ChannelLife New Zealand - Industry insider news for technology resellers
New Zealand mandates DMARC enforcement to secure government email

Thu, 12th Jun 2025

The New Zealand Government has mandated the implementation of DMARC at p=reject for all government email domains as part of a new Secure Government Email (SGE) framework.

The SGE initiative is designed to strengthen the security of email communications across the country's public sector, replacing the previous SEEMail system with a standards-based and scalable solution. The move forms part of an effort to reduce the threat of phishing, domain spoofing, and other attacks targeting government services and sensitive data.

According to the technical requirements outlined under the SGE framework, agencies are required to operationalise SPF with strict policies, DKIM signing at the final sending server, DMARC at enforcement with full reporting enabled, and to implement MTA-STS at Enforce mode with TLS-RPT enabled. Encrypted email sessions must be secured using TLS 1.2 or higher, and sensitive data must be protected through Data Loss Prevention (DLP) measures. Agencies must conform to these protocols by October 2025 and align their practices with the New Zealand Information Security Manual (NZISM).
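The SPF, DMARC, MTA-STS and TLS-RPT controls listed above can be checked mechanically once a domain's published records have been retrieved. The Python below is an added example, not part of the SGE framework or of any vendor's tooling; the agency.example names and all record values are constructed, and reading "strict" SPF as a hard-fail -all terminator is an assumption.

```python
# Added example: audit a domain's published records against the SGE control list.
def parse_tags(record):
    """Split a 'k=v; k=v' TXT record (DMARC, TLS-RPT) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(domain):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Assumption: "strict" SPF is read as a hard-fail "-all" terminator.
    spf = domain.get("spf", "")
    if not spf.lower().startswith("v=spf1"):
        findings.append("SPF: no v=spf1 record")
    elif spf.split()[-1].lower() != "-all":
        findings.append("SPF: record does not end in -all")
    # DMARC at enforcement (p=reject) with aggregate reporting (rua).
    dmarc = parse_tags(domain.get("dmarc", ""))
    if dmarc.get("p", "").lower() != "reject":
        findings.append("DMARC: policy is p=%s, not p=reject" % dmarc.get("p", "(missing)"))
    if not dmarc.get("rua"):
        findings.append("DMARC: no rua= reporting address")
    # MTA-STS policy file (key: value lines) must declare mode: enforce.
    policy = domain.get("mta_sts_policy", "")
    sts = dict(line.split(":", 1) for line in policy.splitlines() if ":" in line)
    mode = sts.get("mode", "(missing)").strip()
    if mode != "enforce":
        findings.append("MTA-STS: mode is %s, not enforce" % mode)
    # TLS-RPT record must exist and name a reporting address.
    tls_rpt = parse_tags(domain.get("tls_rpt", ""))
    if tls_rpt.get("v") != "TLSRPTv1" or not tls_rpt.get("rua"):
        findings.append("TLS-RPT: record missing or has no rua= address")
    return findings

# Constructed sample records: one fully configured domain, one partial rollout.
COMPLIANT = {
    "spf": "v=spf1 include:_spf.agency.example -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@agency.example",
    "mta_sts_policy": "version: STSv1\nmode: enforce\nmx: mx.agency.example\nmax_age: 604800",
    "tls_rpt": "v=TLSRPTv1; rua=mailto:tls-reports@agency.example",
}
PARTIAL = dict(COMPLIANT, spf="v=spf1 include:_spf.agency.example ~all",
               dmarc="v=DMARC1; p=quarantine", tls_rpt="",
               mta_sts_policy="version: STSv1\nmode: testing\nmx: mx.agency.example\nmax_age: 86400")

if __name__ == "__main__":
    for name, records in (("compliant", COMPLIANT), ("partial", PARTIAL)):
        print(name, audit(records) or "all checks passed")
```

DKIM signing and the TLS 1.2 minimum are properties of the sending server and the live SMTP session, so they are not visible in these records and are not covered here.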

Compliance across agencies

The DMARC mandate extends to all government departments, ministries, and agencies that operate email domains, irrespective of whether they send or only receive emails. Agencies that have yet to introduce DMARC and the supporting authentication protocols have been directed to begin audit and implementation processes to satisfy the compliance requirements by the deadline. Those with partial implementations are expected to upgrade policies and introduce continuous monitoring.

The intended outcome of the mandate is to substantially reduce phishing attempts, identity impersonation, and other forms of email-based fraud that target government entities and members of the public. By ensuring that only authenticated emails are delivered, the SGE framework aims to shore up trust in official government correspondence and safeguard citizen data.

Support for transition

PowerDMARC, an email authentication and domain protection platform, has pledged to support New Zealand government agencies in the transition to the new SGE framework. The platform provides tools for the automated deployment of DMARC, SPF, DKIM, MTA-STS, and reporting protocols, coupled with detailed monitoring services to streamline compliance and mitigate the risk of email spoofing.

PowerDMARC says that its solution offers automated policy enforcement, real-time alerts, and guidance closely aligned with NZISM standards. This, the company argues, can help agencies meet new requirements efficiently and securely, without imposing significant additional burdens on internal IT and security teams.

"The shift to SGE marks a critical upgrade in securing New Zealand's public sector communications. With proven email authentication expertise and NZISM-aligned controls, PowerDMARC simplifies this complex transition with automation, real-time visibility, and hands-on support. We help agencies meet compliance faster, reduce spoofing risks, and safeguard sensitive data without straining internal resources," said Maitham Al Lawati, CEO of PowerDMARC.

The SGE policy mandates DMARC in p=reject mode, requiring that any emails failing DMARC checks are actively rejected, rather than being quarantined or allowed through for further examination. This measure is recognised industry-wide as the most stringent standard for sender authentication, reflecting the government's prioritisation of email security.

Phishing and spoofing reduction

Email continues to represent a significant threat vector for phishing, social engineering, and domain impersonation attacks. These tactics are commonly leveraged to bypass perimeter security controls, access sensitive government information, or undermine public trust in official communications. By adopting the SGE's suite of authentication controls and encryption standards, the government aims to eliminate a broad set of vulnerabilities currently present in email transactions.

Government agencies across New Zealand now face a period of audit, upgrade, and testing to ensure all requirements are met ahead of the October 2025 enforcement deadline. Ongoing monitoring and reporting will be critical to maintaining compliance and responding to future email-based threats as tactics and technologies continue to evolve.
