New Zealand moves to mandate DMARC enforcement

Executive summary: New Zealand’s Secure Government Email Framework mandates DMARC at p=reject—plus hard-fail SPF, universal DKIM, enforced MTA-STS, and TLS-RPT—by October 2025. The rules replace SEEMail, curb soaring phishing losses, and will affect every organization that emails the public sector.

Key takeaways:

  • Hard deadline: All government domains must reach DMARC p=reject and supporting controls by Oct 2025.
  • Full stack: SPF “-all,” DKIM signing, MTA-STS enforcement, and TLS reporting now sit alongside DMARC.
  • Wider impact: Suppliers and partners must align or risk bounced mail and a reputational hit.

The New Zealand Government has recently published the Secure Government Email (SGE) Common Implementation Framework, a blueprint that includes Domain-based Message Authentication, Reporting & Conformance (DMARC) as a new mandatory step across the public sector. The move replaces the legacy SEEMail gateway (being decommissioned in 2026) with open standards that stop spoofing at the source and aligns New Zealand with global leaders such as the UK and the US.

Why DMARC and why now?

Email remains the number one attack vector for phishing and Business Email Compromise (BEC). New Zealand CERT figures show year-on-year growth in domain-spoofing incidents, costing citizens and agencies $1.6 billion in 2024. By mandating DMARC enforcement at p=reject, the SGE framework shuts the door on fraudulent messages before they ever reach an inbox, protecting public trust and safeguarding critical services.

Check your record now!

Check your current DMARC, SPF and DKIM record for free with Red Sift Investigate.

MTA-STS gets its own requirement

MTA-STS lets a receiving domain publish a policy requiring sending mail servers to keep each SMTP connection encrypted, blocking any attempt to fall back to plaintext. That stance stops STARTTLS-stripping man-in-the-middle attacks designed to force messages into the open for interception. Under the policy, the sending server also verifies the receiving server's MX hostname and TLS certificate, confirming that mail is handed to the legitimate domain instead of being quietly diverted elsewhere.

Moving forward, MTA-STS records must be defined and set to enforce from October 2025.

What the Secure Email Framework requires

| Control | Minimum setting | Deadline* |
|---|---|---|
| SPF | Must end with a hardfail -all | October 2025 |
| DKIM | All outbound email from all sending services must be DKIM signed | October 2025 |
| DMARC | DMARC needs to be set to p=reject on all email-enabled domains. Inbound emails must be checked for DMARC compliance and acted on based on the sending domain's DMARC policy. | October 2025 |
| MTA-STS | An MTA-STS record must be defined and set to enforce. | October 2025 |
| TLS Reporting | All email sending domains must have TLS Reporting enabled. | October 2025 |

*All agencies should have lifted their email security standards to be in line with this framework.
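The minimum settings in the table can be checked mechanically. The following is an added example (not part of the original article or of Red Sift's tooling) that evaluates DNS TXT records and an MTA-STS policy file against those settings; the function names, the hypothetical domain agency.example, the selector sel1 and all sample records are constructed assumptions.

```python
def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DMARC, DKIM, MTA-STS and TLS-RPT records."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def parse_sts_policy(text):
    """Parse the 'key: value' lines of the policy file served at /.well-known/mta-sts.txt."""
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def one(txt, name, prefix):
    """Return the single TXT record at `name` starting with `prefix`; none or duplicates give None."""
    hits = [r for r in txt.get(name, []) if r.lower().startswith(prefix)]
    return hits[0] if len(hits) == 1 else None

def check_domain(txt, sts_policy, dkim_selectors):
    """txt maps record names relative to the domain ('' is the apex) to lists of TXT strings."""
    spf = one(txt, "", "v=spf1")
    dmarc = parse_tags(one(txt, "_dmarc", "v=dmarc1") or "")
    sts_txt = parse_tags(one(txt, "_mta-sts", "v=stsv1") or "")
    tlsrpt = parse_tags(one(txt, "_smtp._tls", "v=tlsrptv1") or "")
    # The v= tag is optional in DKIM key records, so accept any single TXT record at the selector.
    dkim = [parse_tags(one(txt, f"{s}._domainkey", "") or "") for s in dkim_selectors]
    return {
        "SPF": bool(spf) and spf.split()[-1].lower() == "-all",
        # DNS only shows that each selector publishes a key (an empty p= means revoked),
        # not that every outbound message is actually signed.
        "DKIM": bool(dkim) and all(d.get("p") for d in dkim),
        "DMARC": dmarc.get("p", "").lower() == "reject",
        "MTA-STS": bool(sts_txt.get("id")) and parse_sts_policy(sts_policy).get("mode") == "enforce",
        "TLS-RPT": bool(tlsrpt.get("rua")),
    }

# Constructed sample data for the hypothetical domain agency.example
SAMPLE_TXT = {
    "": ["v=spf1 include:_spf.agency.example ~all"],  # softfail: below the minimum
    "_dmarc": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@agency.example"],
    "_mta-sts": ["v=STSv1; id=20250601000000"],
    "_smtp._tls": ["v=TLSRPTv1; rua=mailto:tlsrpt@agency.example"],
    "sel1._domainkey": ["v=DKIM1; k=rsa; p=CONSTRUCTEDPLACEHOLDERKEY"],
}
SAMPLE_POLICY = "version: STSv1\nmode: testing\nmx: mail.agency.example\nmax_age: 86400\n"

if __name__ == "__main__":
    for control, ok in check_domain(SAMPLE_TXT, SAMPLE_POLICY, ["sel1"]).items():
        print(f"{control:8} {'meets minimum' if ok else 'BELOW MINIMUM'}")
```

A record set that is missing, or published twice at the same name, is reported as below the minimum, since receivers treat duplicate SPF or DMARC records as invalid.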

The ripple effect for every inbox

Although the mandate targets government domains, its impact extends far beyond. Vendors, councils, tertiary institutes, and NGOs that email the public sector will see stricter filtering in Outlook, Gmail, and NZ-hosted mail systems. Adopting DMARC early ensures deliverability and brand integrity when communicating with citizens and partners.

Five-step action plan to reach p=reject fast

  1. Discover every domain – Partnering with a dedicated DMARC provider like Red Sift gives you full visibility into every primary, secondary, and legacy domain, including parked or redirect records.
  2. Align SPF & DKIM – With Red Sift OnDMARC, you can ensure all legitimate senders are authorised and signing correctly; remove redundancies.
  3. Start with p=none, then quarantine, then reject – Graduate through DMARC policies with ease, reaching DMARC enforcement p=reject in just 6-8 weeks.
  4. Monitor to stay ahead – Ensure you stay protected with Red Sift OnDMARC’s dashboard that highlights unknown sources, forwarding failures, and shadow IT.
  5. Optimized AI for faster resolution – Our built-in LLM capability, Red Sift Radar, finds and fixes issues 10x faster, reducing time, costs and headcount.

How Red Sift OnDMARC accelerates compliance

Red Sift has helped thousands of organizations and many government departments (including in New Zealand) deploy DMARC quickly and safely. 

Whether you’re a government domain owner or a supplier who can’t risk lost emails, Red Sift OnDMARC gets you to full compliance, with ongoing support from our award-winning Customer Success team. Schedule a quick demo today and see how we turn New Zealand’s Secure Email Framework into a competitive advantage for your organization.

PUBLISHED BY

Jack Lilley

27 May. 2025
