General questions

Answers to the questions in this section are helpful but not required for initial onboarding.

  • What email service do you use?

  • What email gateway do you use?

  • How many email submissions are you getting on average a day? How many on average a day are confirmed malicious?

  • What actions do you take today on confirmed phishing emails? For example, delete all sent emails globally, block sender, block malicious urls, hashes, and so on. What vendor tools do you use to take each of these actions?

  • Where are your email trace logs stored and are they accessible to Expel?

Sending/receiving emails

  • What is the email domain(s) we should expect to see phishing submissions coming from?

  • Do you need to create allow lists or establish trust anywhere in your environment for forwarded phishing email communications? If yes, the following are the involved addresses:

    • Outbound: Custom forwarding email (provided by Expel): <companyidentifier>

    • Inbound: Acknowledgement and outcome response emails from Expel:

Phishing Submission Buttons

  • Expel has add-on buttons for Google Workspace and Microsoft 365 for phishing submissions.

  • What is your typical timeline for deployment of this type of add-on?

  • Let your Expel engagement manager know you anticipate any significant delays in deploying the button.


If the above button can't be deployed, you can forward your phishing inbox submissions to Expel with original phishing email as an EML attachment to the custom forwarding email destination provided by Expel.

Expel Email Responses

  • Do you want Expel to send phishing outcome responses sourced from your security team email (adjustment of ‘from’ header)?

    • If your ‘Alignment Mode’ for DKIM/SPF is set to relaxed, (it is by default unless otherwise overridden) Expel generates a set of DKIM/SPF records which you need to add through your DNS provider.

    • If your ‘Alignment Mode’ for DKIM/SPF is set to strict, we need to have further discussions on how to best accommodate this setup.

      • If yes, do you use DKIM/DMARC?

      • If yes, how often do you run them? What vendor do you use?

  • Do you run phishing simulations?

  • Do you have a logo you can provide us for branding our responses back to your submitters?

    • If yes, provide to your engagement manager. Preference: 140 pixels wide, .png file.

  • What would you like responses to your submitters for the following to be?:

    • Acknowledgement emails - This is when we acknowledge we received the submission.

Default response:


Thanks for reporting a suspected phishing attempt. We’ll examine the provided email content and follow up when we’re done. If we find malicious content, we’ll include recommended next steps.

In the meantime, leave the suspect email alone. Don’t download attachments, click links, or reply to the sender.

Thank you,

Security Team

Benign/Safe email outcomes - This is after we've investigated and confirmed the email is safe to interact with.

Default response:


We've found the email “{subject}” to be a legitimate email which you're free to respond to, if needed. We appreciate your vigilance!

Thank you,

Security Team

Malicious/Not Safe outcomes - This is after we've investigated and confirmed the email is malicious and not safe to interact with.

Default response:


After investigation, we've identified the email “{subject}” as not safe and we are working on remediating. Please refrain from interacting with email or sender in the meantime. We appreciate your vigilance!

Thank you,

Security Team

Simulation emails - This is after we receive a submission resulting from a phishing simulation exercise.

Default response:


Congratulations! You identified the email “{subject}” as phishing, and it was in fact sent as a phishing simulation for training purposes. Continue to stay vigilant!

Thank you,

Security Team


  • Do you want to be paged during non-business hours if we need additional information from you before determining if an email is malicious?


This can result in pages late at night for emails that end up being benign/safe.