--- title: "Sending official emails in New Zealand? You’ll need DMARC now | DMARC Report" description: "DMARC (RFC 7489) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible From header." image: "https://dmarcreport.com/og/blog/sending-official-emails-in-new-zealand-youll-need-dmarc-now.png" canonical: "https://dmarcreport.com/blog/sending-official-emails-in-new-zealand-youll-need-dmarc-now/" --- Quick Answer DMARC (RFC 7489) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible \`From\` header. According to Google's February 2024 bulk sender requirements, a DMARC policy of at least \`p=none\` is now mandatory for any domain sending 5,000+ messages per day to Gmail users. DMARC Report Related: [Free DMARC Checker](/tools/dmarc-checker/) ·[How to Create an SPF Record](/tools/spf-record-generator/) ·[SPF Record Format](/blog/spf-format-checker-dos-and-donts-for-email-authentication/) Share [ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fsending-official-emails-in-new-zealand-youll-need-dmarc-now%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Sending%20official%20emails%20in%20New%20Zealand%3F%20You%E2%80%99ll%20need%20DMARC%20now&url=undefined%2Fblog%2Fsending-official-emails-in-new-zealand-youll-need-dmarc-now%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fsending-official-emails-in-new-zealand-youll-need-dmarc-now%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fsending-official-emails-in-new-zealand-youll-need-dmarc-now%2F&title=Sending%20official%20emails%20in%20New%20Zealand%3F%20You%E2%80%99ll%20need%20DMARC%20now "Share on Reddit") [ ](mailto:?subject=Sending%20official%20emails%20in%20New%20Zealand%3F%20You%E2%80%99ll%20need%20DMARC%20now&body=Check out this article: undefined%2Fblog%2Fsending-official-emails-in-new-zealand-youll-need-dmarc-now%2F "Share via Email") ![Sending official emails in New Zealand? You’ll need DMARC now](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg) ## Try Our Free DMARC Checker Validate your DMARC policy, check alignment settings, and verify reporting configuration. [ Check DMARC Record → ](/tools/dmarc-checker/) ![Dmarc analyzer 6677 150x150](https://media.mailhop.org/dmarcreport/images/2025/07/dmarc-analyzer-6677-150x150.jpg) > The organizations that invest in email authentication early save themselves from expensive incidents later, says Vasile Diaconu, Operations Lead at DuoCircle. We see the pattern constantly: a domain gets spoofed, customers lose trust, and the remediation effort costs 10x what proactive DMARC setup would have cost. DMARC ([RFC 7489](https://datatracker.ietf.org/doc/html/rfc7489)) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible `From` header. According to Google’s February 2024 bulk sender requirements, a DMARC policy of at least `p=none` is now mandatory for any domain sending 5,000+ messages per day to Gmail users. DMARC Report Sending official emails in New Zealand? You’ll need DMARC now ```

00:00 ``` / ``` 2:04 ``` RSS Feed ``` Share Link Embed ``` /\*! This file is auto-generated \*/ ’ title=“Embed Code” class=“input-embed input-embed-29329” readonly/> ``` ``` Different countries treat [email security](https://dmarcreport.com/blog/why-email-security-matters-and-how-to-get-it-right/) differently, and it shows in how they handle DMARC. The reason behind this could be that they’re exposed to a different threat landscape altogether, or maybe their **priorities are different**. Well, New Zealand was one of those countries that didn’t have \*\*any strict DMARC norms until very recently. It’s not like New Zealand never took email security seriously, but up until now, it did not have any mandatory guidelines or norms for [DMARC](https://dmarcreport.com/what-is-dmarc/). Instead, it relied on SEEMail, a secure email system used across government departments. But the problem was that there were no mandatory rules in place for broader **email protection**, especially when it came to DMARC and similar protocols. ![Dmarc record](https://media.mailhop.org/dmarcreport/images/2025/07/dmarc-record-7802.jpg) As [phishing and impersonation threats](https://cybersecuritynews.com/threat-actors-weaponize-pdfs-to-impersonate-microsoft-docusign-dropbox/) picked up, that gap became harder to ignore. So, the government took action. They introduced a new framework - Secure Government Email (SGE), and this time, DMARC isn’t optional. Every government agency is expected to take it seriously. Let’s break down what the SGE framework includes and what it requires from **government agencies**. ## What Is Secure Government Email (SGE) framework? We can’t say that the \*\*NZ government never saw email security as a priority, because that’s not the case. Yes, they were far behind with their [SEEMail](https://www.lawinsider.com/dictionary/secure-electronic-environment-mail-seemail) system, but now with the introduction of the Secure Government Email (SGE) framework, things are really changing. As of 2025, DMARC is mandatory under multiple compliance frameworks. [CISA BOD 18-01](https://www.cisa.gov/news-events/directives/bod-18-01) requires p=reject for US federal domains. [PCI DSS v4.0](https://www.pcisecuritystandards.org/) mandates DMARC for organizations processing payment card data as of March 2025\. Google and Yahoo require DMARC for bulk senders (5,000+ messages/day) since February 2024, and [Microsoft began rejecting](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure) non-compliant email in May 2025\. The UK [NCSC](https://www.ncsc.gov.uk/collection/email-security-and-anti-spoofing), Australia’s [ASD](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-email), and Canada’s [CCCS](https://www.cyber.gc.ca/en/guidance/implementation-guidance-email-domain-protection) all mandate DMARC for government domains. Cyber insurers increasingly require DMARC enforcement as an underwriting condition. _What finally pushed the government to act wasn’t just the usual warnings or rising spam numbers. It was the fact that domains were being misused so rampantly, and there was no system in place to stop it_. ![What is dmarc](https://media.mailhop.org/dmarcreport/images/2025/07/what-is-dmarc-4897.jpg) Looking at the gravity of the situation, the government realized that [email authentication](https://dmarcreport.com/blog/why-email-security-matters-and-how-to-get-it-right/) is no longer an option; it’s a must-have, especially for \*\*government agencies and organizations that share high-stakes sensitive information. That’s why they brought in the SGE framework. _Under SGE, government agencies are required to enforce DMARC with a stricter policy like “p=reject”, that too by October 2025_. The goal is simple: make it harder for bad actors to [fake official emails](https://www.independent.co.uk/news/world/americas/crime/trump-inauguration-crypto-scam-nigeria-b2782960.html), and easier for citizens to trust what lands in their inbox. ## The mandatory requirements of the Secure Government Email (SGE) framework By now, it’s clear that the SGE framework is stricter and much more hands-on than what came before it. If you’re a government agency or managing a domain in the [public sector](https://en.wikipedia.org/wiki/Public%5Fsector), there are baseline requirements you simply have to meet. There’s no way around it. In fact, these guidelines are meant for all your domains, whether they’re actively sending emails or just sitting there. _The reason behind this is simple: they don’t want to leave even a single point of entry for attackers_. Now, let’s take a look at what you’re supposed to do if you fall in the **category of the public domain**: ![Dmarc check](https://media.mailhop.org/dmarcreport/images/2025/07/dmarc-check-8520.jpg) ## Domains that send emails The email sending domains are most vulnerable, which is why it is important for the government agencies to go the extra mile to protect them. Here’s what you’re required to do by the [New Zealand Information Security Manual ](https://nzism.gcsb.govt.nz/)(NZISM) under SGE. - \*\*Implement DMARC: \*\*_The primary requirement of SGE is that government organizations must enforce DMARC, specifically at “p=reject”, to ensure that any email failing authentication is blocked outright_. This prevents unauthorised senders from spoofing your domain and \*\*protects recipients from falling for [fake messages](https://www.usatoday.com/story/money/2025/03/05/toll-road-text-scam/81651486007/) that look official. - \*\*Implement SPF to complement DMARC: \*\*To properly fortify your official email ecosystem, you must add another layer of protection with SPF. [SPF](https://dmarcreport.com/what-is-spf/) helps verify that emails coming from your domain are actually sent from servers you’ve approved. It’s a basic control, but an important one. Without it, anyone can try to send emails that look like they’re from you. - \*\*Set up DKIM to maintain message integrity: \*\*For emails that carry sensitive information, which many government communications do, you need to ensure that nothing changes between the moment you send it and the moment it’s received. [DKIM](https://dmarcreport.com/what-is-dkim/) does this by attaching a [cryptographic signature](https://www.ibm.com/docs/en/food-trust?topic=automation-cryptographic-signatures) so that the receiving server can verify that the message hasn’t been tampered with. - \*\*Prioritize encryption with MTA-STS and TLS-RPT: \*\*With data thefts becoming so common, encryption is no longer a nice-to-have; it’s a must-have. This is why, under the new SGE framework, agencies are required to enforce [MTA-STS](https://dmarcreport.com/blog/what-is-mta-sts-and-why-you-need-it-for-email-security/) and ensure that emails are only delivered over secure, encrypted channels. In fact, they must also turn on **TLS-RPT**, which provides reports when something goes wrong. - **Enforce TLS across all email systems:** If your organization sends official emails, your systems must support [TLS](https://www.cloudflare.com/learning/ssl/transport-layer-security-tls/) version 1.2 or higher. _Anything older than that isn’t secure enough, so disable it and move on to the latest version_. - **Consider Data Loss Prevention:** Since government emails carry sensitive information, the SGE framework mandates that you put [DLP](https://www.fortinet.com/resources/cyberglossary/dlp) controls in place to prevent accidental or unauthorised [data leaks](https://www.poconorecord.com/story/news/2024/08/14/what-to-do-if-your-data-was-leaked-in-the-national-public-data-leak/74796229007/). ![Dmarc alignment](https://media.mailhop.org/dmarcreport/images/2025/07/dmarc-alignment-6072.jpg) ## Domains that don’t send emails Under the new SGE framework , even the inactive domains are given due attention. But the norms are different for such domains. Let’s take a look: - Set the record to v=spf1 -all so that no one can send emails from the domain. - Add a placeholder like v=DKIM1; p= to block others from **adding their own key**. - Use a strict policy. The record should look like: `_v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:;_` As we mentioned earlier, comprehensive security doesn’t end with \*\*setting up protocols\*\*; it also depends on maintaining them over time. You need visibility into what’s working, what’s failing, and where action is needed, and DMARC reports help you with exactly this and more. If you need help monitoring your domain , want to see what’s working, what’s not, and where you’re exposed. We’re here to help! Our team at [DMARCReport](https://dmarcreport.com/) will help you gain the visibility and control you need to stay secure. Whether it is your active sending domains or forgotten parked domains, we can help you monitor and manage them all seamlessly! To get started, reach out to us or **book a demo today**! ## Sources - [CISA Binding Operational Directive 18-01](https://www.cisa.gov/news-events/directives/bod-18-01) - [Microsoft Outlook DMARC Enforcement May 2025](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure) (2025) - [PCI DSS v4.0 - DMARC Requirement](https://www.pcisecuritystandards.org/) (2025) - [RFC 7489 - Domain-based Message Authentication, Reporting, and Conformance (DMARC)](https://datatracker.ietf.org/doc/html/rfc7489) ## Topics [ dkim ](/tags/dkim/)[ DMARC ](/tags/dmarc/)[ email security ](/tags/email-security/)[ SPF ](/tags/spf/) ![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) [ Brad Slavin ](/authors/brad-slavin/) General Manager Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base. [LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) ## Take control of your DMARC reports Turn raw XML into actionable dashboards. Start free - no credit card required. [Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/) ## Related Articles [ Foundational 8m 10 Critical Learnings From Verizon’s 2021 DBIR - A DMARCReport Perspective Nov 25, 2025 ](/blog/10-critical-learnings-from-verizons-2021-dbir-a-dmarcreport-perspective/)[ Foundational 12m 10 DNS Blacklist Insights That Improve Email Security And Deliverability Fast Nov 14, 2025 ](/blog/10-dns-blacklist-insights-to-improve-email-security-and-deliverability/)[ Foundational 12m 10 Email Spoofing Detection Tools That Dramatically Improve Brand Protection Nov 11, 2025 ](/blog/10-email-spoofing-detection-tools-that-dramatically-improve-brand-protection/)[ Foundational 12m 10 Reasons SPF Filtering Is Critical For Email Security Nov 19, 2025 ](/blog/10-reasons-spf-filtering-is-critical-for-email-security/) ```json {"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}} ``` ```json [{"@context":"https://schema.org","@type":"BlogPosting","headline":"Sending official emails in New Zealand? You’ll need DMARC now","description":"DMARC (RFC 7489) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible From header.","url":"https://dmarcreport.com/blog/sending-official-emails-in-new-zealand-youll-need-dmarc-now/","datePublished":"2025-07-09T11:13:58.000Z","dateModified":"2026-04-16T15:53:43.000Z","dateCreated":"2025-07-09T11:13:58.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://dmarcreport.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. He founded DuoCircle in 2014 and has led the company's growth to 2,000+ customers across its email security product family. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/sending-official-emails-in-new-zealand-youll-need-dmarc-now/"},"articleSection":"foundational","keywords":"dkim, DMARC, email security, SPF","wordCount":1301,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg","caption":"Sending official emails in New Zealand? You’ll need DMARC now","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}] ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://dmarcreport.com/foundational/"},{"@type":"ListItem","position":4,"name":"Sending official emails in New Zealand? You’ll need DMARC now","item":"https://dmarcreport.com/blog/sending-official-emails-in-new-zealand-youll-need-dmarc-now/"}]} ```