Locking Down the Inbox: 5 Essential Workspace Settings for K-12

Here is a quick checklist of the essential settings you need to secure your district’s email.

K-12 IT admins face a unique challenge: protecting students from digital harm while keeping educational tools accessible. Because email is often the frontline for phishing, malware, and inappropriate communication, securing Gmail in Google Workspace is a top priority.

1. Build a “Walled Garden” (Restricted Delivery)

For most students, there is no need to email anyone outside the district. A “walled garden” ensures they only communicate with approved peers and teachers.

  • Where: Apps > Google Workspace > Gmail > Routing > Restrict delivery
  • Restrict Student OUs so they can only send and receive emails within your district’s domains, adding exceptions only for approved third-party ed-tech tools and older students.

2. Authenticate with SPF, DKIM, and DMARC

Spoofing is a massive threat; bad actors will frequently impersonate principals or superintendents to trick staff.

  • Implement SPF (authorizes sending IP addresses) and DKIM (adds a tamper-evident digital signature). Ultimately, aim for a DMARC policy of p=reject so that receiving servers reject unauthenticated emails claiming to come from your domain, which also protects your domain reputation.
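
To check how far a domain is from that goal, the published TXT records can be audited offline. The script below is an added example, not part of the original checklist or any Google tooling: it flags DMARC records that fall short of p=reject and SPF records whose `all` term does not fail unlisted senders. The sample records and the district.example domain are constructed placeholders.

```python
# Constructed sample TXT records; district.example is a placeholder domain.
SAMPLES = [
    "v=DMARC1; p=none; rua=mailto:dmarc@district.example",
    "v=DMARC1; p=reject; sp=quarantine; pct=50",
    "v=DMARC1; p=reject; rua=mailto:dmarc@district.example",
    "v=spf1 include:_spf.google.com +all",
    "v=spf1 include:_spf.google.com ~all",
]

def parse_tags(record):
    """Split 'v=DMARC1; p=reject; ...' into a tag dict (insertion-ordered)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(record):
    """Return findings for a DMARC record; an empty list means reject is in force."""
    tags = parse_tags(record)
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return ["not a DMARC record: v=DMARC1 must be the first tag"]
    findings = []
    policy = tags.get("p", "missing").lower()
    if policy != "reject":
        findings.append(f"p={policy}: receivers are not asked to reject failing mail")
    # sp= overrides p= for subdomains, so a weaker value leaves them spoofable.
    if tags.get("sp", "reject").lower() != "reject":
        findings.append(f"sp={tags['sp']}: subdomains are below reject")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy covers only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports to review")
    return findings

def audit_spf(record):
    """Return findings for an SPF record (checks the 'all' term only, no DNS)."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    alls = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not alls or alls[0][0] not in "-~":
        return [f"{alls[0] if alls else 'no all term'}: unlisted senders are not failed"]
    return []

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec, "->", (audit_spf if rec.startswith("v=spf1") else audit_dmarc)(rec) or "ok")
```

Paste in the TXT values published at your domain and at `_dmarc.` under it; an empty findings list for both means the records match the target described above.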

3. Maximize Phishing and Malware Protections

Google Workspace has robust safety features, but many strict protections are off by default to prevent false positives. Schools should lean toward stricter security.

  • Where: Apps > Google Workspace > Gmail > Safety
  • Turn on warnings for unauthenticated emails, spoofed employee names, and untrusted links. Enable strict protections against encrypted attachments and scripts.

4. Leverage Content Compliance and DLP

Schools handle highly sensitive data and need guardrails against both data leaks and cyberbullying.

  • Where: Apps > Google Workspace > Gmail > Compliance
  • Set up Content Compliance rules to flag or reject profanity in student OUs. For staff OUs, use Data Loss Prevention (DLP) to detect and block sensitive PII (like SSNs or FERPA-protected data) from leaving the district.

5. Enforce 2-Step Verification (2SV) for Staff

All the email filtering in the world won’t help if a staff member’s account gets compromised and used to launch internal phishing campaigns.

  • Where: Security > Authentication > 2-step verification
  • While you shouldn’t enforce this for young students, all staff and administrators must have 2SV enforced.