Symbol Inbox Delivery (SID): The Secure Way to Ensure Phishing Simulation Delivery

This article explains how SID works, why it's a secure and authorized method, and how it helps you get true results from your Security Awareness Training (SAT) program.

What is Symbol Inbox Delivery (SID)?

Symbol Inbox Delivery (SID) is a feature that places simulation emails directly into your users' Microsoft 365 or Google Workspace inboxes. Instead of using traditional email (SMTP), which must pass through all your security layers, SID uses official APIs to deliver simulations, ensuring they arrive exactly as intended for accurate testing.

Think of it like this: Sending an SMTP email is like mailing a postcard—it gets handled, sorted, and potentially inspected by many machines (gateways) along the way. Using SID is like a trusted courier hand-delivering a sealed envelope directly to the recipient's desk, bypassing the sorting office entirely.


Frequently Asked Questions

Q: How does SID work? Is it exploiting a vulnerability?

A: Absolutely not. SID is part of a controlled and authorized phishing simulation program. Unlike threat actors, who exploit vulnerabilities, SID is a legitimate and approved delivery method, set up individually for each organization. No backdoors or loopholes are involved.

Q: How is SID different from other "gateway bypass" techniques?

A: SID uses the Microsoft Graph API/Google API, not traditional email protocols like SMTP. This means emails are securely inserted into inboxes using a modern, token-based authentication method. It's a completely different, legitimate approach compared to other types of gateway bypasses used by malicious actors.

Q: Where do these SID emails come from? Are they secure?

A: Emails delivered through SID do not come from unknown or third-party servers. They are sent through Symbol’s secure and trusted infrastructure, making every simulation controlled, monitored, and fully traceable through our platform. You maintain complete visibility and control.

Q: Does SID use brands' real email domains to send simulations?

A: No. To safely simulate real-world phishing tactics, SID uses authorized simulation domains (often called "Doppelgänger Domains") that are similar to popular brands' domains. For example, a simulation might use @ntflix.com instead of the real @netflix.com. This crucial technique trains users to spot the subtle domain spoofing that real phishers rely on, all within the safety of a controlled exercise. 

Q: If SID bypasses security tools, doesn't that weaken my security posture?

A: Not at all. The purpose of SID is to bypass scanning and automated link-clicking by security tools for simulation emails only, so that your training results reflect actual user behavior, not email gateway behavior. It does not interfere with your security rules or allow unauthorized access. Its role is simply to ensure that simulation emails are delivered as intended, without being filtered or altered, giving you a true measure of human risk.

Q: Do I have to use SID? What are my options?

A: SID is optional for running your SAT programs. You can choose to disable SID and use traditional email to deliver phishing simulations. In this case, whitelisting Symbol's infrastructure within your email environment is critical to ensure simulations are delivered and not blocked as false positives.

If you choose the traditional method, we highly recommend reviewing these guides to configure your environment correctly:

Q: Can I use SID for assignment and reminder notifications?

A: Yes! When you have an active SID integration, Symbol will automatically deliver your transactional emails—including assignments, training reminders, domain/email threats, and others—via SID as well. No extra configuration is required. Simply having SID active enables this feature. If, for any reason, we cannot deliver a transactional email via SID, we will automatically fall back to the standard email method.


Summary: Why Use SID?

SID is the key to obtaining accurate and actionable data from your phishing simulations. SID provides a secure, controlled, and highly effective method to enhance your security awareness training, ensuring you're always testing the right thing: your people.

Need help configuring SID or have more questions? Please contact our support team for further information.