New Zealand Sets October 2025 Deadline for Strict DMARC Enforcement

June 10, 2025  |  3 min read

The New Zealand government has introduced a mandatory Secure Government Email (SGE) Framework, aimed at protecting public sector email from phishing, spoofing, and cyber fraud. One of the central pillars of this initiative is the enforcement of DMARC at a p=reject policy – a move that brings New Zealand in line with cybersecurity best practices adopted by the UK, US, and Australia.

Deadline: All New Zealand government agencies and any organization that communicates with them must be compliant by October 2025.

Why This Framework Matters

In 2024 alone, phishing and spoofing attacks caused an estimated $1.6 billion in damages across New Zealand. Email remains the #1 vector for cyberattacks, and domain spoofing is one of the most exploited vulnerabilities. The SGE Framework is designed to:

  • Prevent unauthorized use of government domains
  • Protect citizens from fraudulent emails
  • Retire the outdated SEEMail system
  • Standardize modern email security controls across all agencies

What Is Required by October 2025?

Here are the exact requirements for all email-enabled domains under the new framework:

| Security Setting | Requirement |
|---|---|
| DMARC (Outbound) | Must be set to p=reject on all domains. Domains not used for bulk mailing should use the flag adkim=s. |
| DMARC (Inbound) | Inbound emails must be checked for DMARC compliance and actions taken based on the sender's policy. |
| SPF | Must have an SPF record that must end with -all (hard fail). |
| DKIM | All outbound email from every sending service must be DKIM-signed. |
| MTA-STS | An MTA record must be defined and set to enforce. |
| TLS-RPT | Enable TLS Reporting on all email sending domains. |
| TLS | Enforce a minimum version of TLS 1.2. |
| Implicit TLS | Implicit TLS must be configured and enforced for all connections. |
| Data Loss Prevention (DLP) | Controls aligned with the NZ Information Security Manual (NZISM) and Protective Security Requirements (PSR). |

Who Is Affected?

While the mandate applies to all New Zealand government agencies, its impact goes far beyond the public sector. Any vendors, suppliers, councils, NGOs, and educational institutions that send email to government addresses must ensure their email is properly authenticated, or risk being blocked, quarantined, or flagged as spam.

Enforcement & Monitoring

The All of Government Service Delivery (AoGSD) team will monitor email security compliance across agencies. Changes to DNS records, such as shifting SPF from -all to ~all, will be flagged and reviewed. This ensures agencies remain protected and aligned with the framework over time.
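To make the DNS-visible rows of the requirements table and the drift monitoring above concrete, here is an added Python example (not code from the SGE Framework, AoGSD, or Skysnag) that audits DMARC, SPF, MTA-STS, and TLS-RPT records for the settings the table lists. The records are constructed samples for the placeholder domain agency.example and are passed in as strings, so no DNS lookup is performed; the function names are illustrative.

```python
def parse_tags(record):
    # Parse a 'tag=value; tag=value' TXT record (DMARC, TLS-RPT) into a dict
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_dmarc(record, bulk_sender=False):
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: no valid v=DMARC1 record"]
    findings = []
    if tags.get("p", "").lower() != "reject":
        findings.append(f"DMARC: p={tags.get('p')} (required: p=reject)")
    # An absent adkim tag means relaxed alignment ("r")
    if not bulk_sender and tags.get("adkim", "r").lower() != "s":
        findings.append("DMARC: DKIM alignment is relaxed (adkim=s expected)")
    return findings

def check_spf(record):
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["SPF: no v=spf1 record"]
    # "~all" (soft fail) or a missing "all" term does not meet the hard-fail rule
    return [] if terms[-1] == "-all" else [f"SPF: ends with '{terms[-1]}' (required: -all)"]

def check_mta_sts(policy):
    # The policy file is a set of 'key: value' lines
    pairs = (line.split(":", 1) for line in policy.splitlines() if ":" in line)
    fields = {k.strip().lower(): v.strip() for k, v in pairs}
    if fields.get("version") != "STSv1" or fields.get("mode") != "enforce":
        return [f"MTA-STS: mode={fields.get('mode')} (required: enforce)"]
    return []

def check_tls_rpt(record):
    tags = parse_tags(record)
    ok = tags.get("v") == "TLSRPTv1" and bool(tags.get("rua"))
    return [] if ok else ["TLS-RPT: need v=TLSRPTv1 with a rua= report destination"]

def audit(d):
    return (check_dmarc(d["dmarc"], d.get("bulk_sender", False)) + check_spf(d["spf"])
            + check_mta_sts(d["mta_sts_policy"]) + check_tls_rpt(d["tls_rpt"]))

# Constructed sample records (placeholder domain, not real DNS data)
COMPLIANT = {
    "dmarc": "v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc@agency.example",
    "spf": "v=spf1 include:_spf.agency.example -all",
    "mta_sts_policy": "version: STSv1\nmode: enforce\nmx: mail.agency.example\nmax_age: 604800",
    "tls_rpt": "v=TLSRPTv1; rua=mailto:tlsrpt@agency.example",
}
DRIFTED = dict(COMPLIANT, dmarc="v=DMARC1; p=quarantine", spf="v=spf1 include:_spf.agency.example ~all",
               mta_sts_policy="version: STSv1\nmode: testing\nmx: mail.agency.example\nmax_age: 86400")
```

Calling audit(COMPLIANT) returns an empty list, while audit(DRIFTED) returns one finding for each setting that has slipped below the table's requirements.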

Your Organization’s 5-Step Action Plan to p=reject

1. Discover Every Domain

Skysnag gives you full visibility into all your domains – including primary, secondary, legacy, parked, and redirect domains – so you can secure every email source from day one.

2. Align SPF & DKIM

Skysnag automatically identifies and validates all legitimate email senders. It helps configure SPF and DKIM properly across all services, eliminating conflicts and reducing risk.

3. Enforce DMARC in Phases

Easily graduate through DMARC policies with Skysnag’s guided approach and fully automated process – from “p=none”, to “p=quarantine”, to “p=reject” – 7x faster with zero disruption.

4. Monitor to Stay Ahead

Skysnag’s intuitive dashboard tracks unknown sources, misconfigurations, forwarders, and shadow IT. You’ll get real-time insights to stay compliant and protected.

5. Fix Issues Faster with AI-Powered Automation

Skysnag’s intelligent automation detects and resolves issues quickly – reducing time, operational overhead, and manual error, so your team can stay focused on higher priorities.

Key Takeaway

The Secure Government Email Framework is a crucial step in modernizing New Zealand’s cybersecurity posture. For businesses that interact with the public sector, email compliance is no longer optional – it’s essential for communication, reputation, and security.

Now is the time to prepare. Align your domain with the framework to safeguard your brand and maintain trusted relationships with government partners.

How Skysnag accelerates compliance

Skysnag has helped thousands of organizations, including government agencies, to implement DMARC quickly, safely, and at scale.

Whether you’re a public sector domain owner or a private vendor struggling with manual configurations and deliverability issues, Skysnag helps you achieve full compliance with the Secure Government Email Framework. Our expert support team is with you every step of the way. Schedule a demo today and see Skysnag in action.
