Kinds Security vs KnowBe4: Phishing Simulation Delivery and False Positives

Kinds Security vs KnowBe4: Phishing Simulation Delivery and False Positives

KnowBe4 sends simulated phishing over SMTP with required allowlisting and tracking pixels. Kinds injects tests through the Microsoft Graph and Gmail APIs with no pixels. Full comparison.

The short version: KnowBe4 delivers simulated phishing over SMTP and asks customers to allowlist its mail so security filters let the tests through. It tracks opens with a tracking pixel in each email. Kinds Security injects tests directly into mailboxes through the Microsoft Graph and Gmail APIs, uses no tracking pixels, and measures opens by checking the mailbox's own read state. That design difference is why KnowBe4 maintains false-positive troubleshooting guides and Kinds does not need them.

Facts below come from each vendor's own documentation, checked July 10, 2026.

Does KnowBe4 require allowlisting for phishing simulations?

Yes. KnowBe4 sends simulated phishing over SMTP, so customers must allowlist its sending infrastructure. For Microsoft 365 that means configuring Advanced Delivery Policies, smart hosting, or SPF and DKIM records. KnowBe4 publishes a detailed Whitelisting Guide and a Whitelisting Wizard to walk admins through the setup.

Allowlisting tells your email security stack to stand down for KnowBe4's mail. That makes SMTP delivery workable, but it has two side effects. First, it is setup work that has to be maintained as your mail stack changes. Second, once the mail is inside, tools like link scanners and link rewriters still touch it. That is where false positives start, and KnowBe4's knowledge base covers the topic at length.

Does KnowBe4 use tracking pixels?

Yes. KnowBe4's documentation describes "the small tracking image that we place in each phishing email." The pixel records if and when a user opens the message, and clicks are tracked through the links in the email. This is standard for SMTP-delivered simulation, and it is exactly the mechanism security scanners can trip by accident.

When a secure email gateway, a link rewriter, or a sandbox inspects a message, it can load that pixel or follow those links. The platform then records an open or a click that no human made. KnowBe4 documents these causes itself: link scanners, link rewriters, secure email gateways, VirusTotal submissions, mobile link previews, and bot clicks.

Why did KnowBe4's API-based delivery stop working on Microsoft 365?

KnowBe4 built Direct Message Injection (DMI) to place tests into mailboxes through Microsoft and Google APIs, skipping allowlisting. Microsoft then retired the ApplicationImpersonation role that DMI's Microsoft connector depended on. New assignments were blocked starting September 2024, and Microsoft confirmed the retirement was complete on March 13, 2025.

KnowBe4's own knowledge base now tells Microsoft 365 customers to move off DMI and back to Advanced Delivery Policy allowlisting. DMI still exists for Google Workspace through the Gmail API's insert scope. To be precise: the breakage was specific to Microsoft, and it happened because of a Microsoft platform change, not a KnowBe4 mistake. The result for buyers is the same either way. On Microsoft 365, KnowBe4 delivery today means SMTP plus allowlisting.

How does Kinds Security deliver and track phishing simulations?

Kinds places each simulated phish directly in the mailbox through the current Microsoft Graph API or Gmail API. Nothing travels over SMTP, so there is nothing to allowlist. There are no tracking pixels. Kinds records an open by polling the message's read state through the same APIs, every 5 minutes for 15 days.

This is why false positives do not happen by design. Scanners, link rewriters, and email gateways interact with mail in transit and with links. None of that flips the read flag on a message sitting in the mailbox. An open only counts when the mailbox itself says the message was read. There is no pixel to load and no allowlist entry to maintain.

How do the two delivery models compare?



Kinds Security

KnowBe4

Delivery method

API injection via Microsoft Graph and Gmail API

SMTP; API injection (DMI) deprecated for Microsoft 365, still available for Google Workspace

Allowlisting required

No

Yes for Microsoft 365 (Advanced Delivery Policies, smart host, or SPF/DKIM)

Open tracking

Mailbox read state, polled every 5 minutes for 15 days

Tracking pixel in each email

False positives from security tools

None by architecture

Documented; dedicated evasion settings and a remediation guide

Template library

About 850 curated templates

25,000+ templates

Reporting and response

Built in

Phish Alert Button, plus PhishER as an add-on

What does KnowBe4 do about false positives?

KnowBe4 handles the problem with tooling rather than architecture. It ships a False-Positive Phishing Evasion Settings page and an Identify and Address False Positives guide. These are mature, well-documented features. They also confirm the problem is real and ongoing. One G2 reviewer wrote that KnowBe4 "kicks out a lot of false positives so we use Microsoft instead."

Bottom line

KnowBe4 brings scale: 25,000+ templates, the Phish Alert Button, PhishER for response workflows, and a 4.6 out of 5 rating on Gartner Peer Insights across 2,469 reviews. If you want the deepest template library and you have staff to maintain allowlisting and tune out noise, it delivers. If you want phishing data you can trust without allowlist maintenance or pixel noise, that is the exact problem Kinds' API-injection design exists to solve. You can try Kinds free for 21 days, no demo call needed.

FAQ

Does allowlisting weaken email security? It creates a standing exception for the vendor's simulated phishing. Admins have to scope it carefully and keep it current as the mail stack changes.

Can Kinds tests get caught by spam filters? No. They never pass through mail flow. The API writes them into the mailbox directly.

Does KnowBe4 still offer API injection anywhere? Yes, for Google Workspace via the Gmail API. Its knowledge base recommends allowlisting for Microsoft 365.

What counts as an open in Kinds? The mailbox's own read state, checked every 5 minutes for 15 days. A scanner cannot change that flag.

Always automated.
Nothing to manage.

Leave Training & Simulated Phishing to us.

Leave Training & Simulated Phishing to us.

Always automated.
Nothing to manage.

Leave Training & Simulated Phishing to us.

Always automated.
Nothing to manage.

Leave Training & Simulated Phishing to us.

© 2026 Kinds Security Inc. All rights reserved.

© 2026 Kinds Security Inc. All rights reserved.

© 2026 Kinds Security Inc. All rights reserved.