Ngaio o te rāngai mātauranga
Education professionals
Guidance and resources for our education workforce, including principals, teachers and kaiako.
Mā ngā mātua me te whānau
Parents and caregivers
Information and guidance about your child's learning and development from early learning to school and kura and tertiary education.
Ngā kaiwhakarato me ngā kaikirimana
Suppliers and providers
News, guidance and resources for service providers, contractors and suppliers working with schools, kura, and early learning services.
Ā mātou mahi
Our work
About the work we do, who we are, and the policies and legislation that guide the education sector.

How to configure email security settings

Our recommended email filtering security settings for schools and kura.

Date published: 19 February 2025

27 mins to read

On this page

Our recommendation: Use Network for Learning's email protection service
Google Workspace security settings
Additional settings
Microsoft 365 security settings
Using Microsoft’s recommended security policies

Our recommendation: Use Network for Learning's email protection service

We recommend your school or kura uses Network for Learning (N4L)'s service, which is fully funded. This should be used in addition to your email service’s baseline security settings.

N4L email protection services – N4L

N4L email protection FAQs – N4L

If you want to speak to someone, you can contact their customer support team.

Email: [email protected]

Freephone (NZ only): 0800 LEARNING (532 764)

This is a separate service to N4L’s Safe and Secure Internet.

If you prefer to configure your own settings, we also have recommended settings for Google and Microsoft. Read our guidance below.

Google Workspace security settings

We recommend your school implement the following settings. To implement these changes, you will need admin access to your school’s Google Workspace.

Settings to protect your email domain from spoofing

Spoofing is where an unauthorised person sends emails as your school.

You will need to have security settings in place to prevent spoofing. This means emails you send, such as your school newsletter, are not classed as spam for parents, caregivers and whānau | families.

These settings are:

Sender Policy Framework (SPF)
Domain-based Message Authentication, Reporting and Conformance (DMARC)
Domain Keys Identified Mail (DKIM).

See more information on what these settings are and how they work.

Protecting your email domain from spoofing

If you do not have an information technology (IT) provider, we strongly recommend you join SchoolDNS. Liverton Security can help you move to SchoolDNS and implement SPF, DKIM DMARC at the same time.

Implementing Sender Policy Framework (SPF)

SPF is an email authentication standard that lets receivers of your emails know that they are coming from a legitimate source. It also informs email providers what they should do with emails that do not match the SPF records.

Guidance on implementing SPF on your Google Workspace.

Mail security configurations - sender policy framework

Guidance on implementing SPF on your Google Workspace

0:04

today we're going to talk about SPF SPF

0:08

stands for sender policy framework and

0:11

is not covered off with inside your

0:13

Google workspace admin console

0:15

I've redirected you to this help center

0:17

article that you can see that Google

0:20

provides lots of different information

0:21

around the setting and configuration

0:25

SPF is configured within your domain

0:28

registrar or DNS portal which is the

0:32

external records on your domain

0:35

what is BF does that validates what

0:38

sending systems are authorized to send

0:40

mail on behalf of your school domain

0:44

if your SPF is not configured if it's

0:48

invalid or misconfigured that means your

0:52

messages have a high chance of being

0:54

marked as spam

0:55

by the receiving systems

0:59

we want to ensure SPF is configured

1:01

correctly within your school environment

1:08

if you give this a quick Google you'll

1:11

be redirected to this house in the

1:13

article or you'll find the links in the

1:15

Clara that we've shared

1:18

it's important to set up SPF accurately

1:21

and this helps enter article will guide

1:23

you through on how you can do that with

1:25

some specific details

1:30

on a basic level your SPF should be

1:33

configured to look like this

1:37

this means that

1:39

if you've configured your domains such

1:41

as this allows Google to be authorized

1:44

to send messages on behalf of your

1:46

domain

1:48

and it'll be marked as trusted

1:51

you may be wondering how can I check my

1:54

ESP record and determine if it is

1:56

created or that is valid there are

1:59

third-party systems and tools they can

2:01

look up this information on your behalf

2:04

one of these examples is theme margin

2:07

ESPN surveyor

2:10

you can find this website and this URL

2:13

that I'll enter here

2:16

com slash sbf-survey

2:20

and you'll come to this page that we're

2:22

on now

2:24

this is a great pool where you can look

2:26

up if your SPF has set up correctly

2:28

I will now demonstrate on how this would

2:31

look like and how you can perform this

2:33

lookup yourself

2:36

in gruner domain

2:39

that is yours or anyone else's for that

2:42

matter

2:44

I've typed in this domain and we'll

2:46

select survey domain

2:50

as you can see it returns a no SPF

2:52

record is found for this domain

2:55

if you've entered in your school domain

2:57

and it returns this information

3:00

we recommend you that you review the

3:02

steps of Google to set up SPF and reach

3:05

out to your it administrator and DNS

3:08

registrar to get these records updated

3:10

accurately

3:13

once you're done though you can come

3:15

back to this page and check that it is

3:17

valid

3:19

some other examples that we can include

3:21

and look at

3:28

we can say the expl record is valid

3:33

which is great news ignoring the

3:35

awarding that this site gives you as is

3:37

going on to the next steps in terms of

3:38

synapse and DMACC which will cover off

3:41

at a later date

3:43

as you scroll down you can see on how

3:46

does this beef record is configured

3:53

it's like the KB article

3:55

here we can see that this SPF recorder

3:59

is configured exactly the same and is

4:01

valid

4:03

for a Google school this is configured a

4:06

hundred percent accurately

4:08

you may be using third-party systems

4:11

that need to send email on behalf of

4:13

your school

4:14

if that is the case you'll need to tweak

4:17

your SPF record accordingly to cater for

4:20

Google and third-party systems that may

4:23

be sent an email on your behalf

4:26

one example of this

4:28

can be found here

4:37

again we see the e3f record is valid and

4:41

as we scroll down we can see that the

4:43

ESPN frequent looks slightly different

4:45

we can see it includes Google singing

4:47

systems so Google is a trusted system

4:50

for this school domain as long with a

4:53

third-party application or sending relay

4:57

so that is how you would cater for it or

5:00

perhaps you might enter in a specific IP

5:02

address for the application

5:07

a small diagram to demonstrate what SPF

5:10

looks like and how it may work

5:13

basically we see if you're the sender

5:17

we have your inbound mouth over with

5:20

Google or any other recipient mail

5:23

server will look at your domain we'll

5:26

look at the esbf record see what systems

5:29

are allowed

5:30

and once it's determined what systems

5:33

allow determine if your message came

5:36

from that system or it did not

5:38

if your if the methods came from the

5:41

ESPN3 called trusted system the method

5:44

is authenticated

5:47

it is trusted and is delivered to the

5:49

user's inbox

5:52

as the singing system did not match the

5:55

sending systems SPF record

5:58

we can see it as unauthenticated and in

6:01

most cases it has moved to spam

6:03

quarantine or blocked depending on their

6:05

systems configuration

6:08

does impact your reputation for your

6:11

domain

6:12

as this information is shared and

6:14

available by lease third-party systems

6:18

analyzing your SPF records and inbound

6:20

mail

6:21

it is therefore a very

6:24

necessary to ensure that your SPF

6:26

circuit is set up correctly it is

6:28

accurate

6:29

so that third-party mail systems that

6:32

you send to your external users

6:35

can ensure that mail is trusted and

6:38

delivered accurately

6:42

again if you have any questions around

6:44

SBF in the policy framework

6:48

reach out to your it administrator

6:51

have a read of the Google workspace

6:53

articles they provide some great videos

6:56

and examples and we'll walk you through

6:58

the setup within your third party domain

7:00

registrar

7:02

thank you for watching

Implementing Domain Keys Identified Mail (DKIM)

DKIM adds a digital signature to your outgoing emails so that you can prove you are who you say you are to the email recipient.

Increase security for outgoing email with DKIM – Google

Implementing Domain-based Message Authentication, Reporting and Conformance (DMARC)

DMARC builds off SPF and DKIM. It tells email providers what they should do with emails that do not match the SPF or DKIM records – allow, quarantine (often into spam or junk), or block.

Increase security for forged spam with DMARC – Google

Pre-delivery scanning

This feature provides an additional level of protection by scanning emails for potential phishing prior to being sent to users. This is a straightforward configuration to enable. See the video below for the steps to do this.

Mail Security Configurations - Spam, Phishing and Malware Setting

Pre-delivery scanning

0:05

hello in this video we cover off the

0:08

sitting around pre-delivery message

0:10

scanning

0:11

this is a great feature from Google and

0:14

highly recommended that it is enabled to

0:17

prevent

0:18

pushing emails from being delivered to

0:20

your users

0:21

you can find the signal under apps

0:24

Google workspace and Gmail

0:29

and the spam fishing and malware

0:31

you'll find the option to enable

0:33

pre-delivery message scanning

0:37

as you can see it is already on here if

0:40

it is not on in your environment

0:43

click into the seating

0:45

make sure the box is checked and hit

0:47

save

0:49

as you see this may cause a small delay

0:52

of delivery of certain messages

0:55

when Google detects suspicious content

0:57

the message delivery is slightly delayed

1:00

so Google can complete additional

1:01

Security checks on the message to ensure

1:05

it is not a phishing message

1:08

if it is a phishing message a warning or

1:11

will be displayed or the message will be

1:13

moved to the spam label

1:16

however this delay is not lengthy we're

1:19

talking about seconds

1:21

in under a minute so users will not be

1:24

aware of it

1:26

is highly recommended to enable this to

1:29

protect your account from being

1:30

compromised by phishing emails

1:33

thank you

Blocked senders

If your staff or students are receiving unwanted emails, such as spam or phishing, you can easily block the senders.

Block senders

Mail Security Configurations - Spam, Phishing and Malware Settings

0:04

hello today we're going to configure a

0:07

blocks in this list

0:09

you can find a setting under apps Google

0:13

workspace and Gmail

0:16

select Gmail

0:19

scroll down the menu and you'll come

0:21

across spam fiction and malware which if

0:23

you need to select

0:28

within this section you have numerous

0:30

different settings today we're going to

0:32

focus on

0:33

the Block in this

0:35

this is where you can do specific email

0:38

addresses or domains to be blocked so

0:41

the emails do not arrive to your

0:43

students or teachers

0:44

select configure

0:48

give the rule a specific name

0:51

blocked Kindles

0:54

as you can see no lists have been

0:56

created or applied yet

0:58

let's create a new Block in this list

1:01

this will open up a new tab within your

1:03

browser

1:04

and we can create add block lists

1:08

give it a name

1:11

12 fingers

1:15

and we can add email addresses and

1:18

domains

1:19

into this list of addresses

1:22

these are addresses and domains that we

1:24

wish to block from being able to send

1:25

into our environment

1:30

you can add multiple entries here by

1:32

selecting add address

1:33

[Music]

1:53

as you can see I've made three entries

1:56

two of these are domains we're in the

1:58

address or email coming from these

2:00

domains will be blocked and one is the

2:03

individual user

2:05

that means other users it does domain

2:08

control send emails

2:10

select save

2:15

we'll go back to our previous tab where

2:18

we were configuring the fitting

2:21

we do have no less applied yet to the

2:24

rule so we can select use existing list

2:28

we're going to select block hinders and

2:31

we can see it's got the three entries

2:32

that we just created

2:37

Google will automatically reject

2:39

messages from these addresses or domains

2:42

if you choose to do so you can add your

2:45

own customized rejection notice or

2:47

otherwise Google will silently block

2:49

these messages without informing the

2:52

sender

2:55

flick save

3:01

as you can see the setting has been

3:03

applied

3:04

in the future if you wish to add more

3:06

addresses to this configuration you

3:09

can't select edit

3:12

go create either list

3:17

and you can edit the list that we've

3:18

previously created

3:22

add or remove whatever entries you need

3:25

and then select save and it will

3:27

automatically apply to your blocks in

3:29

this list

3:32

foreign

3:36

thank you for configuring a block in

3:38

this list.

DNS settings mail exchange record configuration from Gmail

Mail exchange (MX) records determine where your email messages are delivered to. The correct MX records will ensure successful mail delivery via Google. When you do not have an MX record, the sender’s computer will not know where to send their email to.

We recommend talking to your IT provider or IT lead to review this configuration setting.

DNS Settings MX Record configuration for Gmail

Mail Security Configurations

0:04

hello today we're going to talk about MX

0:07

records

0:09

MX records determine where your email

0:11

messages are delivered to and which

0:13

system they are sent to

0:15

to view how your MX records are

0:17

configured click on apps

0:20

Gmail

0:23

and setup

0:27

here we can see that your mixed record

0:29

section and where we can see the

0:32

different records that have been

0:34

configured

0:35

these records are all pointing to Google

0:38

this means that when someone emails a

0:40

reception of our domain

0:42

the message will be sent to Google it

0:45

will then pass it on to the relevant

0:46

user mailbox

0:49

it is highly recommended to check that

0:51

your MX records are up to date and

0:53

correct for the email system that you

0:55

have

0:59

as we can see these are configured

1:00

correctly if you're using Google as your

1:03

email provider

1:05

if you have a third-party email

1:07

filtering system such as proof point

1:10

or mimecast your MX records May point to

1:14

these Services instead before messages

1:16

are redirected back

1:18

and that is okay

1:21

if you do need to make changes to your

1:22

emx records this cannot be done inside

1:24

Google

1:26

this needs to be done on your domain

1:28

registrar level within your DNS

1:31

this is something that you're here to

1:33

control or one of your it providers will

1:35

look after this on your behalf

1:39

so you will need a request that your DNS

1:41

is updated and changed to be in

1:43

accordance with the MX for a good State

1:45

you require

1:47

thank you for watching.

Disabling POP and IMAP

POP and IMAP allow users to sync their school Gmail account with another email provider, such as Microsoft Outlook or Apple Mail. Unfortunately, this is also a common method cyber criminals use to hack your emails. We recommend disabling it for your school.

Client Access - POP and IMAP

Mail Security Configurations

0:07

and Welcome to our Google workspace

0:09

security tab today we're going to look

0:11

at disabling pop and IMAP

0:14

but first of all let's have a look at

0:17

what users in which users are using pop

0:20

in IMAP protocols

0:22

to run the report in the admin console

0:25

select reporting

0:27

reports

0:29

use the reports and security

0:34

here you'll find a whole bunch of

0:35

different security metrics against the

0:37

user accounts

0:40

as you scroll across you'll see there

0:42

are numerous different columns including

0:44

when Gmail and IMAP was last used and

0:47

Gmail POP was last used

0:49

if you do not see these columns select

0:52

the gear icon to manage your columns

0:55

that are visible

0:56

and select to add a new column

1:00

as you can see as I browse down my users

1:03

have never used Gmail and pop and

1:06

therefore I know it is safe to disable

1:09

you may find it easier to export this

1:12

information through a Google

1:15

to a Google think so you can perform a

1:18

better analysis over your user accounts

1:20

if you have a long list of users

1:23

once if you performed your analysis and

1:25

determine if pop and iMac can be

1:27

disabled

1:28

we can go and disable pop in IMAP

1:32

to do so

1:33

browse to apps Google workspace and

1:37

Gmail

1:43

scroll down until you get the end user

1:46

access

1:47

click end user access

1:51

here you'll see Pop and I'm at access

1:55

flick the top value

1:59

to apply the heading to all users

2:02

within your Google workspace tenant

2:05

as you can see in our example enable

2:08

IMAP and POP access is already disabled

2:12

this is the ideal situation pop and IMAP

2:15

uses Legacy and secure protocols to sync

2:19

user data

2:22

if you're if you have not disabled your

2:25

IMAP and your pop access look at

2:29

unclicking IMAP and POP access within

2:32

your admin console

2:34

you may find a new report that all users

2:37

are not using pop and it can be for

2:40

disabled

2:41

if you find that this is the case leave

2:45

IMAP selected

2:47

and untick popping access pop access for

2:50

your users

2:52

once you've done so select save

2:58

in this situation pop has been disabled

3:02

the IMAP is stored out to be used

3:05

this is not an ideal situation

3:08

in therefore we can carry on making a

3:12

more granular exception we can do this

3:15

by utilizing Google Groups

3:18

as you can see policies can be applied

3:20

to organizational units

3:22

that are listed here and also Google

3:25

Groups

3:26

so let's go ahead and create a Google

3:29

group

3:33

under directory groups

3:38

we will create a new group

3:41

and we'll call it IMAP

3:43

access

3:52

we'll create this as a security group as

3:54

it does not need to be mail enabled

3:58

may get restricted

4:00

and only invited users can access the

4:03

group

4:06

and the group is now created

4:11

the relevant members that need IMAP

4:13

access into your group

4:16

once you've done so select done

4:21

we can now go back to our pop and IMF

4:24

settings on the Gmail

4:28

end user access

4:33

and we can see that IMAP access is still

4:35

enabled under OU

4:37

instead we can select groups

4:41

select the group that we just created

4:47

and we can apply the relevant settings

4:51

yeah

4:53

so we can leave IMAP enabled for this

4:56

Google group

4:57

and select save

5:02

sometimes you may need to

5:04

re-authenticate

5:06

if you've been in your admin console a

5:08

long time

5:14

let's just double tick our

5:15

configurations

5:18

often you will need to redo the setting

5:20

of a timed out while you're saving as we

5:23

can see it's still not fit

5:26

so we'll select save

5:30

and we can see that the the policy has

5:32

now been applied to the Google group

5:37

we can go back to our organizational

5:39

unit now

5:40

go to our top level

5:43

select the top level policy and disable

5:45

IMAP

5:47

we can do this because the users to

5:49

continue to have access while the Google

5:51

group policy and therefore you can limit

5:54

who gets this policy quite easily

5:58

you can now look at phasing our iMac

6:00

access within your school environment.

Additional settings

These settings will provide an additional level of protection to your school.

Security Sandbox

Google’s ‘security sandbox’ scans incoming email message attachments for malicious software and viruses. If the sandbox detects a malicious attachment, it will not be sent to the recipient.

Spam, Phishing and Malware Settings Security Sandbox

Mail Security Configurations

0:05

hello and welcome to another Google

0:07

workspace security tip today we're

0:10

covering off the security sandbox

0:11

setting

0:13

you'll find a student under apps

0:15

Google workspace

0:17

and Gmail

0:21

browse now until you come across spam

0:23

fashion and malware

0:28

and here you'll find the security

0:30

sandbox

0:31

select the top of you so you know the

0:34

setting will be applied to everyone in

0:36

all accounts

0:39

the security sandbox enables Google to

0:43

open up any message attachments before

0:45

they're delivered to your mailboxes to

0:47

make sure they don't have any malicious

0:49

software or viruses ransomware or Sarah

0:52

day attacks within them

0:54

essentially to make sure that these

0:57

messages and attachments are safe before

0:59

they're delivered to your end users

1:02

this setting is only available to the

1:04

education plus Google license SKU

1:07

and therefore if you're on the

1:08

fundamentals you will need to request a

1:11

free upgrade to Education Plus

1:14

to enable this setting for all users

1:17

click into it and just check the setting

1:21

and hit save

1:24

this will apply to all messages coming

1:26

into your school

1:27

that the attachments are scanned to

1:29

ensure that there are safe

1:31

if you do not want to Target all users

1:34

or all messages

1:36

we can have some options around security

1:39

sandbox rules

1:41

instead of enabling for all users we can

1:45

untick that and click save

1:47

and we can make custom rules to Target

1:49

specific emails only

1:54

some examples are just listed below

1:56

where you maybe wish to adjust its

1:59

Target incoming messages from external

2:01

users only

2:03

to do so we will create a new rule

2:06

and in this circumstances we'll just

2:08

edit the existing rule

2:11

give the rule a title

2:13

we want to impact inbound messages only

2:16

and not internal receiving which are

2:18

your internal messages from users to

2:20

users

2:22

where the message is directed to a

2:26

recipient that has your school domain

2:29

and if these two matches the security

2:32

sandbox will run

2:34

once they've configured the rule

2:36

accordingly you can hit save

2:39

you have a lot of different options here

2:41

to configure to limit on where this rule

2:44

is exposed to

2:45

but the recommendation is to apply this

2:48

rule to everyone

2:51

to apply it to everyone

2:53

we just ignore creating any rules and

2:56

just tick this box at the top

2:59

virtual overwrite any custom rules

3:06

you have now configured the security

3:08

sandbox rule which will protect and scan

3:12

email attachments to avoid your users

3:14

receiving any malicious attachments in

3:17

their mailboxes

3:19

thank you.

Email allowlist

An allowlist creates a list of trusted addresses. This means appropriate emails can reach your staff and students, instead of their spam mailbox.

Email Allowlist

Mail Security Configurations

0:04

hello today we're gonna configure the

0:08

email allow list

0:09

you can find the setting within your

0:11

admin console

0:13

select the menu bar

0:15

select app

0:16

your workspace and in Gmail

0:21

scroll down the page until you come

0:22

across the spam version malware section

0:24

and select this

0:29

you'll find the email allowed us at the

0:32

top

0:33

in this setting we can configure our IP

0:35

addresses of truster senders where

0:37

Google will not mark them as spam and

0:40

will not perform any evaluation on these

0:42

sending IPS

0:45

as you can see summer Pages have already

0:48

been configured

0:50

if you want to add or remove any IPS

0:52

select a little edit icon

0:55

and then you can just

0:57

add or remove increase as required with

1:00

a comma separating them

1:02

it is recommended to keep this list very

1:04

minimal and to keep it reviewed often

1:08

and ensure that the IP addresses are

1:10

still relevant

1:12

if an IP address is no longer relevant

1:15

just select it

1:17

remove it

1:19

and then hit save

1:23

it is very important to only enter an IP

1:25

addresses of trusted systems

1:28

and recommended to only target internal

1:31

systems or applications that you're

1:34

aware of and utilize internally

1:37

if it's just one particular email that

1:39

you need to whitelist or a particular

1:41

offender you may

1:43

have an option to use an approved sends

1:45

list instead

1:47

we'll cover off a proofs in this list in

1:50

a different video

1:52

thank you for reviewing the email about

1:54

list.

Comprehensive mail storage

Comprehensive mail storage generates email notifications when you use Google services. For example:

creating a Google calendar event
sharing a Google Drive file.

This stores a copy in the sender’s mailbox which could be useful for tracking or investigations.

Safety Settings Comprehensive Mail Storage

Mail Security Configurations

0:05

hello today we're going to look at

0:08

covering off enabling comprehensive mail

0:11

storage

0:12

to find this setting in your admin

0:15

console browse to apps

0:17

select Google workspace and then select

0:19

Gmail

0:22

browse down the menu

0:25

until you find compliance and select the

0:27

compliance area

0:30

within this section section there are a

0:33

few different settings today we're going

0:35

to focus on the comprehensive mail

0:37

storage

0:39

as you can see this is currently off for

0:41

our school domain

0:43

we want to enable this to ensure that a

0:46

copy of all sent and received mail is

0:48

stored within the user's mailbox

0:51

there are numerous different Google

0:53

services such as calendar Drive Google

0:57

key forms where users can send and

1:01

generate emails when they create a

1:03

calendar event or share a document or

1:06

share a keep note

1:07

and I can add comments even comments

1:11

within drive for example trigger email

1:13

notification

1:14

so when these email notifications are

1:16

triggered we want to ensure that

1:20

a copy of that is stored in the senders

1:25

mailbox this is for retention purposes

1:28

and to keep a history within Google

1:32

Vault when Google vault is enabled

1:37

so we're going to select the edit icon

1:41

click the Box

1:42

and collect override

1:50

make sure you do this at your top level

1:52

are you

1:56

and as you can see the setting is now

1:59

enabled

2:00

the theme does not create any impacts or

2:04

alerts or notifications to your end user

2:06

something that can be slightly enabled

2:08

in the background and messages if

2:12

they're being sent through these

2:13

third-party tools or third-party mail

2:15

relays of Google there'll be a copy of

2:19

these messages will be stored in the

2:21

sent items of the user's mailbox

2:24

this is perfect for tracking purposes

2:26

and if you need to do any investigations

2:28

using Google vault at a later date

2:32

thank you for enabling concert

2:34

comprehensive mail storage and for

2:37

watching this video today.

Automatic forwarding

We recommend turning off automatic email forwarding. This is to avoid phishing or spam emails from being sent on. Forwarding addresses should be reviewed and managed by administrators, as explained in this video.

Client Access - Automatic Forwarding

Mail Security Configurations

0:05

hello today we're going to review the

0:08

automatic mail forwarding configuration

0:12

find this feeding within your admin

0:14

console select apps Google workspace in

0:18

Gmail

0:24

browse now until you come over to end

0:27

user access

0:32

here you'll find a few different

0:34

settings we're going to focus on

0:36

automatic forwarding

0:38

as you can see

0:40

allow users to automatically forward

0:42

incoming emails to another address as

0:44

enabled

0:46

best practice is to disable this to stop

0:49

your end users from managing their own

0:51

forwarding

0:52

rules

0:54

the reasons behind this is that in most

0:56

circumstances mail has been forwarded

0:58

off to either a personal account being

1:00

at gmail.com or Yahoo or Hotmail

1:04

and there is no visibility of these

1:07

messages being forward outside of your

1:09

school domain and outside of your

1:10

control

1:11

this can lead to data leakage once your

1:14

account or user has left the school

1:18

and it's best to be controlled from an

1:20

admin perspective

1:23

turning off automatic forwarding does

1:26

not affect users from forwarding

1:28

specific messages manually from their

1:30

inbox they can still select reply or for

1:33

forward a specific message on the

1:35

individual basis but this disables

1:38

though but this disables the option for

1:41

users to do automatic forwarding to

1:44

forward all messages to another

1:46

recipient

1:48

it is good practice to communicate out

1:50

to your users before disabling this

1:53

but once you have done so you can select

1:56

the edit configuration

1:58

and select to unthick

2:02

once you've disable the setting hit save

2:10

automated forwarding is now disabled

2:13

if in the circumstance that a user

2:16

request that email is forwarded to

2:17

another user whether one teacher goes on

2:20

leave and another teacher needs to view

2:22

their emails or so forth you can still

2:25

do this from the admin level

2:27

the best place to do that is within

2:30

another setting and will find us under

2:32

Gmail

2:36

we'll scroll down

2:39

until we come to routing

2:45

and we can configure

2:49

email forwarding using recipient address

2:52

mapping

2:55

we can click configure

2:58

give it a short description email

3:00

forwarding

3:03

and no address mappings have yet been

3:05

added

3:08

basically we can click add and we can

3:11

say we want to forward from this user to

3:14

another user and it'll automatically do

3:17

so

3:24

so I am selecting this user and

3:27

forwarding it on to either a colleague

3:28

or it can be an external recipient

3:34

if need be

3:36

again as an admin you can ensure that

3:39

these requests are legitimate for a

3:41

specific purpose

3:44

once the address has been added

3:47

you can choose to forward all messages

3:50

or just external incoming messages

3:53

in most circumstances will always

3:55

forward all messages

3:57

and you can author truth to leave a copy

3:59

within the original mailbox which is

4:01

recommended

4:05

again select save

4:12

14 is now enabled using the recipient

4:16

address map you can put multiple rules

4:19

under the same forward email forwarding

4:21

rule set that we've just created to do

4:23

so select edit

4:25

and then select add to add additional

4:27

addresses and accounts to forward to

4:30

different destinations

4:43

hitting select save

4:46

the same rules will apply to all

4:48

incoming messages are saved and a copy

4:51

is left in the original mailbox

4:59

you have now disabled email forwarding

5:02

for your end users to utilize and now

5:05

managing it from an admin perspective

5:07

thank you for making these changes and

5:10

securing your email environment.

External reply warning

An external reply warning appears when you draft an email to someone who is not within your school. This helps to prevent emails being sent to the wrong person.

Client Access - External Reply Warning

Mail Security Configurations

0:05

hello welcome to another Google

0:08

workspace security tip today we're going

0:10

to look at the external reply warning

0:13

to find the setting look in your admin

0:16

console menu go to apps

0:20

Google workspace in Gmail

0:25

scroll down until you come across end

0:27

user access and select

0:32

here we find the warn 4 external

0:35

recipients

0:36

we want to ensure it does sitting the

0:38

smart face on as shown as here

0:41

having this enabled will mean that if an

0:44

external recipient is addressed in an

0:46

email conversation a warning will be

0:48

shown before the message is sent and

0:50

also in the compose message

0:53

this is just to ensure that users are

0:56

aware that they're emailing externally

0:58

and whether they are meant to do so and

1:01

also to prevent data leakage or accent

1:04

or messages from being sent externally

1:08

if it is showing it off selected edit

1:10

icon

1:12

and took the setting to enable

1:15

once you do have done so you can choose

1:18

to save the setting

1:22

thank you for enabling one for external

1:24

recipient and securing your domain

1:26

further.

Disable Gmail web offline

We recommend turning off Gmail web offline in case a device is lost or stolen. Gmail web offline allows users to read, respond to, and search emails from their device when they are not online, for example when they are travelling.

Client Access - Gmail Web Offline

Mail Security Configurations

0:04

hello welcome to another Google

0:07

workspace security tip today we're going

0:10

to focus on Gmail offline

0:12

to find Gmail offline speeding browse

0:15

through apps

0:16

Google workspace and select email

0:21

at the top under user settings you'll

0:24

find email offline

0:29

here we can enable and disable Gmail web

0:33

offline

0:34

it is recommended to disable Gmail web

0:37

offline

0:39

for your users

0:41

Gmail web offline means that users can

0:44

access Gmail while being offline I.E if

0:47

they're traveling without an internet

0:48

connection

0:50

best practices to disable it in case the

0:53

device is compromised lost stolen that

0:56

the data is not retained and accessible

1:00

as you can see it is really off

1:03

if it is honor within your domain

1:06

select the edit icon

1:09

came out with offline

1:13

foreign

1:17

circumstances you may require female web

1:20

offline for your teachers that are

1:22

traveling or students that are traveling

1:24

and need the offline access

1:27

we can make exceptions to this rule by

1:29

utilizing a Google group

1:33

prior to this create a Google group

1:36

called Gmail offline

1:38

I've already done so and so you can see

1:41

here that we're applying the policy

1:43

through to organizational units

1:46

you can apply this policy to Google

1:48

Groups

1:50

select the Google group

1:57

and make adjustments to the policy

2:01

here you can see that the policy is not

2:03

fit through the through the Google group

2:06

so we're going to edit it

2:10

and click on

2:14

it was always good practice the fourth

2:16

collection of offline data when the user

2:18

finds out of their Google account

2:20

solar is not retained on the device

2:22

once you're done first click save

2:27

this policy is now being enabled on the

2:30

Google group called Gmail offline

2:33

enabled

2:36

if you need to know

2:38

you can add members through this group

2:40

in the positive board will be

2:42

automatically applied

2:46

just to return to the setting

2:49

we can double click that on our

2:51

organizational units Gmail web offline

2:54

is off

2:56

and if someone does need access

2:58

temporarily while they're traveling

3:00

we can see we have the Google group

3:02

created

3:07

and the policy is applied to allow Gmail

3:10

offline

3:11

so all you need to do is to add those

3:13

users to the Google group

3:16

thank you for making these changes to

3:19

secure your Google environment.

Deactivate test domain alias

We recommend turning off Google’s default test alias. This is an account that is set up using your school domain, for example [email protected] followed by .test-google-a.com.

Cyber criminals may try to use this test domain alias to email phishing attacks to other schools or organisations from your own email address.

Mail Domains - Test Domain Alias

Mail Security Configurations

0:05

hello today we're going to look at your

0:07

test domain alias

0:10

within your Google admin console browse

0:13

to account

0:15

domains and manage domains

0:19

this will list all the different domains

0:21

within your Google workspace tenant that

0:23

have been set up

0:25

Google by default will always provide a

0:27

test domain alias

0:30

to you what you can use to email your

0:32

users

0:33

or it will always follow the naming

0:36

Convention of your domain name followed

0:38

by test googlea.com

0:42

test domain Alias does not need to be

0:46

active

0:47

and is your performance specific test

0:50

look to deactivate the test domain Alias

0:53

by select and deactivate

0:56

hit and accepting the prompt that Google

0:58

provides you

1:00

select deactivate test domain Alias to

1:03

confirm your selection

1:06

your test domain Alias is now inactive

1:09

it is best practice to make this

1:12

Testament Alias inactive to avoid

1:15

malicious parties from attempting to

1:17

email your users using this test domain

1:19

alias

1:21

thank you for watching this video.

Microsoft 365 security settings

We recommend your school implement the following settings. To implement these changes, you will need admin access to your school’s Microsoft 365.

Settings to protect your email domain from spoofing

Spoofing is where an unauthorised person sends emails as your school.

You will need to have security settings in place to prevent spoofing. This means emails you send, such as your school newsletter, are not classed as spam for parents, caregivers and whānau.

These settings are:

Sender Policy Framework (SPF)
Domain-based Message Authentication, Reporting and Conformance (DMARC)
Domain Keys Identified Mail (DKIM).

For more information on what these settings are and how they work, see the link below.

Protecting your email domain from spoofing

If you do not have an IT provider, we strongly recommend you join SchoolDNS. Liverton Security can help you move to SchoolDNS and implement SPF, DKIM DMARC at the same time.

Implementing Sender Policy Framework (SPF)

SPF is an email authentication standard that lets receivers of your emails know that they are coming from a legitimate source. It also informs email providers what they should do with emails that do not match the SPF records.

Implementing Domain Keys Identified Mail (DKIM)

DKIM adds a digital signature to your outgoing emails so that you can prove you are who you say you are to the email recipient.

By default, Microsoft will sign outgoing emails on your behalf. You can change this so that your outgoing emails will be signed by your school domain.

Set up DKIM to sign mail from your Microsoft 365 domain – Microsoft

Implementing Domain-based Message Authentication, Reporting and Conformance (DMARC)

DMARC builds off SPF and DKIM. It tells email providers what they should do with emails that do not match the SPF or DKIM records – allow, quarantine (often into spam or junk), or block.

You can also use DMARC to create reports that help you to identify everything that is sending email for your email domain. This can help you identify malicious spoofing of your email domain. We recommend that a DMARC reporting service is used to create easily readable reports.

Set up DMARC to validate the From address domain for senders in Microsoft 365 – Microsoft

Using Microsoft’s recommended security policies

If you have an IT provider or an IT lead, you can set up additional security policies. Microsoft has pre-defined best practice security control settings for email. These settings build upon their default security settings.

When Microsoft adds an additional security setting due to a new cyber threat, the settings for your school will automatically be updated.

Choose between standard and strict policies

Microsoft provides 2 settings:

Standard protection – provides a suitable level of security for most users against spam, phishing, and malware (malicious software).
Strict protection – provides more comprehensive protection for staff who receive a lot of spam or phishing or have admin accounts.

We recommend implementing standard protection for all users to start. Upgrade selected users to strict if they experience large numbers of phishing emails.

Read more information on the different settings between default, standard and strict.

Recommended settings for EOP and Microsoft Defender for Office 365 security – Microsoft

Implementing standard or strict policies

To implement these policies you will need to have admin access to your Microsoft tenancy. Microsoft has steps to follow.

Enable Security Presets in Microsoft Defender for Office 365 – Microsoft

THIS PAGE IS FOR

Suppliers and providers