The phishing report button identifies simulation emails through specific headers included in the emails sent by SMARTFENSE.
How does the detection work?
Simulation emails sent by SMARTFENSE include custom headers that allow:
Identifying the origin of the email
Distinguishing simulations from real emails
Associating the report with a user and a campaign
Headers used
X-PHISHINGSIMULATION
It is present in all Phishing and Ransomware emails
Its value is constant (unless modified from /whitelist)
It is mainly used for whitelist configurations
X-PHISHINGID
It is present in simulation emails associated with campaigns
It is not included in test sends
It is unique per user and campaign
This header allows:
Identifying that the reported email is a simulation
Associating the report with the corresponding user
Linking it to the specific campaign
Condition for recognition
For the phishing report button to recognize an email as a simulation:
The header X-PHISHINGID must be present
If this header is not present:
The email cannot be identified as a simulation
The report will be treated as a real email
Considerations
Both headers are part of the emails generated by the platform
Proper functioning depends on them not being modified or removed by intermediate tools
Security solutions or email gateways may alter headers
💡 Best practices
Verify that headers are not removed by security tools
Validate behavior through test campaigns
Properly configure the whitelist according to the documentation