New Zealand has recently published its Secure Government Email (SGE) Framework, a set of technical controls designed to replace the aging SEEMail gateway and bring modern, open-standard authentication to government inboxes.
The guidance requires:
- DMARC at p=reject to prevent spoofing (strict SPF and DKIM alignment is required)
- SPF to authorize legitimate senders
- DKIM to prevent tampering
- MTA-STS to enforce transit encryption
- TLS version at a minimum of 1.2 to secure session-level communication
- DLP to prevent unauthorized transmission of sensitive information
These requirements will be mandatory for any agency that handles restricted, sensitive, or confidential information. While these agencies are affected first, the SGE framework strongly recommends that every New Zealand government domain follow suit.
This is just another requirement in a long list that all point to a trend: the need for DMARC and stronger email security keeps growing.
Keep reading, and we’ll discuss these requirements in detail and what they mean for your IT and security teams.
Who’s in scope for these email requirements?
At first glance, it may sound like these requirements apply only to sensitive emails. But they will affect everyone at some level:
| Requirement | Mandatory for | Why it still affects everyone |
| --- | --- | --- |
| Protect confidential, sensitive, and restricted email | Agencies handling classified data | Any agency that exchanges messages with them must interoperate securely. |
| DMARC at p=reject for every email-enabled domain | Agencies handling classified data, plus any domain the agency uses to send messages | Attackers don’t target only sensitive units; they spoof whatever brand earns clicks. |
| Retirement of SEEMail in 2026 | Current SEEMail users | The SGE framework is the new baseline for New Zealand government domains; even agencies that skipped SEEMail will need a compatible posture to communicate. |
The bottom line is that while enforcement starts with higher-classification agencies, the framework’s October 2025 milestone calls for all agencies to “lift their email security standards” to SGE levels.
What the New Zealand SGE framework requires, in plain language
1. Authenticate the sender
- Sender Policy Framework (SPF): Publish a DNS record that lists every service allowed to send on your behalf, and end it with -all to block the rest.
- DomainKeys Identified Mail (DKIM): Cryptographically sign every outbound message.
- Domain-based Message Authentication, Reporting, and Conformance (DMARC): Align SPF and DKIM, turn on reporting, and set policy to p=reject so fraudulent messages never reach the inbox.
2. Encrypt the channel
- Transport Layer Security (TLS) 1.2 or higher for all connections.
- MTA-STS + TLS-RPT: Force encryption in transit and get feedback if anyone tries a downgrade attack.
3. Protect the content
- Data-Loss Prevention (DLP): Blocks messages that carry data above your clearance level.
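The record-level requirements above can be checked mechanically. This added example, which is not from the SGE guidance or from Valimail, audits SPF, DMARC and MTA-STS policy text against them; the domain agency.example, the sample records, and the reading of "force encryption" as MTA-STS mode: enforce are assumptions. DKIM signing and TLS-RPT are not covered.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # one DNS lookup each (RFC 7208)

def parse_tags(record, sep=";", kv="="):
    """Parse a 'k=v; k=v' TXT record, or 'k: v' policy lines, into a dict."""
    pairs = (p.split(kv, 1) for p in record.split(sep) if kv in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: no v=spf1 record"]
    out = [] if terms[-1].lower() == "-all" else ["SPF: does not end with -all"]
    names = [re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0].lower() for t in terms[1:]]
    n = sum(name in LOOKUP_TERMS for name in names)
    if n > 10:  # lower bound only: nested includes are not resolved here
        out.append(f"SPF: {n} lookup terms exceed the 10-lookup limit")
    return out

def check_dmarc(record):
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: no v=DMARC1 record"]
    out = []
    if tags.get("p", "").lower() != "reject":
        out.append(f"DMARC: p={tags.get('p')} is not p=reject")
    for tag in ("adkim", "aspf"):  # both default to relaxed ("r") when absent
        if tags.get(tag, "r").lower() != "s":
            out.append(f"DMARC: {tag} alignment is not strict")
    if "rua" not in tags:
        out.append("DMARC: no rua address, reporting is off")
    return out

def check_mta_sts(policy_text):
    # Assumption: "force encryption" is read here as mode: enforce (RFC 8461).
    mode = parse_tags(policy_text, sep="\n", kv=":").get("mode")
    return [] if mode == "enforce" else [f"MTA-STS: mode is {mode}, not enforce"]

def audit(r):
    return check_spf(r["spf"]) + check_dmarc(r["dmarc"]) + check_mta_sts(r["mta_sts"])

# Constructed records for the hypothetical domain agency.example.
WEAK = {"spf": "v=spf1 include:_spf.mail.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@agency.example",
        "mta_sts": "version: STSv1\nmode: testing\nmx: mx.agency.example\nmax_age: 86400"}
FIXED = {"spf": "v=spf1 include:_spf.mail.example -all",
         "dmarc": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@agency.example",
         "mta_sts": "version: STSv1\nmode: enforce\nmx: mx.agency.example\nmax_age: 86400"}
```

Calling audit(WEAK) returns five findings (soft-fail SPF, p=none, two relaxed alignment defaults, MTA-STS in testing mode), while audit(FIXED) returns an empty list.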
Timeline at a glance
What’s the timeline for these New Zealand email requirements? Here’s the tentative timeline, according to the guidance:
- June 2025: SGE v1.0 is live; guidance available as a downloadable PDF.
- October 2025: Every applicable agency should have aligned its external email domains with SGE.
- 2026: Legacy SEEMail gateway retires. Agencies that haven’t modernized are at risk of isolation.
What happens if agencies don’t comply with this secure framework?
The All of Government Service Delivery (AoGSD) team will watch DMARC, SPF, and MTA-STS records (DKIM next) and flag any non-compliance. Agencies mandated by this new framework must prove compliance and remediate quickly.
If compliance changes occur, the AoGSD Security team will individually review each case and communicate with the agency to assess whether there was an error or issue.
Five strategic takeaways for IT and security leaders
Now isn’t the time to panic and scramble to meet these compliance requirements. Treat “optional” as “inevitable.” History shows that when one part of the government raises the bar, the rest follows. Getting ahead today beats scrambling later in the year.
It might seem daunting, but if this requirement affects you, here are five strategic takeaways and steps to take next:
- Get the status of your domain’s email authentication using Valimail’s free domain checker.
- Focus on visibility first. DMARC reporting quickly reveals who’s sending on your behalf, and who’s spoofing you. You can do this for free with Valimail Monitor.
- Automate the lift. Manually tuning SPF, DKIM, and DMARC across dozens of SaaS services is error-prone; automation keeps you within the 10-lookup limit and prevents issues down the line.
- Go straight to enforcement. A p=none record offers zero protection. Fast-tracking to p=reject cuts the window attackers can exploit.

- Plan for continuous change. New cloud apps appear weekly. Choose a solution that flags unauthenticated senders before they derail your compliance status.
How Valimail helps New Zealand agencies succeed and meet compliance requirements
Valimail is the leader in DMARC, and we hosted DMARC in 2015. We’ve helped over 80,000 organizations worldwide, including in New Zealand.
We’re the global G2 DMARC leader as well as the G2 DMARC leader in the Asia Pacific region.

“Managing DNS records for SPF was always challenging, with frequent changes and risk of exceeding lookup limits. With Valimail’s automated monitoring and real-time alerts, we now have complete visibility into our SPF record health, ensuring optimal configuration without disruptions. Their proactive approach saves us time and prevents misconfigurations.” – Melvin Joseph, Security Engineer, Ausgrid
Our industry-leading DMARC solutions help you:
- Discover every email sending service by name
- Get to p=reject safely with real-time DMARC enforcement insights
- Monitor SPF, DKIM, and DMARC continuously with alerts about email delivery and compliance
- Complement your secure email gateway (SEG). We authenticate the sender; SEGs inspect the content to create a layered defense against phishing

So, what next steps should you take to comply with New Zealand email requirements before October 2025?
If you’re ready to dive into full compliance, schedule a demo of Valimail Enforce. We’ll help you quickly get to DMARC enforcement with the help of our product support team.
However, if you just want visibility into your sending services to check your compliance status, you can sign up for our free DMARC solution: Valimail Monitor. It’s forever-free with no credit card obligations, and you can instantly see all of your sending services and look at your domain under the hood. If you like what you see, you can always upgrade your account later.
Ready to meet the New Zealand Secure Government Email Framework ahead of schedule?
Sr. Content Marketing Manager at Valimail