New Zealand moves to mandate DMARC enforcement

Executive summary: New Zealand’s Secure Government Email Framework mandates DMARC at p=reject—plus hard-fail SPF, universal DKIM, enforced MTA-STS, and TLS-RPT—by October 2025. The rules replace SEEMail, curb soaring phishing losses, and affect every organization that emails the public sector.

Key takeaways:

  • Hard deadline: All government domains must reach DMARC p=reject and supporting controls by Oct 2025.
  • Full stack: SPF “-all,” DKIM signing, MTA-STS enforcement, and TLS reporting now sit alongside DMARC.
  • Wider impact: Suppliers and partners must align or risk bounced mail and a reputational hit.

The New Zealand Government has recently published the Secure Government Email (SGE) Common Implementation Framework, a blueprint that includes Domain-based Message Authentication, Reporting & Conformance (DMARC) as a new mandatory step across the public sector. The move replaces the legacy SEEMail gateway (being decommissioned in 2026) with open standards that stop spoofing at the source and align New Zealand with global leaders such as the UK and the US.

Why DMARC and why now?

Email remains the number one attack vector for phishing and Business Email Compromise (BEC). New Zealand CERT figures show year-on-year growth in domain-spoofing incidents, costing citizens and agencies $1.6 billion in 2024. By mandating DMARC enforcement at p=reject, the SGE framework shuts the door on fraudulent messages before they ever reach an inbox, protecting public trust and safeguarding critical services.

MTA-STS gets its own requirement

MTA-STS lets a receiving domain publish a policy that requires sending servers to keep each SMTP connection encrypted, blocking any attempt to fall back to plaintext. That stance stops STARTTLS-stripping man-in-the-middle attacks designed to force messages into the open for interception. The sending server also verifies the receiving server’s MX records and TLS certificate, confirming that mail is handed to the legitimate domain instead of being quietly diverted elsewhere.

Moving forward, MTA-STS records must be defined and set to enforce from October 2025.

What the Secure Email Framework requires

| Control | Minimum setting | Deadline* |
| --- | --- | --- |
| SPF | Must end with a hard-fail -all | October 2025 |
| DKIM | All outbound email from all sending services must be DKIM signed | October 2025 |
| DMARC | DMARC needs to be set to p=reject on all email-enabled domains. Inbound emails must be checked for DMARC compliance and acted on based on the sending domain's DMARC policy. | October 2025 |
| MTA-STS | An MTA-STS record must be defined and set to enforce. | October 2025 |
| TLS Reporting | All email sending domains must have TLS Reporting enabled. | October 2025 |

*All agencies should have lifted their email security standards to be in line with this framework.
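
As an added example (not part of the original article or of the framework itself), the Python sketch below audits a domain's published records against the minimum settings in the table above, including the MTA-STS enforce mode described earlier. The domain example.govt.nz, the selector sel1, all record values, and the function names are constructed for illustration; whether every outbound message is DKIM signed cannot be read from DNS, so that check only confirms a non-revoked key is published.

```python
# Added example. Every record below is a constructed sample for the
# placeholder domain example.govt.nz; nothing is fetched from DNS.

def tags(record):
    """Parse a 'k=v; k=v' TXT record (DMARC, MTA-STS, TLS-RPT, DKIM key)."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def policy_file(text):
    """Parse the 'key: value' file served at /.well-known/mta-sts.txt."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key.strip() == "mx":
            policy["mx"].append(value.strip())
        else:
            policy[key.strip()] = value.strip()
    return policy

def audit(txt, sts_file):
    """txt maps record names to TXT strings; returns {control: bool}."""
    spf = txt.get("@", "").lower().split()
    dmarc, sts, rpt = (tags(txt.get(n, "")) for n in ("_dmarc", "_mta-sts", "_smtp._tls"))
    pol = policy_file(sts_file)
    # A DKIM key record with an empty p= is a revoked key, so it does not count.
    dkim = [n for n, r in txt.items() if n.endswith("._domainkey") and tags(r).get("p")]
    return {
        "SPF": spf[:1] == ["v=spf1"] and spf[-1] == "-all",
        "DKIM key published": bool(dkim),
        "DMARC": dmarc.get("v") == "DMARC1" and dmarc.get("p", "").lower() == "reject",
        "MTA-STS": sts.get("v") == "STSv1" and bool(sts.get("id"))
                   and pol.get("mode") == "enforce" and bool(pol["mx"]),
        "TLS-RPT": rpt.get("v") == "TLSRPTv1" and bool(rpt.get("rua")),
    }

COMPLIANT = {
    "@": "v=spf1 include:_spf.example.govt.nz -all",
    "sel1._domainkey": "v=DKIM1; k=rsa; p=MIIBconstructedkey",
    "_dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.govt.nz",
    "_mta-sts": "v=STSv1; id=20250527000000",
    "_smtp._tls": "v=TLSRPTv1; rua=mailto:tlsrpt@example.govt.nz",
}
ENFORCE = "version: STSv1\nmode: enforce\nmx: mail.example.govt.nz\nmax_age: 604800\n"
# Typical mid-rollout state: soft-fail SPF, quarantine, MTA-STS still testing.
PARTIAL = {**COMPLIANT, "@": "v=spf1 mx ~all", "_dmarc": "v=DMARC1; p=quarantine"}
TESTING = ENFORCE.replace("enforce", "testing")
```

Calling audit(PARTIAL, TESTING) marks SPF, DMARC and MTA-STS as failing while the DKIM key and TLS-RPT checks pass, which is the gap a domain still has to close before it meets the table.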

The ripple effect for every inbox

Although the mandate targets government domains, its impact extends far beyond. Vendors, councils, tertiary institutes, and NGOs that email the public sector will see stricter filtering in Outlook, Gmail, and NZ-hosted mail systems. Adopting DMARC early ensures deliverability and brand integrity when communicating with citizens and partners.

Five-step action plan to reach p=reject fast

  1. Discover every domain – Partnering with a dedicated DMARC provider like Red Sift gives you full visibility into every primary, secondary, and legacy domain, including parked or redirect records.
  2. Align SPF & DKIM – With Red Sift OnDMARC, you can ensure all legitimate senders are authorized and signing correctly; remove redundancies.
  3. Start with p=none, then quarantine, then reject – Graduate through DMARC policies with ease, reaching DMARC enforcement p=reject in just 6-8 weeks.
  4. Monitor to stay ahead – Ensure you stay protected with Red Sift OnDMARC’s dashboard that highlights unknown sources, forwarding failures, and shadow IT.
  5. Optimized AI for faster resolution – Our built-in LLM capability, Red Sift Radar, finds and fixes issues 10x faster, reducing time, costs and headcount.

How Red Sift OnDMARC accelerates compliance

Red Sift has helped thousands of organizations and many government departments (including in New Zealand) deploy DMARC quickly and safely. 

Whether you’re a government domain owner or a supplier who can’t risk lost emails, Red Sift OnDMARC gets you to full compliance, with ongoing support from our award-winning Customer Success team. Schedule a quick demo today and see how we turn New Zealand’s Secure Email Framework into a competitive advantage for your organization. 

PUBLISHED BY

Jack Lilley

27 May. 2025
