DMARC is now mandatory in New Zealand: Here’s what the NZ government expects

by DuoCircle


Most countries have already made DMARC enforcement mandatory, especially for government agencies (after all, that’s where the real threats lie). But New Zealand wasn’t on this list until now! 

Things have changed with the introduction of the Secure Government Email (SGE) framework. Designed for public sector agencies responsible for sending official emails and engaging with citizens, vendors, and external partners, this new framework sets clear expectations for securing email systems. The goal is to bring consistency and close long-standing gaps in email protection. Agencies are expected to implement the SGE framework by October 2025.

Now, to be fair, NZ wasn’t completely ignoring the issue before. It had SEEMail, which worked well at the time, but now that the threat landscape has evolved, it falls short. That’s why SGE was introduced.

More than being an upgrade to SEEMail, the new framework shows how the government’s approach and priorities towards cybersecurity are evolving. It’s no longer about ticking off a checkbox but about actively protecting critical communication against new-age attacks like phishing and spoofing.

Now let’s see what the SGE framework is all about and what the New Zealand government expects under this framework:


What is the new Secure Government Email (SGE) framework?

The Secure Government Email (SGE) framework is New Zealand’s updated system for protecting government email. It lays down clear rules to help agencies keep sensitive information safe and stop attackers from faking official email addresses, which has become a major problem lately. Before SGE, agencies were using SEEMail, which worked well for a time. But as email threats like phishing and spoofing became more advanced, SEEMail struggled to keep up. It also had limitations when working with external partners and didn’t scale well. SGE, with stronger security measures that are more in line with what’s needed today, has now taken its place.

What it essentially does is:

  • Follows strict security standards to protect sensitive data.
  • Prevents attackers from impersonating government agencies.
  • Improves coordination between agencies and external partners.


What is the Secure Government Email (SGE) framework all about?

We now know that SGE is a stricter and more modern approach to protecting government email communication. Let’s see what it actually entails and what it is that government organizations have to follow to be compliant:


For all domains that send emails

  • DMARC: This is the primary requirement laid out by the New Zealand Information Security Manual (NZISM). Under the SGE framework, organizations must implement DMARC with the policy set to p=reject, which tells receiving servers to reject messages that fail authentication. They should also enable DMARC reporting so they can keep track of any issues or suspicious activity.
  • SPF: For DMARC to work effectively, government agencies should also set up SPF (Sender Policy Framework) and make sure their SPF records end with “-all”, which tells the receiving server to reject any email that doesn’t come from an approved source.
  • DKIM: DomainKeys Identified Mail (DKIM) also plays a key role in strengthening the email ecosystem. It adds a digital signature to each outgoing message, which lets the receiver verify that the content hasn’t been altered in transit. Under the SGE framework, this signature should be applied at the last mail server before the message leaves the organization.
  • MTA-STS and TLS-RPT: With MTA-STS (Mail Transfer Agent Strict Transport Security), your organization can ensure that official email traffic travels only over secure, encrypted channels. Under SGE, agencies should set the policy mode to “enforce”. They must also turn on TLS-RPT (Transport Layer Security Reporting) to receive reports when there are issues with email encryption.
  • TLS: Transport Layer Security (TLS) is required for all email communication, with a minimum version of 1.2.
  • DLP: Since government agencies handle a lot of sensitive data, they need proper Data Loss Prevention (DLP) measures in place. This ensures that important information doesn’t get exposed or fall into the wrong hands, whether by mistake or otherwise.
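To make the MTA-STS and TLS-RPT requirements above concrete, here is an added Python example (not code from the original post or from DuoCircle) that checks an MTA-STS policy file of the kind served at https://mta-sts.<domain>/.well-known/mta-sts.txt and a TLS-RPT TXT record of the kind published at _smtp._tls.<domain>. The policy texts, the agency.example.nz hostnames and the report address are constructed; the “at least a day” max_age threshold is this example’s own sanity check, not an SGE rule.

```python
"""Validate an MTA-STS policy file and a TLS-RPT record against the SGE settings.
Added example with constructed inputs; it fetches nothing from the network."""


def parse_mta_sts_policy(text):
    """Parse the 'key: value' lines of an MTA-STS policy file into {key: [values]}."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def check_mta_sts(text):
    """SGE asks for mode: enforce; 'testing' only reports and still allows plaintext delivery."""
    fields = parse_mta_sts_policy(text)
    issues = []
    if fields.get("version") != ["STSv1"]:
        issues.append("MTA-STS: policy must declare version: STSv1")
    mode = fields.get("mode", ["<none>"])[0]
    if mode != "enforce":
        issues.append(f"MTA-STS: mode is '{mode}', SGE requires enforce")
    if not fields.get("mx"):
        issues.append("MTA-STS: at least one mx: line is required")
    # Threshold is this example's choice (RFC 8461 expects caching for weeks), not an SGE figure.
    max_age = fields.get("max_age", ["0"])[0]
    if not max_age.isdigit() or int(max_age) < 86400:
        issues.append("MTA-STS: max_age should be at least a day so senders cache the policy")
    return issues


def check_tls_rpt(record):
    """The TLS-RPT TXT record must be v=TLSRPTv1 with a rua= report destination."""
    tags = dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)
    issues = []
    if tags.get("v") != "TLSRPTv1":
        issues.append("TLS-RPT: missing v=TLSRPTv1")
    rua = tags.get("rua", "")
    if not (rua.startswith("mailto:") or rua.startswith("https://")):
        issues.append("TLS-RPT: rua= must name a mailto: or https: report destination")
    return issues


# Constructed policies: the weak setting beside the one SGE expects.
WEAK_POLICY = """version: STSv1
mode: testing
mx: mail.agency.example.nz
max_age: 3600
"""

ENFORCED_POLICY = """version: STSv1
mode: enforce
mx: mail.agency.example.nz
mx: *.mx.agency.example.nz
max_age: 604800
"""

TLS_RPT_RECORD = "v=TLSRPTv1; rua=mailto:tls-reports@agency.example.nz"

if __name__ == "__main__":
    print("weak policy:", check_mta_sts(WEAK_POLICY))
    print("enforced policy:", check_mta_sts(ENFORCED_POLICY) or "OK")
    print("TLS-RPT record:", check_tls_rpt(TLS_RPT_RECORD) or "OK")
```

An empty list means the artefact meets the settings described above; anything else is a finding to fix before the October deadline.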


For domains that don’t send emails

NZISM also lays down rules for domains that don’t send email at all, because attackers can still exploit them. So it’s important to secure every domain you own, not just the ones in use.

  • The SPF record should be set to ‘-all’ so that no one is allowed to send email from that domain.
  • The DKIM record should carry an empty placeholder public key, like “v=DKIM1; p=”, to prevent attackers from publishing their own key.
  • DMARC should also be set to the strictest level. The record should look like this: v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:<your email address>;
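The record rules for sending domains (under “For all domains that send emails” above) and for non-sending domains both come down to a few DNS TXT values that can be checked mechanically. The following Python is an added example, not the post’s or the AoGSD’s tooling: the records and the agency.example.nz names are constructed, and it does no DNS lookups, so it runs offline on whatever records you paste in.

```python
"""Check published SPF, DKIM and DMARC records against the SGE rules in this post.
Added example with constructed records; no DNS queries are made."""


def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """SPF must start with v=spf1 and end with the hard-fail qualifier -all."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    if terms[-1].lower() != "-all":
        return [f"SPF: last mechanism is '{terms[-1]}', SGE requires '-all'"]
    return []


def check_dmarc(record, non_sending=False):
    """Policy must be p=reject with an rua address; non-sending domains also need strict alignment."""
    tags = parse_tags(record)
    issues = []
    if tags.get("v") != "DMARC1":
        issues.append("DMARC: missing v=DMARC1")
    if tags.get("p") != "reject":
        issues.append(f"DMARC: p={tags.get('p', '<none>')}, SGE requires p=reject")
    if not tags.get("rua", "").startswith("mailto:"):
        issues.append("DMARC: rua= reporting address missing")
    if non_sending:
        for tag in ("adkim", "aspf"):
            if tags.get(tag) != "s":
                issues.append(f"DMARC: {tag}=s is required on a non-sending domain")
    return issues


def check_dkim_placeholder(record):
    """A non-sending domain publishes an empty key (p=) so nobody else can claim the selector."""
    tags = parse_tags(record)
    issues = []
    if tags.get("v") != "DKIM1":
        issues.append("DKIM: missing v=DKIM1")
    if "p" not in tags or tags["p"] != "":
        issues.append("DKIM: p= must be empty on a non-sending domain")
    return issues


def audit_domain(records, non_sending=False):
    """Collect every finding for one domain's records. An empty list means compliant."""
    issues = check_spf(records["spf"]) + check_dmarc(records["dmarc"], non_sending)
    if non_sending:
        issues += check_dkim_placeholder(records["dkim"])
    return issues


# Constructed records: a sending domain still on a softer policy, and a parked
# (non-sending) domain locked down exactly as the post describes.
SENDING_DOMAIN = {
    "spf": "v=spf1 include:_spf.example.nz ~all",
    "dmarc": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@agency.example.nz",
}
PARKED_DOMAIN = {
    "spf": "v=spf1 -all",
    "dkim": "v=DKIM1; p=",
    "dmarc": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@agency.example.nz;",
}

if __name__ == "__main__":
    for name, records, parked in (("sending", SENDING_DOMAIN, False), ("parked", PARKED_DOMAIN, True)):
        findings = audit_domain(records, parked)
        print(name, "OK" if not findings else findings)
```

The sending domain above fails on two points (a soft-fail “~all” and p=quarantine), which is exactly the gap most agencies will find when they first audit; the parked domain passes every check.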


Compliance Monitoring

Yes, setting up the SGE framework is crucial, but staying compliant is just as important. The AoGSD (All-of-Government Security Delivery) team is responsible for ensuring that this happens. They’ll regularly check whether agencies have the right settings in place, like SPF, DMARC, and MTA-STS; DKIM will be added to this list soon. With these checks, they keep tabs on every agency to ensure it is doing what needs to be done to secure its email communication.


What should you do next?

If you’re part of a government agency in New Zealand, this is the time to review your email security. Start by addressing the basics, like implementing SPF, DKIM, and DMARC. If you haven’t fully enforced DMARC yet, begin with a lenient policy and then gradually move to a stricter policy, such as “p=reject”. Also, don’t forget to turn on DMARC reporting so you can monitor what’s happening with your domain and catch any issues early.
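Moving from a lenient policy to p=reject is a decision you make from the aggregate (rua) reports the paragraph above says to turn on. Here is an added Python example, not from the original post, that summarises one such report and says whether the domain looks ready to tighten its policy. The XML is a constructed sample in the DMARC aggregate-report layout (one report per receiver, one record per sending IP), and the 98% pass-rate threshold is this example’s assumption, not an SGE figure.

```python
"""Summarise a DMARC aggregate (rua) report to judge readiness for p=reject.
Added example; the XML below is constructed, not a real receiver's report."""
import xml.etree.ElementTree as ET

# Constructed sample: three sources sending as agency.example.nz while the
# domain is still on p=none. The dkim/spf values under policy_evaluated are
# the aligned results the receiver computed.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver</org_name>
    <date_range><begin>1717200000</begin><end>1717286400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>agency.example.nz</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>agency.example.nz</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>30</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>agency.example.nz</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>agency.example.nz</header_from></identifiers>
  </record>
</feedback>
"""


def summarise_report(xml_text):
    """Tally aligned vs. failing messages and list the sources that p=reject would block."""
    root = ET.fromstring(xml_text)
    summary = {
        "domain": root.findtext("policy_published/domain"),
        "published_policy": root.findtext("policy_published/p"),
        "aligned": 0,
        "would_reject": 0,
        "failing_sources": {},
    }
    for record in root.iter("record"):
        row = record.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        if dkim == "pass" or spf == "pass":
            summary["aligned"] += count
        else:
            summary["would_reject"] += count
            summary["failing_sources"][ip] = summary["failing_sources"].get(ip, 0) + count
    total = summary["aligned"] + summary["would_reject"]
    summary["pass_rate"] = round(summary["aligned"] / total, 3) if total else 0.0
    return summary


def ready_for_reject(summary, min_pass_rate=0.98):
    """Example threshold only: tighten the policy once nearly all mail is aligned."""
    return summary["pass_rate"] >= min_pass_rate


if __name__ == "__main__":
    result = summarise_report(SAMPLE_REPORT)
    print(result)
    print("ready for p=reject:", ready_for_reject(result))
```

In the sample, 203.0.113.99 fails both checks, so it is either an unlisted legitimate sender that needs SPF/DKIM set up or a spoofer; either way the pass rate of about 77% says to investigate before moving past p=none.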

With October just around the corner, now is the right time to check your current setup, fix any gaps, and make sure your agency is fully aligned with the SGE requirements.

So, if you want to protect your email communications and sensitive data from attackers, contact us today!
