Most NZ government bodies not ready for strict email security law
Proofpoint research shows that 75% of New Zealand Government organisations have yet to implement the highest standard of email cybersecurity required by upcoming regulations.
With the introduction of the Secure Government Email (SGE) Framework due in October 2025, all New Zealand Government domains must enforce the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol at the strictest 'reject' level. DMARC is an email validation system designed to authenticate the sender's identity, preventing misuse of email domains by cyber criminals.
Proofpoint's analysis, based on a review of data from 200 organisations listed in the New Zealand Government Organisations Register, indicates that 8.5% of government organisations still lack any DMARC record. This gap leaves them open to potential impersonation and phishing attacks. Only 25.5% of organisations have adopted the mandatory 'reject' setting, which is regarded as the most secure because it blocks suspicious emails from reaching inboxes. More than half, 54%, are operating on a 'monitor' policy, which observes DMARC activity but does not actually stop or quarantine dubious emails.
The research highlights that government agencies across sectors including Defence, Home Affairs, Foreign Affairs and Trade, Education, Social Services, and Treasury and Finance all fall within the scope of the analysis. Many of these agencies manage sensitive data concerning the New Zealand population and national security interests.
Proofpoint identifies DMARC as comprising three levels of protection: monitor, quarantine, and reject. Currently, besides the 25.5% using reject, 12% have set their policy to quarantine, meaning suspicious messages are redirected to a spam folder but are not blocked outright. The remainder are either monitoring only or not participating in DMARC at all.
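To make those policy levels concrete, here is an added example (not Proofpoint's tooling or methodology) of how an audit can sort domains into the categories the article counts: no record, monitor (p=none), quarantine and reject. It uses a constructed table of hypothetical domains and TXT records in place of the DNS lookups at _dmarc.<domain> that a real check would perform, and it also flags records whose pct tag is below 100, since those only apply the policy to a sample of mail.

```python
from collections import Counter
from typing import Dict, List, Optional

# Constructed inventory (hypothetical domains): domain -> TXT records at _dmarc.<domain>.
# An empty list means no DMARC record at all (the 8.5% case in the article).
SAMPLE_RECORDS = {
    "agency-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example"],
    "agency-b.example": ["v=DMARC1; p=quarantine; pct=100"],
    "agency-c.example": ["v=DMARC1; p=none; rua=mailto:reports@agency-c.example"],
    "agency-d.example": [],
    "agency-e.example": ["v=DMARC1; p=reject; pct=20"],               # sampled enforcement
    "agency-f.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],   # duplicate: invalid
    "agency-g.example": ["v=spf1 -all"],                              # SPF, not DMARC
}

def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Split a TXT record into tag=value pairs; None if it is not a usable DMARC record."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags

def classify(txt_records: List[str]) -> str:
    """Map a domain's TXT records to: none, monitor, partial, quarantine or reject."""
    parsed = [t for t in (parse_dmarc(r) for r in txt_records) if t]
    if len(parsed) != 1:   # missing, or several records (receivers discard those): no policy
        return "none"
    policy = parsed[0]["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return "none"      # unknown p= value, treated as no usable policy
    if policy == "none":
        return "monitor"   # reports only; spoofed mail is still delivered
    pct = parsed[0].get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        return "partial"   # policy applied to a sample of mail only, not full enforcement
    return policy

def summarise(records: Dict[str, List[str]]) -> Dict[str, float]:
    """Share of domains at each level, the kind of breakdown the article reports."""
    counts = Counter(classify(r) for r in records.values())
    levels = ("none", "monitor", "partial", "quarantine", "reject")
    return {lvl: round(100 * counts[lvl] / len(records), 1) for lvl in levels}

if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        print(f"{domain:20} {classify(recs)}")
    print(summarise(SAMPLE_RECORDS))
```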
Failure to comply with the SGE requirements exposes government bodies to significant risks. These include email fraud targeting the New Zealand public, potential compromise of government employees, and exposure of sensitive state information. The Tertiary Education Commission was recently affected, with its emails being used in a scam targeting 56,000 people.
Email-based cyber threats continue to escalate, with the National Cyber Security Centre (NCSC) reporting in the first quarter of 2025 that NZD $7.8 million was lost due to poor cybersecurity, with businesses absorbing over half of these losses. The New Zealand government's lag in DMARC adoption increases broader national vulnerabilities, as any single agency with lax protections could be impersonated, putting public trust at risk.
"Mandating DMARC is an important step in the right direction and puts New Zealand in line with a number of countries who have taken this approach," explains Steve Moros, Senior Director, Advanced Technology Group, Asia Pacific and Japan at Proofpoint. "Government entities are and always will be prime targets for cyber adversaries, so ensuring email domains are secure is critical to reducing the attack surface, safeguarding sensitive information, and maintaining public trust."
DMARC represents the only widely deployed solution validating the sender's "From" address, ensuring messages truly originate from the claimed source and not an imposter. When enforced at the reject policy level, it prevents illicit emails from entering recipients' inboxes by confirming their authenticity at the server level.
Proofpoint's findings show that New Zealand is behind Australia in this respect. In Australia, 50% of government organisations enforce the reject policy, and only 1% lack any DMARC record, implying that at least 99% have implemented some level of protection. With digital attacks growing in sophistication, the disparity underlines the urgency with which New Zealand's government agencies must close their cybersecurity gaps.
Proofpoint recommends best practices for reinforcing email security. These suggestions include scrutinising all official email communications, being alert to requests for credentials or threats of service suspensions tied to clicking links, and adopting phishing-resistant multifactor authentication mechanisms such as passkeys.
The analysis from Proofpoint was conducted in July 2025 and spans the range of New Zealand governmental operations, highlighting the challenge of meeting the SGE deadline and the need for swift action to protect both official information and public confidence in government messaging channels.