Sending official emails

Sending official emails in New Zealand? You’ll need DMARC now

ByBrad Slavin
Sending official emails in New Zealand? You’ll need DMARC now
Sending official emails in New Zealand? You’ll need DMARC now
/

Different countries treat email security differently, and it shows in how they handle DMARC.
The reason behind this could be that they’re exposed to a different threat landscape altogether, or maybe their priorities are different

Well, New Zealand was one of those countries that didn’t have any strict DMARC norms until very recently. 

It’s not like New Zealand never took email security seriously, but up until now, it did not have any mandatory guidelines or norms for DMARC. Instead, it relied on SEEMail, a secure email system used across government departments. But the problem was that there were no mandatory rules in place for broader email protection, especially when it came to DMARC and similar protocols.

phishing and impersonation threats


As phishing and impersonation threats picked up, that gap became harder to ignore. So, the government took action. They introduced a new framework — Secure Government Email (SGE), and this time, DMARC isn’t optional. Every government agency is expected to take it seriously.

Let’s break down what the SGE framework includes and what it requires from government agencies.

Understanding the Secure Government Email (SGE) framework

We can’t say that the NZ government never saw email security as a priority, because that’s not the case. Yes, they were far behind with their SEEMail system, but now with the introduction of the Secure Government Email (SGE) framework, things are really changing. 

What finally pushed the government to act wasn’t just the usual warnings or rising spam numbers. It was the fact that domains were being misused so rampantly, and there was no system in place to stop it

email authentication

Looking at the gravity of the situation, the government realized that email authentication is no longer an option; it’s a must-have, especially for government agencies and organizations that share high-stakes sensitive information. That’s why they brought in the SGE framework. Under SGE, government agencies are required to enforce DMARC with a stricter policy like “p=reject”, that too by October 2025. The goal is simple: make it harder for bad actors to fake official emails, and easier for citizens to trust what lands in their inbox.

The mandatory requirements of the Secure Government Email (SGE) framework

By now, it’s clear that the SGE framework is stricter and much more hands-on than what came before it. If you’re a government agency or managing a domain in the public sector, there are baseline requirements you simply have to meet. There’s no way around it. In fact, these guidelines are meant for all your domains, whether they’re actively sending emails or just sitting there. The reason behind this is simple: they don’t want to leave even a single point of entry for attackers

Now, let’s take a look at what you’re supposed to do if you fall in the category of the public domain:

Domains that send emails

Domains that send emails 

The email sending domains are most vulnerable, which is why it is important for the government agencies to go the extra mile to protect them. Here’s what you’re required to do by the New Zealand Information Security Manual (NZISM) under SGE.

  • Implement DMARC: The primary requirement of SGE is that government organizations must enforce DMARC, specifically at “p=reject”, to ensure that any email failing authentication is blocked outright. This prevents unauthorised senders from spoofing your domain and protects recipients from falling for fake messages that look official.
  • Implement SPF to complement DMARC: To properly fortify your official email ecosystem, you must add another layer of protection with SPF. SPF helps verify that emails coming from your domain are actually sent from servers you’ve approved. It’s a basic control, but an important one. Without it, anyone can try to send emails that look like they’re from you.
  • Set up DKIM to maintain message integrity: For emails that carry sensitive information, which many government communications do, you need to ensure that nothing changes between the moment you send it and the moment it’s received. DKIM does this by attaching a cryptographic signature so that the receiving server can verify that the message hasn’t been tampered with.
  • Prioritize encryption with MTA-STS and TLS-RPT: With data thefts becoming so common, encryption is no longer a nice-to-have; it’s a must-have. This is why, under the new SGE framework, agencies are required to enforce MTA-STS and ensure that emails are only delivered over secure, encrypted channels. In fact, they must also turn on TLS-RPT, which provides reports when something goes wrong.
  • Enforce TLS across all email systems: If your organization sends official emails, your systems must support TLS version 1.2 or higher. Anything older than that isn’t secure enough, so disable it and move on to the latest version
  • Consider Data Loss Prevention: Since government emails carry sensitive information, the SGE framework mandates that you put DLP controls in place to prevent accidental or unauthorised data leaks.
DLP

Domains that don’t send emails 

Under the new SGE framework, even the inactive domains are given due attention. But the norms are different for such domains. Let’s take a look: 

  • Set the record to v=spf1 -all so that no one can send emails from the domain.
  • Add a placeholder like v=DKIM1; p= to block others from adding their own key.
  • Use a strict policy. The record should look like:
v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:<sample email>;

As we mentioned earlier, comprehensive security doesn’t end with setting up protocols; it also depends on maintaining them over time. You need visibility into what’s working, what’s failing, and where action is needed, and DMARC reports help you with exactly this and more. 

If you need help monitoring your domain, want to see what’s working, what’s not, and where you’re exposed. We’re here to help! Our team at DMARCReport will help you gain the visibility and control you need to stay secure. Whether it is your active sending domains or forgotten parked domains, we can help you monitor and manage them all seamlessly! To get started, reach out to us or book a demo today

Similar Posts

Flushing DNS Cache: A Step-By-Step Guide to Troubleshoot Your Connection

Flushing DNS Cache: A Step-By-Step Guide to Troubleshoot Your Connection

ByBrad Slavin

In the digital age, a stable internet connection is like oxygen for our devices—essential and often taken for granted. Yet, we’ve all experienced those annoying moments when web pages refuse to load or seem stuck in limbo. If you’ve found yourself shaking your head at the screen, wondering what went wrong, there’s a simple trick…

How to Check if Your Email Authentication Is Set Up Correctly for DKIM, DMARC, SPF & BIMI
| |

How to Check if Your Email Authentication Is Set Up Correctly for DKIM, DMARC, SPF & BIMI

ByBrad Slavin

Email authentication is crucial in the digital world, but employing email authentication protocols like DKIM, DMARC, SPF, and BIMI correctly is more important. This post looks into why businesses need email authentication, the invisible challenges of email security, what DKIM, DMARC, SPF, and BIMI are, and how to check if your email authentication is set…

4 sectors that need email authentication the most and why

4 sectors that need email authentication the most and why

ByBrad Slavin

We are living in times where you have to think twice before clicking. But despite being mindful about what websites you visit and what links you download, you and your business are not 100% shielded from cyberattackers. Since the launch of ChatGPT in November 2022, vishing, smishing, and phishing attacks have increased by a staggering…

Decoding I-Tag DKIM Vulnerability and Its Impact on Email Deliverability and Security

Decoding I-Tag DKIM Vulnerability and Its Impact on Email Deliverability and Security

ByBrad Slavin

If you thought that authentication standards like Domain-based Message Authentication, Reporting, and Conformance (DMARC) and Brand Indicators for Message Identification (BIMI) were enough to maintain the integrity of your email communication, you are probably mistaken! According to a recent report published by Estonian security researchers, there exists a significant flaw in the DomainKeys Identified Mail…

How To Stop Spoofing Emails: Effective Security Techniques To Prevent Phishing

How To Stop Spoofing Emails: Effective Security Techniques To Prevent Phishing

ByBrad Slavin

Email spoofing is becoming a common issue that many of us encounter, often masquerading as a trusted source to trick us into revealing sensitive information. Imagine opening your inbox only to find a message that looks like it’s from your bank, but it’s actually from a cybercriminal. Frustrating, right? Spoofing emails can lead to significant…