Granular email restrictions

This relates to a wish for little kids to only be able to email their teachers and not other students.

Here's the documentation:

https://support.google.com/a/answer/9175444?hl=en

Here's the story in pictures:

1. Applied at the "all students" OU, a sending rule which adds "user-type: student" to the headers:

2. Applied at the "VERY Restricted email" OU (kids in grades 5 and under), a receiving rule which bounces emails that have that custom header content:

3. An overview of the inheritance:

4. An extra step support helped me figure out -- add "mailer-daemon@googlemail.com" to the "Restrict Delivery" whitelist (otherwise, the senders don't get the bounce message, it just silently fails):

This is the net result:

1. Students in grades 5 and below can NOT send or receive emails from ANY other student in the domain. If they try, they will get an auto-reject message and the email will not go through to the recipient.

2. Students in ALL grades CAN send and receive email with non-students (teachers) in the domain.

3. Students in grades 5 and below CAN send, but can NOT receive, email from students in grades 6 thru 8.

4. (As has always been the case) Students younger than 8th grade cannot send or receive emails with anyone outside of the domain, except for a whitelist of known services we use (e.g. Google, Apple, Meraki, etc.)

#3 is unavoidable without creating a horrific spaghetti of intertwining rules. But I really don't see it being an issue. If an older kid gets an email from a little kid, they can bring it to a grownup's attention, and it can be dealt with as a "teachable moment" for the youngster.