Half of Australian Government Organisations Fall Short on Basic Cybersecurity Measures
Lack of consistency across Australian Government bodies leaves critical vulnerabilities in the public sector and exposes the Australian public to risks of email fraud
SYDNEY, Australia – 24 July 2025 – Proofpoint, Inc., a leading cybersecurity and compliance company, has found that 50% of Australian Government bodies are lagging on basic cybersecurity measures, subjecting the Australian public, government workers, professionals, and other stakeholders to higher risk of email fraud.
These new findings are based on a Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis of 155 primary bodies in the Australian Government, spanning the likes of Defence, Home Affairs, Foreign Affairs and Trade, Education, Employment and Workplace Relations, Social Services, Climate Change, Energy, the Environment and Water, Treasury, and Finance. Many of these bodies hold substantial data on the Australian population, plus vital information related to Australia’s security. DMARC is an email validation protocol designed to protect domain names from being misused by cyber criminals, authenticating senders' identities before allowing a message to reach its intended destination. It has three levels of protection – monitor, quarantine, and reject – with reject being the most secure, as it prevents suspicious emails from ever reaching an inbox.
The latest study reveals that while 99% of Australian Government bodies use some form of DMARC protection, only half of them have deployed the strongest ‘Reject’ policy. Alarmingly, 1% of Australian Government bodies have no DMARC record at all, leaving them wide open to email fraud and domain spoofing attacks.
The analysis follows ASIO's 2025 Annual Threat Assessment which reports that Australian infrastructure has been routinely targeted by threat actors throughout the past year, with predictions that cyber-enabled sabotage presents an acute concern for Australia, outweighing traditional physical threats. This urgency is underscored by a recent NSW Audit, which found that 27 government agencies in the state reported 152 "significant" cyber threats in 2024, and alarmingly, nearly 30% of local council staff are lacking basic cyber awareness training.
"Government entities are prime targets for cyber adversaries, so this vital gap in cybersecurity measures is surprising and alarming amidst recent large-scale breaches in Australia," warns Steve Moros, Senior Director, Advanced Technology Group, Asia Pacific and Japan at Proofpoint. "While it's encouraging to see half of Australian Government bodies employing the highest level of DMARC protection, it is concerning to see 50% are still failing to strengthen their defences against email-based threats. Given the increasingly complex threat landscape and geopolitical situation, getting the basics of cybersecurity right must be a top priority to protect government data and the Australian public, and therefore making decisions to implement proven technologies is a fundamental step to improve cyber posture."
Email remains a primary vector for cyberattacks, with phishing and impersonation schemes constantly evolving. DMARC authentication detects and prevents email spoofing techniques used in phishing, business email compromise (BEC), and other email-based attacks. DMARC, when fully implemented, provides a critical layer of defence by ensuring that only legitimate emails from an organisation's domain reach their intended recipients. DMARC stands as the only widely deployed technology that makes the sender’s “From” address trustworthy in email communications.
"We're seeing a decisive move in this direction across the pond, where the New Zealand government is mandating DMARC enforcement for all government domains under its Secure Government Email (SGE) Framework. Due to come into force in October, it will ensure a consistent, high level of email authentication, directly countering impersonation and phishing threats that are increasing at scale and sophistication. As the cyber landscape continues to evolve, the consideration of comparable measures by other governments could enhance the necessary resilience of public sector communications, protecting critical data, and sustaining public confidence," explains Steve Moros.
The full findings of Proofpoint's DMARC analysis of Australia’s Government agencies show:
- 50% of Australian Government entities have implemented the highest DMARC protection level: Reject.
- 35% have a Quarantine policy, meaning suspicious emails are sent to a spam folder.
- 14% have a Monitor policy, which only tracks DMARC activity without blocking or quarantining emails.
- 1% have no DMARC record at all.
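To make the four buckets above concrete, here is an added example (not Proofpoint's tooling or part of the original release) that classifies published DMARC TXT records into reject, quarantine, monitor or no record. The domain names and records are constructed, and the example goes one step beyond the release by honouring the pct= tag, since a record can say p=reject while enforcing nothing.

```python
from collections import Counter

# Constructed sample answers for _dmarc.<domain> TXT lookups (not real data).
SAMPLE_RECORDS = {
    "agency-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example",
    "agency-b.example": "v=DMARC1; p=quarantine; pct=100; adkim=s; aspf=s",
    "agency-c.example": "v=DMARC1; p=none; rua=mailto:reports@agency-c.example",
    "agency-d.example": None,                                # nothing published
    "agency-e.example": "v=spf1 include:_spf.example -all",  # SPF, not DMARC
    "agency-f.example": "v=DMARC1; p=reject; pct=0",         # reject in name only
}

# The study's three policy levels, keyed by the DMARC p= tag value.
BUCKETS = {"reject": "reject", "quarantine": "quarantine", "none": "monitor"}

def parse_dmarc(record):
    """Split a DMARC TXT record into tags; return {} if it is not a valid DMARC record."""
    if not record:
        return {}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # RFC 7489: v=DMARC1 must be the first tag (exact match) and p= is mandatory.
    if not record.strip().startswith("v=DMARC1") or "p" not in tags:
        return {}
    return tags

def classify(record):
    """Map one record onto the study's buckets using the published p= tag."""
    return BUCKETS.get(parse_dmarc(record).get("p", "").lower(), "no record")

def effective_policy(record):
    """Like classify(), but honour pct=: enforcement applies to only that share
    of failing mail, and pct=0 leaves the domain in monitor mode whatever p= says."""
    tags = parse_dmarc(record)
    bucket = classify(record)
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100
    if bucket in ("reject", "quarantine") and pct < 100:
        return "monitor" if pct == 0 else f"{bucket} ({pct}%)"
    return bucket

def summarise(records):
    """Count effective policies across a set of domains, as the study reports."""
    return Counter(effective_policy(rec) for rec in records.values())
```

Running summarise() over real answers from a DNS resolver for your own domains gives the same breakdown the release reports, with partially enforced records called out separately.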
Best Practices for Enhanced Email Security:
- Check the validity of all email communication and be aware of potentially fraudulent emails impersonating colleagues, suppliers, and stakeholders.
- Be cautious of any communication attempts that request log-in credentials or threaten to suspend service or an account if a link isn’t clicked.
- Adopt phishing-resistant multifactor authentication, such as passkeys.
This analysis was conducted in June 2025 using data from 155 primary bodies on the Australian Government Organisations Register.
###
About Proofpoint, Inc.
Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organizations of all sizes, including 85 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at www.proofpoint.com.
Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.