The New Zealand Government has introduced the Secure Government Email (SGE) Framework to guide agencies on securing external email using industry best practices. To implement SGE, DMARC at p=reject is now mandatory for all email-enabled domains, along with SPF, DKIM, and MTA-STS.
While SEEMail worked for years, it had limits in scaling, working with external partners, and keeping up with modern email security standards. The new SGE framework aims to improve email security, minimize spoofing, and enable the retirement of the SEEMail (Secure Encrypted Email) service. You can view the official document for more information on this.
Deployment Timeline: By October 2025, all government agencies must upgrade their email security to meet the standards of this framework.
Key Takeaways
- New Zealand mandates DMARC for government agencies under the SGE framework.
- Agencies must retire SEEMail and fully adopt SGE by October 2025.
- SPF, DKIM, MTA-STS, and TLS 1.2 are also required.
- Early adoption reduces spoofing risks and ensures smooth compliance.
- PowerDMARC offers automated tools and managed services to simplify New Zealand DMARC adoption and enforcement.
What Is the Secure Government Email (SGE) Framework?
Secure Government Email (SGE) is a New Zealand Government framework that protects email communication between government agencies and external partners. It follows the security guidelines set by the New Zealand Information Security Manual (NZISM) and is designed to protect information classified as sensitive.
In simple terms, the SGE framework:
- Follows strict guidelines to protect sensitive information
- Makes it harder for cyber attackers to spoof government domains
- Improves overall email security
- Replaces the older SEEMail service
Key Technical Requirements for Implementing SGE
The SGE implementation guide outlines the following critical requirements and deployment timelines for agencies:
For All Email-Enabled Domains:
- DMARC to prevent spoofing
DMARC implementation is now mandatory with policy set to p=reject, and DMARC reporting enabled. Strict SPF & DKIM alignment mode is recommended.
- SPF to authorize legitimate senders
SPF must be implemented with the SPF record ending in -all (hardfail).
- DKIM to prevent tampering
DKIM signing must be applied at the last MX server in the sending flow.
- MTA-STS to enforce encryption in transit
MTA-STS must be implemented with the policy set to “Enforce”, and TLS-RPT must be enabled to monitor encryption failures.
- TLS to secure session-level communication
TLS must be implemented with a minimum version requirement of 1.2 or higher.
- DLP to prevent unauthorized transmission of sensitive information
DLP implementation must follow agency requirements, aligned with NZISM.
For Non-Sending Domains/Subdomains:
- Publish the SPF record: “v=spf1 -all”
- Publish the DKIM record: “v=DKIM1; p=”
- Publish the DMARC record: “v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:<your email address>;”
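The requirements above can be checked against the text of the records an agency actually publishes. The following is an added example, not code from the SGE guide or from PowerDMARC: it takes record strings as input (no DNS lookups), and the function names and the agency.example domain are assumptions made for illustration.

```python
# Added example (constructed data): checks record text against the SGE requirements.
def parse_tags(record):  # 'tag=value; tag=value' (DMARC, DKIM) -> dict
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(record, sending=True):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    issues = []
    if terms[-1].lower() != "-all":
        issues.append("SPF: record must end with -all (hardfail)")
    if not sending and len(terms) != 2:
        issues.append("SPF: non-sending domain should publish only 'v=spf1 -all'")
    return issues

def check_dmarc(record):
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    issues = []
    if tags.get("p", "").lower() != "reject":
        issues.append("DMARC: policy must be p=reject")
    if not tags.get("rua", "").lower().startswith("mailto:"):
        issues.append("DMARC: reporting (rua) is not enabled")
    for tag in ("adkim", "aspf"):  # alignment defaults to relaxed when absent
        if tags.get(tag, "r").lower() != "s":
            issues.append(f"DMARC: {tag}=s (strict alignment) is recommended")
    return issues

def check_null_dkim(record):
    tags = parse_tags(record)
    ok = tags.get("v") == "DKIM1" and tags.get("p") == ""
    return [] if ok else ["DKIM: non-sending domain must publish 'v=DKIM1; p='"]

def check_mta_sts(policy_text):
    pairs = (ln.split(":", 1) for ln in policy_text.splitlines() if ":" in ln)
    mode = {k.strip(): v.strip() for k, v in pairs}.get("mode", "")
    return [] if mode == "enforce" else [f"MTA-STS: mode is '{mode}', not enforce"]

def audit_non_sending(spf, dkim, dmarc):
    return check_spf(spf, sending=False) + check_null_dkim(dkim) + check_dmarc(dmarc)

# Constructed sample: a parked domain whose SPF record still uses softfail.
PARKED_ISSUES = audit_non_sending("v=spf1 ~all", "v=DKIM1; p=",
    "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@agency.example;")
```

Strict alignment is reported as a recommendation rather than a failure, matching the wording of the DMARC requirement above.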
Compliance Monitoring
For the SGE framework, the AoGSD oversees the implementation and compliance monitoring. The AoGSD team will monitor how well agencies follow the new email security framework. This includes checking settings like SPF, DMARC, and MTA-STS, with DKIM to be added later.
How It Impacts Government Agencies
Here’s how the transition to the SGE framework will affect government agencies:
- SEEMail replacement: SEEMail must be retired; agencies must adopt the new SGE Framework model
- Modernization: Transition to open-standard, scalable email security solutions
- Enhanced domain security: Early adoption can reduce spoofing and phishing attacks
- Secure external communications: Ensures sensitive information is protected when communicating with external partners
- Improved Compliance: Aligns agency practices with NZISM controls and national security standards
- Operational Efficiency: Proactive implementation minimizes disruption and supports broader digital transformation initiatives
SEEMail vs. SGE
Feature | SEEMail | SGE |
---|---|---|
Purpose | Secure encrypted email within NZ government agencies | Standards-based secure email for internal and external communication |
Authentication Protocols | Not consistently implemented | DMARC (p=reject), SPF, DKIM with strict alignment enforced |
Encryption in Transit | Proprietary encryption via SEEMail infrastructure | MTA-STS with TLS 1.2+ encryption required |
Interoperability | Limited to SEEMail-participating agencies | Compatible with external partners and modern email systems |
Email Visibility | Limited visibility and reporting | Full visibility via DMARC reports and TLS-RPT |
Compliance Monitoring | Centralized but narrow in scope | AoGSD monitors for compliance across all email security settings |
Deployment Model | Centralized encrypted email platform | Decentralized, open-standard, domain-level policy enforcement |
Status | Legacy system, being phased out | Mandatory implementation by October 2025 |
How PowerDMARC Supports This Transition
The SGE framework requires rigorous policy enforcement, which, while beneficial, can result in deliverability issues if done incorrectly.
PowerDMARC supports and simplifies this transition for New Zealand public sector agencies through managed DMARC deployment services.
1. Automated SPF, DKIM, DMARC Implementation
We can help New Zealand government agencies swiftly implement complex protocols without the technical know-how, through intelligent and automated DNS record generation tools. The platform also supports one-click automatic DNS record publishing to fast-track the implementation process and reduce manual work.
2. Guided DMARC & MTA-STS Policy Enforcement
Enforcing your policies can be daunting and can lead to unwanted deliverability issues if done incorrectly. We provide a guided environment for New Zealand public sector agencies to enforce DMARC and MTA-STS policies, with expert support at every stage!
3. SPF Error Handling
SPF records are prone to errors due to limitations enforced by the IETF. When using third-party services, it becomes difficult to keep under these DNS lookup and character length limits. We offer agencies a zero-touch, automatic SPF optimization service through Hosted SPF. Integrating Macros allows you to minimize SPF errors significantly.
4. Simplified DMARC & TLS Reporting
Organizations and agencies often find it difficult to read and understand complex DMARC XML reports and JSON reports for TLS-RPT. We simplify this as well! Visual dashboards, human-readable data, and advanced filtering options allow agencies to monitor with confidence.
5. Continuous Alignment Monitoring
DMARC alignment failures are major red flags. They typically signal a spoofing or impersonation attempt! Our dashboard clearly displays alignment failures for DMARC, SPF, and DKIM, highlighting underlying issues. This helps agencies stay on top of suspicious activities!
6. ESP Compliance Management
As Google, Yahoo, and Microsoft have cracked down on their email security requirements, DMARC is no longer optional for bulk senders. We help agencies meet and manage compliance, ensuring sensitive government correspondence lands safely in inboxes.
Get Started Today
PowerDMARC works with government agencies around the world to meet local and international security standards. Contact us today to begin your SGE compliance journey with confidence!