Securing GMail for Google Apps for Education

Monitor the safety and security of minors when using electronic mail, chat rooms and other forms of direct electronic communications.”
– Excerpt from the Children’s Internet Protection Act, or CIPA (Source:

The CIPA law is clear in its intent. E-mail sent by students needs to be policed. Since most web-filters lack the ability to do this, schools normally end up blocking e-mail and chat. However, this is no longer an option with many schools turning to the free Google Apps for Education (GAfE) suite as the foundation on which they base their 1:1 initiatives. Part of GAfE is of course GMail, which students will need to use for a truly collaborative experience. The challenge here is that permitting students to use GMail allows them to log in with their consumer, or personal (as opposed to Google Apps) account. Consumer accounts cannot be policed and this opens the school up to liability. The problem is complicated by the fact that all GMail traffic is over SSL. Very few web-filters support the ability to decrypt SSL traffic. Securly recommends the following steps to secure GMail:

  • Intercept and decrypt GMail related SSL traffic. Achieving this normally involves pushing out root certificates provided by your filter vendor out to your end hosts.
  • Add the HTTP header X-GoogApps-Allowed-Domains, whose value is a comma-separated list with allowed domain name(s). Include the domain you registered with Google Apps and any secondary domains you might have added.
  • Archive GMail using an application like Vault (now free for schools). This makes all of the mail sent over your network searchable and keeps your school compliant.

To learn more about blocking consumer/personal GMail, check out our other post here.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s