[SOLVED]: Secured student email on Google Apps for Education.


How I secured student email on Google Apps for Education so students can only email each other and staff at school addresses.

I’m consulting with two middle schools on implementing Google Apps for Education. In both schools we are following a “viral” style of adoption, meaning we’ve started the service, and are working with a few interested teachers, who have found a few interested students, who in turn are using the service more, and getting others slowly into the fold. Our big struggle now is to make student accounts able to send and receive email only within our domain. I had great difficulty finding solid, simple info on this on the web, so I’m posting my findings here as we progress.

If you’re NOT using Postini

(Postini is a third party, blessed by Google, that filters and controls your email before it gets to your Google installation.)

I don’t know if you SHOULD use Postini or not. I have found Postini has more control over all aspects of mail, but Google seems to be slowly building the parts of Postini that people use the most into Google itself, and Postini is more complex. It also archives better, I think.

Since January 2011 Google allows you to control email right within Google Apps for Education. You can make a sub-organization and let its users email only people within their domain, and also not be able to receive email from anyone outside the domain. See: http://www.google.com/support/a/bin/answer.py?hl=en&answer=177482

You can also easily shut “off” email for a subgroup now in Google without Postini. But that means that group, say students, can’t email each other at all. I think that’s a hassle because it is generally good to have teachers and students, within their domain, be able to email each other.

If you are using Postini

1. Activate Postini.

Google has a guide here on how to Activate Postini. I took notes below while I followed it.

You’ve got to be able to mess with MX records in the “cpanel” of your domain controls. This is the company you registered your domain (blah.com) with. It has a login and password and often rather easy controls. Or be in tight and responsive communication with an IT person who can. I activated Postini by registering our service with Postini in my Apps control panel while managing my Apps domain.

Postini activate

Activation Sequence

A notice came up on my Apps Dashboard when Postini was activated. I followed the directions.

MX Record Instructions

And changed the MX records with my domain hosting service.

Example of MX Records Changed

I then waited a day or so.


And then did Steps #4 and #5 in the Postini Activation Guide.

2. Configure Postini

I downloaded the PDF: Using Postini Message Security with Google Apps Education Edition

configure postini for student safe email

Using Postini Once Activated

I signed in as an admin, and went to

Once I saw this screen.

I printed the PDF: Using Postini Message Security with Google Apps Education Edition, locked my office door, and slowly went through it from the first page, while drinking decaf.


  1. My first issue was that when creating a new “Sub-Org” the word “Staff” said “already exists”, so I changed it to the initials of our school and “_Faculty_Staff”. That worked.
  2. Then I had to “Move” all staff and faculty to that “Sub-Org” per the directions. I went to “Users” and copied them in bulk to a spreadsheet. Then copied and pasted them in one column. I did a “search and replace” on “.org” and replaced with “.org,”
  3. Then I copied all the addresses with the commas into the “Move” field.
  4. I then continued to follow the directions in the PDF, even though I didn’t believe them.

And there was a TYPO! in the directions. On page 12, it says “Filter Type: Choose ‘does not contain,’” but in the graphic you’ll see “does not match regex” and that is right. See below.

Internal Inbound Mail
 Any Rule
 Does NOT Match Regex

Internal Outbound Mail
 Any Rule
 Does NOT Match Regex

It works! Students can email each other and faculty within the domain. Any emails out get bounced back to them. Any email in from outside gets bounced.
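
The filter-type difference noted above, shown as an added illustration that is not from this post or the Google PDF: a “does not contain” test and a whole-address “does not match regex” test can disagree on which addresses count as internal. The domain, the pattern and the sample addresses are constructed assumptions, and Python’s `re` module stands in for Postini’s filter engine.

```python
import re

# Assumption: placeholder domain; the post does not name the schools' domain.
SCHOOL_DOMAIN = "school.example.org"

# The whole address must be <local part>@<school domain>, ignoring case.
INTERNAL = re.compile(r"[^@\s]+@" + re.escape(SCHOOL_DOMAIN), re.IGNORECASE)

def bounced_by_regex_rule(address):
    """'Does not match regex': the rule fires (bounce) unless the full address matches."""
    return INTERNAL.fullmatch(address) is None

def bounced_by_contains_rule(address):
    """'Does not contain': the rule fires only when the domain text is absent."""
    return SCHOOL_DOMAIN not in address.lower()

def leaks(addresses):
    """Addresses the 'contains' rule lets through but the regex rule bounces."""
    return [a for a in addresses
            if bounced_by_regex_rule(a) and not bounced_by_contains_rule(a)]

# Constructed sample addresses (not from the post).
SAMPLES = [
    "teacher@school.example.org",
    "Student2@SCHOOL.Example.ORG",
    "friend@outside.example",
    "kid@school.example.org.lookalike.example",
    "school.example.org@outside.example",
]

if __name__ == "__main__":
    for addr in SAMPLES:
        print(f"{addr:45} regex_bounce={bounced_by_regex_rule(addr)} "
              f"contains_bounce={bounced_by_contains_rule(addr)}")
    print("passed by 'contains' only:", leaks(SAMPLES))
```

After setting up the real rules, sending test messages from a student account to an outside address, and from an outside address to a student, confirms that both directions bounce.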