In a noble move to bolster national cybersecurity, the New Zealand Government has mandated the adoption of Domain-based Message Authentication, Reporting, and Conformance (DMARC) across all government agencies. This initiative is part of the newly introduced Secure Government Email (SGE) Common Implementation Framework. Its goal is to modernise and standardise email security practices across the public sector.
In fact, Google, Yahoo, and Apple made the trend towards mandatory email authentication clear last year. Earlier this year (April 2025), Microsoft announced new authentication requirements for high-volume emails from their Outlook consumer domains.
Email remains the top vector for cyberattacks, with phishing and spoofing attacks causing an estimated $1.6 billion in damages in New Zealand in 2024 alone. The SGE Framework is designed to:
- Prevent unauthorised use of government domains
- Protect New Zealand citizens from fraudulent emails
- Retire the outdated SEEMail (Secure Encrypted Email) service
- Align with international cybersecurity best practices
While DMARC is already well-known among government IT professionals, the SGE Framework raises the bar with stricter policies, mandatory reporting, and encryption requirements.
When configured with a “p=reject” policy and strict alignment, DMARC ensures that only verified senders (including users and applications) can send on behalf of your domain. But it also demands a high degree of accuracy in your domain configuration; get it wrong and you risk service interruptions.
This shift means DMARC is no longer optional or experimental. It’s a critical infrastructure requirement, affecting every service that sends email, from procurement systems to payroll.
Key requirements under the SGE Framework
By October 2025, all New Zealand government agencies must comply with the following. While the mandate applies directly to agencies, organisations that communicate with them should align their practices to ensure reliable email deliverability.
- DMARC. Must be set to p=reject for all domains, with strict alignment (adkim=s) recommended. This ties SPF and DKIM together under a published policy and requires aggregate reporting, which in practice means a DMARC reporting tool is required.
- SPF. Sender policy framework records must end with -all (hard fail) to ensure only authorised servers and services can send messages from your domain.
- DKIM. All outbound emails must be signed with DomainKeys Identified Mail, which provides limited non-repudiation and ensures messages are not altered in transit.
- MTA-STS. Mail Transfer Agent Strict Transport Security must be enabled, enforcing encryption on all inbound messages from supported sending domains.
- TLS. Session-level encryption with a minimum version of TLS 1.2 must be used for all email communications.
- TLS-RPT. TLS reporting must be enabled to monitor encryption failures.
- DLP. Data loss prevention controls must align with the NZ Information Security Manual (NZISM), ensuring that messages marked with a classification higher than IN-CONFIDENCE are blocked.
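The DNS-visible requirements above (DMARC policy and reporting, SPF hard fail, MTA-STS enforce mode, TLS-RPT reporting) can be checked mechanically before an enforcement change goes live. The following is an added example, not Proofpoint tooling or reference code from the SGE Framework; the records and the agency.example.govt.nz domain are constructed, and the TLS-version and DLP requirements are out of scope because they are not visible in DNS.

```python
# Added example: check DNS/policy strings against the SGE mail-authentication rules.
def _fields(text, item_sep, kv_sep):
    """Parse 'k=v; k=v' (DMARC, TLS-RPT) or 'k: v' per line (MTA-STS) into a dict."""
    pairs = (p.split(kv_sep, 1) for p in text.split(item_sep) if kv_sep in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_dmarc(record):
    t, findings = _fields(record, ";", "="), []
    if t.get("v") != "DMARC1":
        return ["DMARC: record missing or not v=DMARC1"]
    if t.get("p") != "reject":
        findings.append(f"DMARC: p={t.get('p', 'none')}, framework requires p=reject")
    if t.get("adkim", "r") != "s":  # DMARC defaults to relaxed DKIM alignment
        findings.append("DMARC: adkim not strict (adkim=s recommended)")
    if not t.get("rua", "").startswith("mailto:"):
        findings.append("DMARC: no rua= address, so no aggregate reporting")
    return findings

def check_spf(record):
    terms = record.lower().split()
    if terms[:1] != ["v=spf1"]:
        return ["SPF: record missing or not v=spf1"]
    # The final mechanism must be -all (hard fail); ~all or ?all do not qualify.
    return [] if terms[-1] == "-all" else [f"SPF: ends with {terms[-1]!r}, requires -all"]

def check_mta_sts(policy):
    pol = _fields(policy, "\n", ":")
    if pol.get("version") != "STSv1":
        return ["MTA-STS: policy missing or not STSv1"]
    return [] if pol.get("mode") == "enforce" else [f"MTA-STS: mode={pol.get('mode')}, requires enforce"]

def check_tlsrpt(record):
    t = _fields(record, ";", "=")
    ok = t.get("v") == "TLSRPTv1" and t.get("rua", "").startswith(("mailto:", "https:"))
    return [] if ok else ["TLS-RPT: no TLSRPTv1 record with a rua= reporting address"]

def check_domain(dmarc, spf, mta_sts, tlsrpt):
    """All findings for one domain; an empty list means the four checks pass."""
    return check_dmarc(dmarc) + check_spf(spf) + check_mta_sts(mta_sts) + check_tlsrpt(tlsrpt)

# Constructed records for a hypothetical agency.example.govt.nz domain (not real data).
COMPLIANT = dict(
    dmarc="v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@agency.example.govt.nz",
    spf="v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
    mta_sts="version: STSv1\nmode: enforce\nmx: mail.agency.example.govt.nz\nmax_age: 604800",
    tlsrpt="v=TLSRPTv1; rua=mailto:tlsrpt@agency.example.govt.nz")
WEAK = dict(COMPLIANT, dmarc="v=DMARC1; p=quarantine; pct=50",
            spf="v=spf1 include:_spf.example.net ~all",
            mta_sts="version: STSv1\nmode: testing\nmx: mail.agency.example.govt.nz\nmax_age: 86400")
```

Running `check_domain(**WEAK)` lists five findings (three for DMARC, one each for SPF and MTA-STS), while `check_domain(**COMPLIANT)` returns an empty list.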
Challenges and considerations
While the mandate directly targets New Zealand government agencies, its ripple effects extend to:
- Vendors and suppliers
- Local councils and NGOs
- Educational institutions
- Any organisation sending email to or using government domains
Non-compliant emails risk being blocked, quarantined, or flagged as spam, so deliverability can suffer: recipients may never see messages from a domain that is not compliant. This is particularly important for domains representing agencies that send high volumes of user or application email.
In addition to deliverability, there are other challenges that come with implementing email authentication. Even with a seasoned team, DMARC deployment at scale is complex. Common challenges include:
- Legitimate services being blocked due to misaligned SPF/DKIM
- Project slowdowns due to lack of internal coordination
- Limited visibility into third-party senders or shadow IT
- Unexpected authentication failures from dynamic mail flows, such as marketing, ticketing and customer relationship management (CRM) systems
How Proofpoint can help
New Zealand’s DMARC mandate is a necessary step toward a more secure and trustworthy digital government. By enforcing strict email authentication standards, the country is not only protecting its agencies but also setting a strong example for others to follow.
Proofpoint is the industry leader in DMARC deployment. Many of the world’s largest companies and government organisations turn to our proven experts to secure user and application emails. Proofpoint provides more than just tools to help you understand email authentication, deliverability, and supplier risk. The true advantage of working with us is the expert guidance offered by our experienced consultants who have been on the DMARC journey with others, including multiple state government rollouts across Australia.
“We found the expertise offered by Proofpoint consultants to be very valuable. Having someone who has implemented DMARC for a variety of different businesses and has already worked with and understands various email marketing vendors was key to putting email fraud defence in place at scale.” – Healthcare organisation
Learn more
- Read our guide on Getting Started with DMARC.
- Request an Email Deliverability Assessment for your organisation.
- Watch our recent webinar “Strengthening New Zealand Government Email” on-demand.