, setting up a List can be achieved by navigating to the Lists menu, clicking on “New” and inputting the details. In this example, we will immediately add the Target, “John Doe” to that List upon creation.

Screenshot of List creation in PhishDeck

  1. Create a Campaign With our Domain(s) set up, as well as our Targets and Lists, we may now create our first phishing campaign using PhishDeck.

Navigate to the “Campaigns” menu and click “New” to begin setting the Campaign up. Start by adding a Title and Description for your Campaign.

Screenshot of the new Campaign screen in PhishDeck

We can then click “Next” to proceed to the next step, allocating Targets and Lists. In this step, we can add our newly created List, so that in the future, should we add more Targets, it will automatically reflect in that List.

Heads up - When adding multiple Lists and Targets, PhishDeck will automatically deduplicate the final list of Targets to avoid sending multiple emails to a single Target in a Campaign.

Screenshot of List and Target selection in the new Campaign screen in PhishDeck

We can now click “Next” to pick our Phishing Template of choice. All phishing templates are pre-configured for you and designed to mimic effective engaging phishing emails. Click on the phishing template of choice and then click “Next”.

Screenshot of Template selection in the new Campaign screen in PhishDeck

Which brings us to the last step of setting up our first phishing Campaign, the campaign’s schedule. Given that this is a quickstart guide, we can simply set the Campaign to, “Start now” and click on “Submit”.

Heads up – Submitting a Campaign places it in a submission queue. PhishDeck will process your Campaign within one minute of your scheduled time.

Screenshot of Scheduling in the new Campaign screen in PhishDeck

4. Next Steps, Results & Reports

After setting up more advanced Campaigns in PhishDeck, you can view your Campaign results with high-level trends, as well as granular per-Target event timelines.

Screenshot of Campaign results in PhishDeck

You can also export your results as a report, by clicking on the “Download Report” button and selecting the export format of choice (i.e. HTML, CSV).