Secure Government Email

The New Zealand Government has introduced the Secure Government Email (SGE) Framework to guide agencies on securing external email using industry best practices. To implement SGE, DMARC at p=reject is now mandatory for all email-enabled domains, along with SPF, DKIM, and MTA-STS. 

While SEEMail worked for years, it had limits in scaling, working with external partners, and keeping up with modern email security standards. The new SGE framework aims to improve email security, minimize spoofing, and enable the retirement of the SEEMail (Secure Encrypted Email) service. You can view the official document for more information on this.

Deployment Timeline: By October 2025, all government agencies must upgrade their email security to meet the standards of this framework.

Key Takeaways

  • New Zealand mandates DMARC for government agencies under the SGE framework.
  • Agencies must retire SEEMail and fully adopt SGE by October 2025.
  • SPF, DKIM, MTA-STS, and TLS 1.2 are also required.
  • Early adoption reduces spoofing risks and ensures smooth compliance.
  • PowerDMARC offers automated tools and managed services to simplify New Zealand DMARC adoption and enforcement.

What Is the Secure Government Email (SGE) Framework?

Secure Government Email (SGE) is a New Zealand Government framework that protects email communication between government agencies and external partners. It follows the security guidelines set by the New Zealand Information Security Manual (NZISM) and is designed to protect information classified as sensitive. 

In simple terms, the SGE framework: 

  • Follows strict guidelines to protect sensitive information
  • Makes it harder for cyber attackers to spoof government domains
  • Improves the overall email information security 
  • Replaces the older SEEMail service 

Key Technical Requirements for Implementing SGE

The SGE implementation guide outlines the following critical requirements and deployment timelines for agencies: 

For All Email-Enabled Domains:

  • DMARC to prevent spoofing

DMARC implementation is now mandatory with policy set to p=reject, and DMARC reporting enabled. Strict SPF & DKIM alignment mode is recommended. 

  • SPF to authorize legitimate senders

SPF must be implemented, with the SPF record ending in -all (hardfail).

  • DKIM to prevent tampering

DKIM signing must be applied at the last MX server in the sending flow.

  • MTA-STS to enforce encryption in transit

MTA-STS must be implemented at “Enforce” policy, and TLS-RPT must be enabled for monitoring on encryption failures. 

  • TLS to secure session-level communication

TLS must be implemented with a minimum version of 1.2.

  • DLP to prevent unauthorized transmission of sensitive information

DLP implementation must follow agency requirements, aligned with NZISM. 

For Non-Sending Domains/Subdomains:

  1. Publish the SPF record: "v=spf1 -all"
  2. Publish the DKIM record: "v=DKIM1; p=" (an empty public key, so no signature from the domain can validate)
  3. Publish the DMARC record: "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:;" (with the agency's reporting address filled in after mailto:)
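The requirements in the two lists above, expressed as a checker. This is an added example, not from the SGE document or any PowerDMARC tool: it takes record text (constructed samples here; in practice fetched from DNS TXT records and the HTTPS-hosted MTA-STS policy file) and returns the gaps against the SGE bar for a sending domain and for a non-sending domain. example.govt.nz and the mailbox names are placeholders.

```python
# Added example, not from the SGE document or any PowerDMARC tool: checks record
# text against the SGE requirements above. Inputs are constructed samples; in
# practice they come from DNS TXT lookups and the HTTPS-hosted MTA-STS policy.
def parse_tags(record):  # 'tag=value; tag=value' records: DMARC, DKIM, TLS-RPT
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_findings(record, strict_alignment=False):
    t, findings = parse_tags(record), []  # an empty list means the record passes
    if t.get("v") != "DMARC1":
        findings.append("record is not v=DMARC1")
    if t.get("p") != "reject":
        findings.append("policy must be p=reject")
    rua = t.get("rua", "")
    if not rua.startswith("mailto:") or rua == "mailto:":
        findings.append("reporting (rua=mailto:...) must be enabled")
    # adkim/aspf default to relaxed; SGE recommends strict and uses it for non-senders
    if strict_alignment and (t.get("adkim", "r") != "s" or t.get("aspf", "r") != "s"):
        findings.append("adkim=s and aspf=s required")
    return findings

def sending_domain_findings(spf, dmarc, sts_policy, tlsrpt):
    findings = dmarc_findings(dmarc)
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1" or terms[-1] != "-all":
        findings.append("SPF must end in -all (hardfail)")
    sts = dict(line.split(":", 1) for line in sts_policy.splitlines() if ":" in line)
    sts = {k.strip().lower(): v.strip() for k, v in sts.items()}  # RFC 8461 format
    if sts.get("version") != "STSv1" or sts.get("mode") != "enforce":
        findings.append("MTA-STS policy must be mode: enforce")
    rpt = parse_tags(tlsrpt)
    if rpt.get("v") != "TLSRPTv1" or not rpt.get("rua"):
        findings.append("TLS-RPT record with rua must be published")
    return findings

def non_sending_findings(spf, dkim, dmarc):
    findings = dmarc_findings(dmarc, strict_alignment=True)
    if spf.split() != ["v=spf1", "-all"]:
        findings.append("SPF must be exactly 'v=spf1 -all'")
    dkim = parse_tags(dkim)
    if dkim.get("v") != "DKIM1" or dkim.get("p") != "":
        findings.append("DKIM record must publish an empty key (p=)")
    return findings

# Constructed sample records; example.govt.nz and the mailboxes are placeholders.
SAMPLE_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.govt.nz"
SAMPLE_STS = "version: STSv1\nmode: enforce\nmx: mail.example.govt.nz\nmax_age: 604800"
```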

Compliance Monitoring

For the SGE framework, the AoGSD oversees the implementation and compliance monitoring. The AoGSD team will monitor how well agencies follow the new email security framework. This includes checking settings like SPF, DMARC, and MTA-STS, with DKIM to be added later.

How It Impacts Government Agencies 

Here’s how the transition to the SGE framework will affect government agencies:

  1. SEEMail replacement: SEEMail must be retired; agencies must adopt the new SGE Framework model
  2. Modernization: Transition to open-standard, and scalable email security solutions
  3. Enhanced domain security: Early adoption can reduce spoofing and phishing attacks
  4. Secure external communications: Ensures sensitive information is protected when communicating with external partners
  5. Improved Compliance: Aligns agency practices with NZISM controls and national security standards
  6. Operational Efficiency: Proactive implementation minimizes disruption and supports broader digital transformation initiatives

SEEMail vs. SGE

Purpose
  SEEMail: Secure encrypted email within NZ government agencies
  SGE: Standards-based secure email for internal and external communication

Authentication Protocols
  SEEMail: Not consistently implemented
  SGE: DMARC (p=reject), SPF, DKIM with strict alignment enforced

Encryption in Transit
  SEEMail: Proprietary encryption via SEEMail infrastructure
  SGE: MTA-STS with TLS 1.2+ encryption required

Interoperability
  SEEMail: Limited to SEEMail-participating agencies
  SGE: Compatible with external partners and modern email systems

Email Visibility
  SEEMail: Limited visibility and reporting
  SGE: Full visibility via DMARC reports and TLS-RPT

Compliance Monitoring
  SEEMail: Centralized but narrow in scope
  SGE: AoGSD monitors for compliance across all email security settings

Deployment Model
  SEEMail: Centralized encrypted email platform
  SGE: Decentralized, open-standard, domain-level policy enforcement

Status
  SEEMail: Legacy system, being phased out
  SGE: Mandatory implementation by October 2025

How PowerDMARC Supports This Transition 

PowerDMARC supports and simplifies this transition for New Zealand public sector agencies through managed DMARC deployment services.

The SGE framework requires rigorous policy enforcement, which, while beneficial, can cause deliverability issues if done incorrectly.

We help you: 

  • Set up DMARC, SPF, DKIM, and MTA-STS easily through automated tools 
  • Enforce DMARC policies safely without breaking deliverability

  • Pass SPF and DKIM alignments
  • Monitor your email traffic through easy-to-read reports 

Get Started Today

PowerDMARC works with government agencies around the world to meet local and international security standards. Contact us today to begin your SGE compliance journey with confidence!

*** This is a Security Bloggers Network syndicated blog from PowerDMARC authored by Ahona Rudra. Read the original post at: https://powerdmarc.com/new-zealand-secure-government-email/
