New Zealand Government Secure Email Framework with Mandatory DMARC


Announcement: As of November 25, 2025, dmarcian is now officially available on the New Zealand Government Marketplace, enabling public sector agencies to streamline procurement while working towards compliance with the New Zealand Government Secure Framework (SGE). Our local team is ready to support you in meeting the requirements and maintaining client trust.


The New Zealand (NZ) Government has introduced a comprehensive framework, Secure Government Email (SGE), designed to enhance email security across public sector agencies. This new framework outlines technical guidance and best practices, like DMARC, for protecting email systems against phishing, spoofing and unauthorized use.

You can read the announcement, and view the framework here.

Why the Secure Government Email Framework Matters

The SGE framework aims to:

  • Increase the security of external email communications
  • Reduce domain spoofing and phishing risks
  • Phase out the legacy Secure Encrypted Email (SEEMail) by 2026

Unlike SEEMail, which is gateway-based and proprietary, the SGE framework uses open standards, making it accessible to all NZ government agencies. This transition underscores the government’s commitment to modernizing its email security infrastructure.

Core Email Security Standards in the Framework

The SGE Framework provides specific recommendations for implementing modern email security protocols:

  • Transmission Security
    Implement encryption standards like TLS, MTA-STS, and TLS-RPT to protect email in transit.
  • Message Integrity
    Use DKIM (DomainKeys Identified Mail) to digitally sign emails and validate message integrity.
  • Sender Verification
    Enforce SPF (Sender Policy Framework) to ensure only authorized services can send email on behalf of a domain.
  • Spoofing Protection
    Adopt DMARC (Domain-based Message Authentication, Reporting and Conformance) with a “reject” policy to block fraudulent emails.  

DMARC Enforcement Is Now Mandatory

A crucial component of this framework is the requirement for all email-enabled domains to implement DMARC policies set to p=reject.

This policy is pivotal in reducing the risk of domain spoofing and phishing attacks, as it instructs receiving servers to reject emails failing authentication checks. 

To maintain strong email hygiene, the framework also calls for the following:

  • Regular DMARC reporting
  • Ongoing analysis
  • Prompt remediation of any issues

New Zealand Government DMARC Adoption

[Figure: New Zealand Government DMARC adoption graph]

Of the 468 New Zealand government email-enabled domains we surveyed, 44% were equipped with enforcement policies of p=quarantine or p=reject, yet the majority, 56%, are not protected by DMARC’s foundational defense. Here are the full results:

  • 17% have no DMARC record and do not have the visibility needed to secure their domains.
  • 39% have a record at the p=none monitoring phase, which marks the initiation of DMARC deployment.
  • 14% have a DMARC enforcement policy of p=quarantine, the penultimate policy progression preceding p=reject.
  • 30% are at the p=reject enforcement policy and take full advantage of the protection DMARC offers.

“With the SGE Framework deadline just three months away, I was expecting to see more evidence of agencies making a start on implementation,” says our Australia-based APAC Business Unit Director Tass Kalfoglou. “In the initial phase of a DMARC deployment, one should catalogue their domain list and set up reporting. This foundational step allows you to define the scope of the work required. Starting early also gives you the benefit of time, reducing the risk of mistakes and building a comprehensive data history that gives greater confidence when you’re ready to move to DMARC enforcement.”

Of the domains we studied, 12% had problematic DMARC records, including seven percent lacking an RUA tag, the core of DMARC reporting. The RUA tag specifies an email address for aggregate reports, which provide a comprehensive view of a domain’s traffic along with DKIM and SPF authentication results. At a minimum, domain owners should configure their DMARC record to receive RUA reports; without them, valuable XML reports produced by receiving email servers are lost in the ether, and you can’t see what’s happening with your domains.
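The audit below is an added example, not dmarcian's tooling or code from the framework: it sorts DMARC TXT records into the survey's categories and flags a missing RUA address. The domains and records are constructed, the function names are hypothetical, and the `sp=` check is an extra that this article does not mention.

```python
from collections import Counter

POLICIES = ("none", "quarantine", "reject")  # weakest to strongest

def parse_dmarc(txt):
    """Split a DMARC record into a tag -> value dict (tag=value pairs joined by ';')."""
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag {part.strip()!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags

def audit(txt_records):
    """Return (status, warnings) for the TXT strings published at _dmarc.<domain>."""
    records = [r.strip() for r in txt_records if r.strip().startswith("v=DMARC1")]
    if not records:
        return "no-record", []
    if len(records) > 1:
        return "invalid", ["more than one DMARC record published"]
    try:
        tags = parse_dmarc(records[0])
    except ValueError as exc:
        return "invalid", [str(exc)]
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        return "invalid", [f"missing or unrecognised p= value {policy!r}"]
    warnings = []
    if not tags.get("rua", "").lower().startswith("mailto:"):
        warnings.append("no rua= mailto address, so aggregate reports are lost")
    sp = tags.get("sp", policy).lower()  # sp= defaults to p= when absent
    if sp in POLICIES and POLICIES.index(sp) < POLICIES.index(policy):
        warnings.append(f"sp={sp} leaves subdomains weaker than p={policy}")
    return policy, warnings

SAMPLE = {  # constructed records for made-up domains
    "a.example": [],
    "b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@b.example"],
    "c.example": ["v=DMARC1; p=quarantine"],
    "d.example": ["v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@d.example"],
    "e.example": ["v=DMARC1; p=reject rua=mailto:dmarc@e.example"],  # missing ';'
}

def summarise(domains):
    """Count domains per status, mirroring the survey categories above."""
    return Counter(audit(records)[0] for records in domains.values())
```

In practice the TXT strings would come from a DNS query for `_dmarc.<domain>`; they are passed in here so the check runs offline.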

SPF record issues were reflected in 20% of the domains. The most common problems we observed in NZ government domains were lack of SPF records, too many DNS lookups and syntax errors. 
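To make the three SPF problems concrete, here is an added example (not part of the original article or of any dmarcian product) that walks a domain's SPF record and its includes, counts the terms that trigger DNS queries against the limit of 10 set by RFC 7208, and reports missing records and unknown mechanisms. The zone data is constructed and the function names are hypothetical.

```python
import re

LOOKUP = {"include", "a", "mx", "ptr", "exists", "redirect"}  # terms that query DNS
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
LIMIT = 10  # RFC 7208, section 4.6.4

def spf_lookups(domain, zone, path=()):
    """Count DNS-querying terms for domain, following include: and redirect=."""
    if domain in path:
        raise ValueError(f"SPF include loop via {domain}")
    terms = zone.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"{domain}: no SPF record")
    total = 0
    for raw in terms[1:]:
        m = re.fullmatch(r"[+\-~?]?([a-z0-9]+)(?:([:=/])(.*))?", raw.lower())
        if m is None:
            raise ValueError(f"{domain}: syntax error in {raw!r}")
        name, sep, arg = m.groups()
        if sep == "=":
            if name != "redirect":
                continue  # exp= and unknown modifiers cost no lookups
        elif name not in MECHANISMS:
            raise ValueError(f"{domain}: unknown mechanism {raw!r}")
        if name in LOOKUP:
            total += 1
        if name in ("include", "redirect"):
            total += spf_lookups(arg, zone, path + (domain,))
    return total

def check_spf(domain, zone):
    """Return (ok, detail) for one domain's SPF configuration."""
    try:
        count = spf_lookups(domain, zone)
    except ValueError as exc:
        return False, str(exc)
    if count > LIMIT:
        return False, f"{count} DNS lookups exceeds the limit of {LIMIT}"
    return True, f"{count} DNS lookups"

ZONE = {  # constructed SPF records for made-up domains
    "agency.example": "v=spf1 mx include:mail.example include:crm.example -all",
    "mail.example": "v=spf1 include:a.mail.example include:b.mail.example ~all",
    "a.mail.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "b.mail.example": "v=spf1 a mx exists:%{i}.bl.example -all",
    "crm.example": "v=spf1 a a:x.crm.example mx ptr include:a.mail.example -all",
    "typo.example": "v=spf1 ipv4:192.0.2.1 -all",
}
```

`agency.example` lists only three lookup terms itself, but its two includes push the total to 13, which is how a record that looks short can still fail evaluation.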

“The errors and warnings our audit identified are typically simple to resolve but can be easily missed without a dedicated DMARC management solution,” Tass continues. “Our platform provides a holistic visualization of your email infrastructure, bringing these misconfigurations to your immediate attention. Some of these warnings pose a significant risk, capable of leaving you vulnerable even with a p=reject policy in place.”

What this Means for Government Agencies

By 2026, agencies must retire SEEMail and fully transition to the SGE-compliant model. The shift reflects a broader commitment by the New Zealand government to adopt scalable, open-standard solutions that improve security without relying on proprietary systems.

For many agencies, this will require an overhaul of existing email configurations and third-party service integrations. Agencies that act early will not only reduce their exposure to phishing and impersonation threats, but will be better positioned to meet compliance deadlines without operational disruption. Proactive implementation also enables more time to build internal capability and align with other digital transformation initiatives. 

“Based on my experience in environments where DMARC is mandated, I anticipate a last-minute rush to achieve compliance. There’s a clear distinction between taking on a task willingly and being forced into it. Individuals may not fully grasp the importance of this work or may lack the necessary resources to complete it on time.”

—Tass Kalfoglou, dmarcian APAC Director

How dmarcian Can Help

As leaders in DMARC implementation and management, dmarcian is uniquely positioned to support New Zealand agencies in meeting these new email security requirements.

Our platform and services include:

  • DMARC record setup and configuration
  • DKIM, SPF and MTA-STS alignment
  • Advanced reporting and incident alerts

Whether you’re just beginning your transition or need help optimizing an existing configuration, our team is ready to assist, complete with a regional presence.

Ready to Get Started?

Contact us today to discuss how we can help your agency implement and maintain compliance with the New Zealand Government’s Secure Email Framework effectively, efficiently and with confidence.

Get in touch with our Asia-Pacific based team

