Sending official emails in New Zealand? You’ll need DMARC now
Different countries treat email security differently, and it shows in how they handle DMARC.
The reason behind this could be that they’re exposed to a different threat landscape altogether, or maybe their priorities are different.
Well, New Zealand was one of those countries that didn’t have any strict DMARC norms until very recently.
It’s not like New Zealand never took email security seriously, but up until now, it did not have any mandatory guidelines or norms for DMARC. Instead, it relied on SEEMail, a secure email system used across government departments. But the problem was that there were no mandatory rules in place for broader email protection, especially when it came to DMARC and similar protocols.
As phishing and impersonation threats picked up, that gap became harder to ignore. So, the government took action. They introduced a new framework — Secure Government Email (SGE), and this time, DMARC isn’t optional. Every government agency is expected to take it seriously.
Let’s break down what the SGE framework includes and what it requires from government agencies.
Understanding the Secure Government Email (SGE) framework
We can’t say that the NZ government never saw email security as a priority, because that’s not the case. Yes, they were far behind with their SEEMail system, but now with the introduction of the Secure Government Email (SGE) framework, things are really changing.
What finally pushed the government to act wasn’t just the usual warnings or rising spam numbers. It was the fact that domains were being misused so rampantly, and there was no system in place to stop it.
Looking at the gravity of the situation, the government realized that email authentication is no longer an option; it’s a must-have, especially for government agencies and organizations that share high-stakes sensitive information. That’s why they brought in the SGE framework. Under SGE, government agencies are required to enforce DMARC with a stricter policy like “p=reject”, that too by October 2025. The goal is simple: make it harder for bad actors to fake official emails, and easier for citizens to trust what lands in their inbox.
The mandatory requirements of the Secure Government Email (SGE) framework
By now, it’s clear that the SGE framework is stricter and much more hands-on than what came before it. If you’re a government agency or managing a domain in the public sector, there are baseline requirements you simply have to meet. There’s no way around it. In fact, these guidelines are meant for all your domains, whether they’re actively sending emails or just sitting there. The reason behind this is simple: they don’t want to leave even a single point of entry for attackers.
Now, let’s take a look at what you’re supposed to do if you fall in the category of the public domain:
Domains that send emails
The email sending domains are most vulnerable, which is why it is important for the government agencies to go the extra mile to protect them. Here’s what you’re required to do by the New Zealand Information Security Manual (NZISM) under SGE.
- Implement DMARC: The primary requirement of SGE is that government organizations must enforce DMARC, specifically at “p=reject”, to ensure that any email failing authentication is blocked outright. This prevents unauthorised senders from spoofing your domain and protects recipients from falling for fake messages that look official.
- Implement SPF to complement DMARC: To properly fortify your official email ecosystem, you must add another layer of protection with SPF. SPF helps verify that emails coming from your domain are actually sent from servers you’ve approved. It’s a basic control, but an important one. Without it, anyone can try to send emails that look like they’re from you.
- Set up DKIM to maintain message integrity: For emails that carry sensitive information, which many government communications do, you need to ensure that nothing changes between the moment you send it and the moment it’s received. DKIM does this by attaching a cryptographic signature so that the receiving server can verify that the message hasn’t been tampered with.
- Prioritize encryption with MTA-STS and TLS-RPT: With data thefts becoming so common, encryption is no longer a nice-to-have; it’s a must-have. This is why, under the new SGE framework, agencies are required to enforce MTA-STS and ensure that emails are only delivered over secure, encrypted channels. In fact, they must also turn on TLS-RPT, which provides reports when something goes wrong.
- Enforce TLS across all email systems: If your organization sends official emails, your systems must support TLS version 1.2 or higher. Anything older than that isn’t secure enough, so disable it and move on to the latest version.
- Consider Data Loss Prevention: Since government emails carry sensitive information, the SGE framework mandates that you put DLP controls in place to prevent accidental or unauthorised data leaks.
Domains that don’t send emails
Under the new SGE framework, even the inactive domains are given due attention. But the norms are different for such domains. Let’s take a look:
- Set the record to v=spf1 -all so that no one can send emails from the domain.
- Add a placeholder like v=DKIM1; p= to block others from adding their own key.
- Use a strict policy. The record should look like:
v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:<sample email>;As we mentioned earlier, comprehensive security doesn’t end with setting up protocols; it also depends on maintaining them over time. You need visibility into what’s working, what’s failing, and where action is needed, and DMARC reports help you with exactly this and more.
If you need help monitoring your domain, want to see what’s working, what’s not, and where you’re exposed. We’re here to help! Our team at DMARCReport will help you gain the visibility and control you need to stay secure. Whether it is your active sending domains or forgotten parked domains, we can help you monitor and manage them all seamlessly! To get started, reach out to us or book a demo today!
