
New Zealand Government Rolls Out Secure Email Framework with Mandatory DMARC
The New Zealand Government (NZGov) has introduced a comprehensive new framework titled “Secure Government Email Common Implementation Framework” (SGE) designed to enhance email security across public sector agencies. The framework outlines technical guidance and best practices, such as DMARC, for protecting email systems against phishing, spoofing and unauthorized use.
You can read the announcement, and view the framework here.
Why the Secure Government Email Framework Matters
The SGE framework aims to:
- Increase the security of external email communications
- Reduce domain spoofing and phishing risks
- Phase out the legacy Secure Encrypted Email (SEEMail) by 2026.
Unlike SEEMail, which is gateway-based and proprietary, the SGE framework uses open standards, making it accessible to all New Zealand government agencies. This transition underscores the government’s commitment to modernizing its email security infrastructure.
Core Email Security Standards in the Framework
The SGE Framework provides specific recommendations for implementing modern email security protocols:
- Transmission Security
Implement encryption standards like TLS, MTA-STS, and TLS-RPT to protect email in transit.
- Message Integrity
Use DKIM (DomainKeys Identified Mail) to digitally sign emails and validate message integrity.
- Sender Verification
Enforce SPF (Sender Policy Framework) to ensure only authorized services can send email on behalf of a domain.
- Spoofing Protection
Adopt DMARC (Domain-based Message Authentication, Reporting and Conformance) with a “reject” policy to block fraudulent emails.
DMARC Enforcement Is Now Mandatory
A crucial component of this framework is the requirement for all email-enabled domains to implement DMARC policies set to p=reject.
This policy is pivotal in reducing the risk of domain spoofing and phishing attacks, as it instructs receiving servers to reject emails failing authentication checks.
To maintain strong email hygiene, the framework also calls for the following:
- Regular DMARC reporting
- Ongoing analysis
- Prompt remediation of any issues
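As an added illustration (not part of the framework or of dmarcian's tooling), the following Python checks a published DMARC TXT record against the p=reject requirement described above. The sp, pct and rua checks are assumptions about what a complete enforcement audit would cover; the sample records and the example.govt.nz domain are constructed.

```python
# Added example: audit a DMARC TXT record against an enforcement baseline.
# Sample records are constructed; example.govt.nz is a placeholder domain.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of lower-cased tag names to values."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        raise ValueError("not a DMARC record: v=DMARC1 must be the first tag")
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    return tags

def audit_dmarc(txt):
    """Return a list of findings; an empty list means the record passes."""
    try:
        tags = parse_dmarc(txt)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or '(missing)'}; the framework requires p=reject")
    # Assumption: an explicit sp weaker than reject leaves subdomains spoofable.
    # When sp is absent it inherits the value of p (RFC 7489).
    if "sp" in tags and tags["sp"].lower() != "reject":
        findings.append(f"sp={tags['sp']} weakens the policy for subdomains")
    # Assumption: pct below 100 (the default) applies the policy to a sample only.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) != 100:
        findings.append(f"pct={pct} means the policy is not applied to all mail")
    # Aggregate reports (rua) are the input for regular reporting and analysis.
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not any(u.lower().startswith("mailto:") for u in rua):
        findings.append("no rua mailto: address; aggregate reports will not arrive")
    return findings

SAMPLES = {  # constructed records
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.govt.nz",
    "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc@example.govt.nz",
    "partial": "v=DMARC1; p=reject; sp=none; pct=50",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(label, audit_dmarc(record) or "OK")
```

In practice the record would be fetched from the TXT entry at _dmarc.<domain> before being passed to audit_dmarc.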
What this Means for Government Agencies
By 2026, agencies must retire SEEMail and fully transition to the SGE-compliant model. The shift reflects a broader commitment by the New Zealand government to adopt scalable, open-standard solutions that improve security without relying on proprietary systems.
For many agencies, this will require an overhaul of existing email configurations and third-party service integrations. Agencies that act early will not only reduce their exposure to phishing and impersonation threats, but will be better positioned to meet compliance deadlines without operational disruption. Proactive implementation also enables more time to build internal capability and align with other digital transformation initiatives.
How dmarcian Can Help
As leaders in DMARC implementation and management, dmarcian is uniquely positioned to support New Zealand agencies in meeting these new email security requirements.
Our platform and services include:
- DMARC record setup and configuration
- DKIM, SPF and MTA-STS alignment
- Advanced reporting and incident alerts
Whether you’re just beginning your transition or need help optimizing an existing configuration, our team is ready to assist, complete with a regional presence.
Ready to Get Started?
Contact us today to discuss how we can help your agency implement and maintain compliance with the New Zealand Government’s Secure Email Framework effectively, efficiently and with confidence.