Service Description

This service helps PSUs strengthen their email security posture by leveraging the tools already at their disposal—primarily SPF, DKIM, DMARC, and the native security capabilities in Google Workspace and Microsoft 365.

This service combines a PSU-specific email DNS Record Analysis Report with collaboration platform configuration best practices to reduce phishing, spoofing, and Business Email Compromise (BEC). For most PSUs, properly configured built-in protections can mitigate the vast majority of email security issues without requiring additional paid email security products.

Purpose

Proper configuration of your Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC) DNS records plays a key role in enhancing your organization’s email security and deliverability. Email is one of the most common and effective attack vectors used against PSUs. Misconfigured or incomplete email DNS records, combined with default or underused platform security settings, can leave staff and students exposed to phishing, spoofing, and impersonation attacks. For most PSUs, the proper configuration of both your email platform’s security settings alongside your SPF, DKIM, and DMARC records will provide sufficient protection against most email threats.

The purpose of this service is to:

• Help PSUs understand their current email authentication posture through a clear, easy-to-read Email DNS Record Analysis Report.
• Provide actionable remediation guidance for SPF, DKIM, and DMARC aligned with K-12 needs.
• Ensure that Google Workspace and Microsoft 365 are configured to properly enforce these protections.
• Reduce reliance on ad-hoc or trial-and-error changes by giving PSUs consistent, K-12-focused best practices they can follow over time.

This service is intended to complement other NC K-12 Cybersecurity Program offerings and help execute the actions defined in the NC K-12 CORE Safeguards.

Security Domain

CIS Control 9 – Email and Web Browser Protection
NIST CSF – Protect: Data Security (PR.DS)
NIST 800-53 – System and Communications Protections

• Lower the chance of spoofed or modified emails from valid domains
• Protect against Phishing Attacks

About The Service

The Built-In Email Security Protections service is composed of two main components:

**Remember, you must be a member of the K-12 Cybersecurity Community Mailing list to access the PSU Cybersecurity Program Plan and other supporting materials.**
Subscribe here:   https://go.ncdpi.gov/NCK12CyberCommunityList

How to get this service

General Process

1. Please fill out the PSU Email DNS Record Analysis Form with your PSU email address.
2. You will receive access to a Google Drive folder unique to your PSU.
   • This folder will contain all current and future reports
3. If requested, you will receive communications from the Cybersecurity Program Team regarding any follow-up support
4. If any DNS Record changes are detected, a new report will be generated in your folder, and you will receive a notification

Please Note

• You will only be approved to access your PSU’s Email DNS Record Analysis Report
• If we missed one of your domains, please let us know on the form
• You must use your PSU-affiliated email to gain access
• If you have any questions about the report or would like assistance implementing any changes, please reach out to the service POC

Point of Contact

Name: K-12 DNS Email Security Admins
Email: k12_emailsecurity@lists.ncsu.edu

Resources

• NIST SP 800 800-81r3 Secure Domain Name System Deployment Guide
• MCNC Email Authentication Records Whitepaper
  • Guidance document created by John Warf that details SPF, DKIM, and DMARC best practices, alongside Google Workspace proper configurations.
• Proper Configuration Validators
  • SPF
  • DKIM
  • DMARC
  • BIMI
  • MTA-STS