This article provides high-level guidance for troubleshooting issues with PhishSim emails that were sent but are not showing up in learners’ inboxes. To know how to solve the issue, we’ll first need to determine where it got stuck and why. We’ll start from when Infosec IQ sends an email and work our way through each step until delivery.
1. Was the email sent?
The first thing to do is determine whether the email was actually scheduled to be sent to the learner, and whether that email actually left Infosec mail servers. To do this, open the campaign you expected the email to send from by following these steps:
- Navigate to PhishSim > PhishSim campaigns.
- Click the “three dots” menu at the end of the row, and select Details.
- Click the graph button at the end of the row of the impacted campaign run (there may only be one run.)
Here we can see the status of emails that were scheduled in the campaign run. Normally an email will go Scheduling > Scheduled > Sent > Delivered, and some of these statuses are so brief that you won’t see them normally. If an email remains at something other than Delivered for a long time then the email may not have sent.
Here are some of the statuses and what they might mean for a missing email:
- Scheduling emails for the phishing simulation - check back soon!* When this message is present and no learners are shown in the list, it can mean one of two things. First, this message is displayed immediately after a campaign is scheduled, and will remain there while the campaign is initializing. If this message is still present more than 10 minutes after the campaign is scheduled to start, it may mean that every learner scheduled the campaign is in a bounced status. This message will remain until the problem is resolved. For more information about bounced learners, see Bounced Emails.
- Scheduled When the email status is Scheduled, it means that the message is in the queue to be sent. In a running campaign emails will transition into and out of Scheduled status as messages are sent. If a message for one learner remains in Scheduled status for a long time or beyond the end of the campaign run, it could mean that the individual learner is in a bounced status. For more information about bounced learners, see Bounced Emails.
- Bounced This status means that IQ attempted to send an email to the learner and received a permanent failure response from the recipient mail server. When a learner is in a bounced status, IQ will not send any more emails to them until the bounced status is cleared. For more information about bounced learners, see Bounced Emails. Note that mail security services may also reply with a permanent failure response.
- Sent / Delivered When the email status is Sent, it means that the message was sent to the recipient mail server and a delivery notification was not received in return. When the email status is Delivered, it means that the message was sent to the recipient mail server, and a delivery notification was received. In either case, it probably means that the email ended up at the recipient mail server. A mail server will almost always respond if a message is rejected, but it won’t always respond if it does receive the message. If emails sent to some learners show Sent long after others have been delivered, that can be a sign that the emails were quarantined or intercepted by a mail security service.
- Opened / Phished / Replied / Entered Data These are all “phished” statuses and indicate that other actions were taken on the email after it was delivered. the email was likely delivered successfully and a user (or mail server) has interacted with it in some way. If a large number of users are in a Phished status, or your phish rate suddenly becomes high it can be indicative of allowlisting issues.
Note: For each of the following, it’s best to have a specific email message to track down. Before continuing, you’ll want to know who the intended recipient was, a rough idea of when the email was sent, and which of the Infosec domains it was sent from. If you don’t have anything specific to track down, try sending yourself a test campaign to reproduce the issue.
2. Did the Email get stuck in a third party mail filter?
This section only applies if you have a third party mail filter that isn’t part of your mail server, such as ProofPoint or Mimecast. If you aren’t sure if this applies to you, check with whomever manages your mail infrastructure. You’ll likely need to work with them in this step.
Unfortunately each mail filter will have its own features and interface, but they should all ultimately have some type of log of mail flowing through the service. Using the sending address, receiving user, and timestamp of the missing email, search for the missing email.
If the message is quarantined flagged as spam, you’ll want to double check you’ve completed the allowlisting instructions for the mail filter, here. If allowlisting is configured according to the instructions or if your mail filter isn’t listed, you can either open a support ticket with your mail filtering service or open a ticket with Infosec IQ support by clicking on the question mark icon in the bottom right corner of any page in IQ.
3. Did the email get caught in your mail server?
If the email did send, didn’t bounce, and didn’t get stuck in your third party mail filter (if applicable), then it may have gotten caught in your mail server or in the service that hosts your mail. This step is similar to last one – you’ll want to search for the email in your mail server logs. If the message made it here, and was sent recently, it will show up in your mail server logs.
Office 365 Message trace in the Microsoft 365 Defender portal
Google Workspace Find messages with Email Log Search
If the logs indicates that the message is quarantined or flagged as spam, you’ll want to double check you’ve completed the allowlisting instructions for your mail server here. If allowlisting is configured according to the instructions or if your mail hosting service isn’t listed, you can either open a support ticket with your whomever hosts your mail services or open a ticket with Infosec IQ support by clicking on the question mark icon in the bottom right corner of any page in IQ.
4. The email made it to my mail server without being quarantined or flagged, but it’s not in my inbox.
It’s rare to see email make it all the way to the recipient mail server without being flagged and still not show up in the user’s inbox, but there are some things to look for in this case.
First, if this is only affecting one user, it’s possible some custom mail filtering rules have been set up wherever the user checks their email. Check some of the user’s other folders, including spam, to see if the message was somehow redirected on the machine side. You can also check their rules directly to see if there’s anything that would apply to our mail.
Second, there are a few mail security services out there that will retrieve emails from user inboxes after they’ve made it to the user inbox, using that service’s API. Sometimes it’s even quick enough that you don’t even see it flow into the inbox. If you suspect that’s what’s happening, this will most often require a support ticket to be opened with your third party mail filter; but you can still open up a ticket with Infosec IQ’s support team and we may be able to offer some guidance.