GSuite, O365 & eMail Protection in K12: A Large Scale DNS Record Analysis

Summary

This post looks at a large-scale dataset of school district DNS records (more than 10,000) and offers two takeaways. First, it provides some quantitative evidence on the use of cloud mail and collaboration tools in K12 (specifically Google's and Microsoft's), and second, it looks at how districts are (or are not) using the simple measures available in DNS to lower the risk of phishing email attacks, like those that compromised computer systems at the DNC.

It is important to note that this analysis was based on each district's "domain of record"; districts, and even individual schools, may have set up one or more of these systems on domains other than their primary domain. Additionally, this looks at districts only and does not attempt to estimate the total number of users of either system by extrapolating district student and staff counts.

School districts that use GSuite (Google Apps for Education) and Microsoft Office 365 (O365) must make specific changes to their domain's DNS entries in order to verify the domain and use these tools. This means it is possible to estimate the general adoption of these two tools by examining the DNS records of K12 school districts.

A programmatic scan of school district domains of record (based on information from all 50 state Departments of Education) in December 2016 found that, of 10,915 domains, 48% were using Google, 15% Microsoft Office 365, and less than 1% both.


This analysis was previously conducted in November 2013 using the same source data. At that time the percentage of Google Apps domains was essentially the same and the percentage of Office 365 domains was 5%.

Domains using Microsoft Office 365 showed a much higher rate of employing DNS-record measures (SPF and DKIM) to reduce the risk of "spoofed" email than districts using Google Apps.

                 Count     SPF     SPF%     DKIM    DKIM%
O365             1,641   1,161   98.17%      193    1.76%
Google Apps      5,229   3,133   59.92%       31    0.59%

Methodology:

School district domain addresses were identified and collected from their respective state Department of Education websites. While there are more than 14,000 school districts in the US, not all districts were listed with a domain, and in some cases where a domain was listed it was only a web domain that did not correspond to the district's email domain. 11,093 records were identified, from which invalid URLs and domains with no MX record were eliminated, resulting in 10,915 domain addresses. This approach only looks at the domains of districts, not individual schools, and only at what was determined to be the district's primary domain. Actual use of either Google or Microsoft is greater due to the use of secondary district domains and individual school domains.

The DNS records for these domains were programmatically queried to look for specific entries that are required for the configuration of GSuite (Google Apps for Education) and for Microsoft Office 365 (O365).

Domain Verification:

Both Google Apps and Microsoft Office 365 require that the owner of a domain make a specific change to their DNS records in order to prove that they have control of the domain.

Microsoft Office 365 typically has an MX record entry that uses the format

MS=msXXXX (where XXXX is a long alphanumeric string)

GSuite (Google Apps for Education) typically uses a TXT record with the format:

google-site-verification=XXXX (where XXXX is a long alphanumeric string)

MX Records:

MX records control the routing of email and are a strong indicator that a domain is actively using a particular service (Google, Microsoft or other).

Microsoft Office 365 typically has an MX record entry that uses the format

<domain>.mail.protection.outlook.com

GSuite (Google Apps for Education) typically has an MX record entry that uses the format:

aspmx.l.google.com or alt<#>.aspmx.l.google.com
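The classification the methodology describes (drop domains without an MX record, then flag each remaining domain by which provider routes its mail and which provider has a verification record) can be expressed as a small program. The following is an added example, not the author's scanning code: it runs against a constructed in-memory snapshot of DNS answers so it works offline, and the district domains in it are placeholders. A real scan would fill the same `{(name, rtype): [rdata, ...]}` structure from a resolver such as dnspython's `dns.resolver.resolve`, one domain of record at a time.

```python
"""Classify district domains by their GSuite / Office 365 DNS footprint.

Added example, not the post's own scanning code. Works on an in-memory
snapshot of DNS answers so it runs offline; a real scan would fill the same
{(name, rtype): [rdata, ...]} structure from a resolver.
"""
from collections import Counter

# Constructed sample answers; the domains are placeholders, not real districts.
# O365 MX hosts look like <district-domain-with-hyphens>.mail.protection.outlook.com;
# Google MX hosts are aspmx.l.google.com and altN.aspmx.l.google.com.
SAMPLE_DNS = {
    ("district-a.example", "MX"): ["10 aspmx.l.google.com.", "20 alt1.aspmx.l.google.com."],
    ("district-a.example", "TXT"): ["google-site-verification=aBcDeF123", "v=spf1 include:_spf.google.com ~all"],
    ("district-b.example", "MX"): ["0 district-b-example.mail.protection.outlook.com."],
    ("district-b.example", "TXT"): ["MS=ms12345678", "google-site-verification=GhIjKl456"],
    ("district-c.example", "MX"): ["10 mail.district-c.example."],  # self-hosted mail
    ("district-c.example", "TXT"): ["MS=ms87654321"],               # O365 verified, never cut over
    ("district-d.example", "MX"): ["10 mx.otherhost.example."],
    ("district-d.example", "TXT"): [],
    ("district-e.example", "MX"): [],  # no MX record: dropped, as in the methodology
}

# Same overlapping categories as the post's results table, in table order.
CATEGORIES = [
    "O365 MX Record", "Google MX Record", "Both MX Records",
    "No Google or O365 MX Record", "Google Verification, No MX Record",
    "O365 Verification, No MX Record", "O365 MX & Google Verification",
    "Google MX & O365 Verification", "No Google or O365 Entries",
]


def lookup(dns, name, rtype):
    """Return the rdata strings for name/rtype, or [] when nothing is published."""
    return dns.get((name, rtype), [])


def classify(dns, domain):
    """Flags for one domain: which provider routes its mail and which has verified it."""
    # MX rdata is "<preference> <exchange>"; normalize the exchange host name.
    mx_hosts = [rr.split()[-1].rstrip(".").lower() for rr in lookup(dns, domain, "MX")]
    txt = [t.lower() for t in lookup(dns, domain, "TXT")]
    return {
        "has_mx": bool(mx_hosts),
        "google_mx": any(h == "aspmx.l.google.com" or h.endswith(".aspmx.l.google.com") for h in mx_hosts),
        "o365_mx": any(h.endswith(".mail.protection.outlook.com") for h in mx_hosts),
        "google_verified": any(t.startswith("google-site-verification=") for t in txt),
        "o365_verified": any(t.startswith("ms=ms") for t in txt),
    }


def categorize(dns, domains):
    """Tally the overlapping categories; returns (domains scanned, Counter of categories)."""
    counts = Counter({name: 0 for name in CATEGORIES})
    scanned = 0
    for domain in domains:
        c = classify(dns, domain)
        if not c["has_mx"]:
            continue  # the methodology eliminates domains with no MX record
        scanned += 1
        g, o, gv, ov = c["google_mx"], c["o365_mx"], c["google_verified"], c["o365_verified"]
        counts["O365 MX Record"] += o
        counts["Google MX Record"] += g
        counts["Both MX Records"] += g and o
        counts["No Google or O365 MX Record"] += not (g or o)
        counts["Google Verification, No MX Record"] += gv and not g
        counts["O365 Verification, No MX Record"] += ov and not o
        counts["O365 MX & Google Verification"] += o and gv
        counts["Google MX & O365 Verification"] += g and ov
        counts["No Google or O365 Entries"] += not (g or o or gv or ov)
    return scanned, counts


def report(scanned, counts):
    """Rows of 'category  count  percentage'; categories overlap, so totals exceed 100%."""
    return [f"{name:<36} {counts[name]:>6} {counts[name] / scanned:>8.2%}" for name in CATEGORIES]


if __name__ == "__main__":
    domains = sorted({name for name, _ in SAMPLE_DNS})
    n, tally = categorize(SAMPLE_DNS, domains)
    print(f"domains with an MX record: {n}")
    print("\n".join(report(n, tally)))
```

The verification checks only look at TXT records on the apex name, which is where both providers have the owner place the token; a district that verified through a different method would be counted as having "no entries" for that provider, so the verification-only categories are a lower bound.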


DNS Scan Results:

Approximately 25% of districts had started the setup process (verification) but did not complete it to the point of routing email through that system; of these, about half (~12%) had also completed verification with, and were routing mail through, the other of the two tools. Only 25% of districts had no evidence of any Google Apps or Microsoft Office 365 DNS entries.

                                        Count   Percentage*
O365 MX Record                          1,641       15.03%
Google MX Record                        5,229       47.91%
Both MX Records                            78        0.71%
No Google or O365 MX Record             3,967       36.34%
Google Verification, No MX Record       1,487       13.84%
O365 Verification, No MX Record         1,252       11.65%
O365 MX & Google Verification             535        4.98%
Google MX & O365 Verification             748        6.96%
No Google or O365 Entries               2,691       25.05%


*Categories overlap, so the total adds up to more than 100%.

Securing eMail through DNS

Given the risk of malware, ransomware and worse that can be the result of spoofed email

SPF Records

Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators. (source: Wikipedia)

Enabling SPF is done by adding a DNS TXT record. The chart below shows the number and percentage of scanned domains that had enabled SPF. The O365 districts showed a much higher rate of configuring the SPF setting.

                                               Count     SPF      SPF%
O365 MX Record                                 1,641   1,161    98.17%
Google MX Record                               5,229   3,133    59.92%
Other System (No Google or O365 MX Record)     3,967   1,790    45.12%
Both MX Records                                   78      78   100.00%
Totals                                        10,915   6,612    60.58%

DKIM

DomainKeys Identified Mail (DKIM) is an additional email authentication method designed to detect email spoofing. It allows the receiver to check that an email claimed to come from a specific domain was indeed authorized by the owner of that domain. It is intended to prevent forged sender addresses in emails, a technique often used in phishing and email spam. (source: Wikipedia)

DKIM use among K12 districts was negligible.

                                    Count    DKIM    DKIM%
O365 MX Record                      1,641     193    1.76%
Google MX Record                    5,229      31    0.59%
No Google or O365 MX Record         3,967       5    0.13%
Both MX Records                        78       3    3.85%
Totals                             10,915     232    2.13%

How to add these DNS settings in Google Apps and O365

School districts using Google and Office 365 (and other email systems) can take simple measures to improve email security by enabling SPF, DKIM and DMARC.

  • Google's administrator help documents the settings for SPF, DKIM and DMARC
  • Microsoft's Office 365 documentation covers the settings for SPF, DKIM and DMARC
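As an added example (not the author's code), the following program checks the three measures the SPF and DKIM sections above describe, plus DMARC, against a constructed in-memory snapshot of TXT answers, and summarizes them the way the post's tables do. It is the kind of check a district could run after applying the settings linked above. The `include:` hosts are the ones the two providers' setup guides publish; the domains, keys and DMARC addresses are placeholders. DKIM is probed at the documented default selectors (`google` for Google, `selector1`/`selector2` for Office 365), which is an assumption of this example: a district using any other selector name is invisible to the probe, one reason a DNS scan undercounts DKIM.

```python
"""Check SPF, DKIM and DMARC for a domain from an in-memory TXT snapshot.

Added example, not the post's own code. A real check would fill the same
{(name, "TXT"): [rdata, ...]} structure from a resolver.
"""

# Documented default DKIM selectors (Google Workspace; Office 365). Assumption of
# this example: any other selector name cannot be discovered from DNS alone.
KNOWN_SELECTORS = ("google", "selector1", "selector2")

# Constructed sample zone data; domains are placeholders, keys are truncated dummies.
SAMPLE_DNS = {
    # Google-hosted district with all three measures in place.
    ("good.example", "TXT"): ["v=spf1 include:_spf.google.com ~all"],
    ("google._domainkey.good.example", "TXT"): ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAdummy"],
    ("_dmarc.good.example", "TXT"): ["v=DMARC1; p=quarantine; rua=mailto:dmarc@good.example"],
    # Office 365 district. In real DNS selector1._domainkey.<domain> is a CNAME to the
    # tenant's key record; a TXT query follows it, so the snapshot stores the final answer.
    ("o365.example", "TXT"): ["v=spf1 include:spf.protection.outlook.com -all"],
    ("selector1._domainkey.o365.example", "TXT"): ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAdummy"],
    ("_dmarc.o365.example", "TXT"): ["v=DMARC1; p=reject; rua=mailto:dmarc@o365.example"],
    # SPF published but ending in +all, which authorizes every host: no protection.
    ("weak.example", "TXT"): ["v=spf1 include:spf.protection.outlook.com +all"],
    # DKIM record present but with an empty p= tag, which RFC 6376 defines as a revoked key.
    ("revoked.example", "TXT"): ["v=spf1 include:_spf.google.com ~all"],
    ("google._domainkey.revoked.example", "TXT"): ["v=DKIM1; p="],
    # Nothing published at all.
    ("none.example", "TXT"): [],
}


def lookup(dns, name):
    return dns.get((name, "TXT"), [])


def parse_tags(record):
    """Parse a 'k=v; k=v' tag list (DKIM, DMARC) into a dict with stripped keys and values."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def parse_spf(record):
    """Split an SPF record into [(qualifier, mechanism, argument)] and {modifier: value}."""
    mechanisms, modifiers = [], {}
    for term in record.split()[1:]:  # skip the v=spf1 version term
        if "=" in term and ":" not in term.split("=", 1)[0]:
            key, value = term.split("=", 1)  # e.g. redirect=_spf.example
            modifiers[key.lower()] = value
            continue
        qualifier = "+"  # RFC 7208: a mechanism without a qualifier means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        mechanisms.append((qualifier, name.lower(), arg))
    return mechanisms, modifiers


def spf_status(dns, domain):
    """'missing', 'permerror' (several records), or what the record's 'all' term does."""
    records = [t for t in lookup(dns, domain) if t.lower().startswith("v=spf1")]
    if not records:
        return "missing"
    if len(records) > 1:
        return "permerror"  # RFC 7208: multiple SPF records are a permanent error
    mechanisms, modifiers = parse_spf(records[0])
    for qualifier, name, _ in mechanisms:
        if name == "all":
            return {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "passall"}[qualifier]
    return "redirect" if "redirect" in modifiers else "neutral"  # no 'all': implicit neutral


def dkim_selectors(dns, domain):
    """Selectors with a usable public key; an empty p= tag is a revoked key and is skipped."""
    found = {}
    for selector in KNOWN_SELECTORS:
        for record in lookup(dns, f"{selector}._domainkey.{domain}"):
            tags = parse_tags(record)
            if tags.get("v", "DKIM1") == "DKIM1" and tags.get("p"):
                found[selector] = tags["p"]
    return found


def dmarc_policy(dns, domain):
    """The p= policy of the domain's DMARC record, or None when none is published."""
    for record in lookup(dns, f"_dmarc.{domain}"):
        if record.lower().startswith("v=dmarc1"):
            return parse_tags(record).get("p", "").lower() or None
    return None


def posture(dns, domain):
    return {"spf": spf_status(dns, domain), "dkim": sorted(dkim_selectors(dns, domain)),
            "dmarc": dmarc_policy(dns, domain)}


def summarize(dns, domains):
    """Counts as in the post's tables: a domain 'has SPF' if any v=spf1 record exists."""
    return {"domains": len(domains),
            "spf": sum(spf_status(dns, d) != "missing" for d in domains),
            "dkim": sum(bool(dkim_selectors(dns, d)) for d in domains),
            "dmarc": sum(dmarc_policy(dns, d) is not None for d in domains)}


if __name__ == "__main__":
    sample = ["good.example", "o365.example", "weak.example", "revoked.example", "none.example"]
    for d in sample:
        print(f"{d:<16} {posture(SAMPLE_DNS, d)}")
    print(summarize(SAMPLE_DNS, sample))
```

Note that the post's tables count a domain as protected as soon as an SPF record exists; `posture` is stricter, reporting `passall` for a record that ends in `+all`, which authorizes every sender and offers no protection, and treating a DKIM record with an empty key as absent.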