Email Security Essentials

by Keith A. Bockwoldt, CETL

There is a fast growing trend with Phishing scams targeting school districts and businesses alike. Perpetrators are using social engineering tactics to trick people into giving up information. They’re researching organizational charts and reporting structures from your district’s website. This provides them with some initial information to start their scam.

One of the common ways a Phishing scam starts is when a spoofed email message is sent. A spoofed email looks like a legitimate email from another employee when in fact it’s not. Most of the time they involve a request from the superintendent, assistant superintendent, or other business official. Let’s take a look what a spoofed email looks like.

The scariest part is how quickly people reply to these types of emails. From the immediate nature of the email, staff are compelled to respond quickly. Once a reply is made, the perpetrator of the email starts a conversation to try and get a money wire transfer, payroll, W2 or other personal information from the district.

There are key indicators in the message that should be noticed by staff. First, the grammar is nothing a superintendent would send, even if it were sent from a phone. The superintendent also doesn’t have an iPhone. Not all staff may know this, but it’s important to note if a superintendent wanted this information, they would typically make a phone call.

What can you do to prevent these types of messages? Starting an awareness campaign can help staff understand why they should review these messages closer. This can be accomplished through email, or newsletter to staff. Some of the things you may want to consider as you start the awareness campaign:

  • Explain to staff how to identify poor grammar. In the example, the word vendor is capitalized, along with many other grammatical errors.
  • Hovering over the email name will typically expose the underlying email address where the email really came from. In the case of the email above, it was from (YourSuperintendent)
  • Even though the message indicates not to call, make a call to the superintendent or business office official to confirm the information being requested.
  • Don’t click on suspicious web links such as ones requesting to verify your email account and password information. Hovering over the web link will expose the URL the perpetrator is trying to send you to.
  • Use an email address to provide a feedback loop to report suspicious emails to the technology department. Once the technology department has the information, they can take measures to block phishing web links. If the email is widespread, the department may want to send an email blast out to staff identifying the email is a scam and to ignore. It’s equally important to have staff report if they complied with an illegitimate request.

There are additional steps that can prevent spoofed emails altogether. These measures have been around for some time, but industry as a whole hasn’t widely adopted.  This requires setup of three specific Domain Name Service (DNS) records.

These principles apply to any email system. For the purpose of this article, we’ll use examples from Google, since many school districts are using Google Apps for Education.

The first record to create is a Sender Policy Framework (SPF) record. A SPF record is a type of DNS TXT record that identifies which mail servers are permitted to send email on behalf of your domain. The purpose of a SPF record is to prevent spammers from sending messages with forged “From” addresses at your domain.

When an email comes into a Google email account, it will be marked as SPAM and put in the SPAM folder. The email below was sent from a domain in the Czech Republic using my email address. You will notice the violation warning from Google.

A link to Google support on the setup of the SPF record provides guidance on how to set it up: Google SPF record. Finally, to verify that your SPF record is live and working, just send a blank email message to from your Gmail address. You’ll receive an instant reply with the results of the SPF check. If you see a “pass” against the SPF check, it means the SPF record is working and should prevent your Gmail messages from getting rejected as SPAM.

The second DNS record to setup is called a Domain Keys Internet Mail (DKIM) record. DKIM uses DNS TXT records to define Domain Keys policy and public encryption keys for a domain name. Once the DKIM record is setup, there should be time set aside for propagation. Once this has taken place, authentication can be turned on the Google administration panel.

A link to Google support for the setup of the DKIM record provides guidance on how to set it up: Google DKIM record. The typical DKIM record is 2048 bit. Depending on if you host your own DNS servers, or if a hosting company is used, will depend on how the DKIM record can be setup. This is due to the way the long authentication string is formatted in DNS. A Google search on “DKIM DNS record character limit” yields many articles on this topic.

The last and final step is to create a Domain-Based Message Authentication Reporting and Conformance (DMARC) DNS record. At a high level, DMARC is designed to satisfy the following requirements:

  • Minimize false positives.
  • Provide robust authentication reporting.
  • Assert sender policy at receivers.
  • Reduce successful Phishing delivery.
  • Work at Internet scale.
  • Minimize complexity.

It is required to have the SPF and DKIM records setup before the DMARC record can be introduced. The anatomy of the DMARC record consists of three specific options for Google domains. If your district is not using Google Apps for Education, there are other options that can be used. More information can be found at:

The three options available for Google domains are:

  • none - Take no action. Log affected messages on the daily report only.
  • quarantine - Mark affected messages as SPAM.
  • reject - Cancel the message at the SMTP layer. The message will not be delivered to the intended recipient

When first setting up the DMARC record it’s important to use the “none” action. A daily report will be sent to the email address identified in the DMARC DNS record. The report is designed to identify how many spoofed messages are being sent or received from your domain. If any anomalies with email delivery are noticed, adjustments can be made to the record. 

Once the verification of mail flow is verified, you can move onto the “quarantine” or “reject” options. I always recommend using the “quarantine” option first and then setting the “reject” option after email flow is working as expected. This Google support article will walk through how to start slowly and then increase the percentages until 100% is achieved: Google DMARC record.

Equally important when setting up the DMARC record is to have a separate email account identified in the DMARC DNS record to receive the DMARC reports from companies that also use DMARC records. For example, don’t use your personal email address, since DNS records can be publically queried and expose your email address. Using an email address such as, or, which allows you to review the reports without exposing your email address and filling up your inbox.

These recommendations from will walk you through the successful deployment of the DMARC record.

  • Deploy DKIM & SPF. You have to cover the basics, first.
  • Ensure that your mailers are correctly aligning the appropriate identifiers.
  • Publish a DMARC record with the “none” flag set for the policies, which requests data reports.
  • Analyze the data and modify your mail streams as appropriate.
  • Modify your DMARC policy flags from “none” to “quarantine” to “reject” as you gain experience.

While it may seem a bit daunting to setup these records, with a little investigation and Googling, you’ll find a wealth of information. Following these steps can help in the war against Phishing scams and spoofed emails.

Keith A. Bockwoldt, CETL, is the Director of Technology Services for Township High School District 214 in Arlington Heights, Illinois. He was also named NSBA "20 to Watch".