The New Zealand Government has introduced the Secure Government Email (SGE) Framework to guide agencies on securing external email using industry best practices. To implement SGE, DMARC at p=reject is now mandatory for all email-enabled domains, along with SPF, DKIM, and MTA-STS.
While SEEMail worked for years, it had limits in scaling, working with external partners, and keeping up with modern email security standards. The new SGE framework aims to improve email security, minimize spoofing, and enable the retirement of the SEEMail (Secure Encrypted Email) service. You can view the official document for more information on this.
Deployment Timeline: By October 2025, all government agencies must upgrade their email security to meet the standards of this framework.
Key Takeaways
- New Zealand mandates DMARC for government agencies under the SGE framework.
- Agencies must retire SEEMail and fully adopt SGE by October 2025.
- SPF, DKIM, MTA-STS, and TLS 1.2 are also required.
- Early adoption reduces spoofing risks and ensures smooth compliance.
- PowerDMARC offers automated tools and managed services to simplify New Zealand DMARC adoption and enforcement.
What Is the Secure Government Email (SGE) Framework?
Secure Government Email (SGE) is a New Zealand Government framework that protects email communication between government agencies and external partners. It follows the security guidelines set by the New Zealand Information Security Manual (NZISM) and is designed to protect information classified as sensitive.
In simple terms, the SGE framework:
- Follows strict guidelines to protect sensitive information
- Makes it harder for cyber attackers to spoof government domains
- Improves overall email information security
- Replaces the older SEEMail service
Key Technical Requirements for Implementing SGE
The SGE implementation guide outlines the following critical requirements and deployment timelines for agencies:
For All Email-Enabled Domains:
- DMARC to prevent spoofing: DMARC implementation is now mandatory, with the policy set to p=reject and DMARC reporting enabled. Strict SPF and DKIM alignment mode is recommended.
- SPF to authorize legitimate senders: SPF must be implemented with the SPF record ending in -all (hardfail).
- DKIM to prevent tampering: DKIM signing must be applied at the last MX server in the sending flow.
- MTA-STS to enforce encryption in transit: MTA-STS must be implemented at “Enforce” policy, and TLS-RPT must be enabled to monitor encryption failures.
- TLS to secure session-level communication: TLS must be implemented with a minimum version requirement of 1.2 or higher.
- DLP to prevent unauthorized transmission of sensitive information: DLP implementation must follow agency requirements, aligned with NZISM.
For Non-Sending Domains/Subdomains:
- Publish the SPF record: “v=spf1 -all”
- Publish the DKIM record: “v=DKIM1; p=”
- Publish the DMARC record: “v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:<your email address>;”
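The settings listed above for sending and non-sending domains can be checked mechanically once the TXT records and the MTA-STS policy file have been retrieved. The following is an added example, not part of the SGE guide or any PowerDMARC tool; the function names and the agency.example records are constructed for illustration, and fetching the records from DNS and HTTPS is left out so the check runs offline.

```python
def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict with lower-case tag names."""
    pairs = (part.partition("=") for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, _, value in pairs}

def check_spf(record):
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["SPF: not an SPF record"]
    return [] if terms[-1] == "-all" else ["SPF: record must end with -all (hardfail)"]

def check_dmarc(record):
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: not a DMARC record"]
    issues = []
    if tags.get("p", "").lower() != "reject":
        issues.append("DMARC: policy must be p=reject")
    if not tags.get("rua"):
        issues.append("DMARC: reporting (rua) is not enabled")
    for tag in ("adkim", "aspf"):  # alignment defaults to relaxed ("r") when the tag is absent
        if tags.get(tag, "r").lower() != "s":
            issues.append(f"DMARC: {tag}=s (strict alignment) is recommended")
    return issues

def check_mta_sts(policy_text):
    """policy_text is the body of the mta-sts.txt policy file ('key: value' lines)."""
    pairs = (line.split(":", 1) for line in policy_text.splitlines() if ":" in line)
    fields = {key.strip().lower(): value.strip().lower() for key, value in pairs}
    mode = fields.get("mode", "missing")
    return [] if mode == "enforce" else [f"MTA-STS: mode is {mode}, must be enforce"]

def audit(records):
    # 'spf' and 'dmarc' are TXT strings; 'mta_sts' is only present for sending domains.
    issues = check_spf(records["spf"]) + check_dmarc(records["dmarc"])
    if "mta_sts" in records:
        issues += check_mta_sts(records["mta_sts"])
    return issues

# Constructed sample data, not real agency records.
SENDING = {
    "spf": "v=spf1 include:_spf.mail.example ~all",
    "dmarc": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@agency.example",
    "mta_sts": "version: STSv1\nmode: testing\nmx: mail.agency.example\nmax_age: 86400\n",
}
PARKED = {
    "spf": "v=spf1 -all",
    "dmarc": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@agency.example;",
}
print(audit(SENDING), audit(PARKED))
```

The constructed sending domain fails on SPF softfail, DMARC policy, both alignment modes and MTA-STS mode, while the parked domain using the non-sending records returns no findings.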
Compliance Monitoring
For the SGE framework, the AoGSD oversees the implementation and compliance monitoring. The AoGSD team will monitor how well agencies follow the new email security framework. This includes checking settings like SPF, DMARC, and MTA-STS, with DKIM to be added later.
How It Impacts Government Agencies
Here’s how the transition to the SGE framework will affect government agencies:
- SEEMail replacement: SEEMail must be retired; agencies must adopt the new SGE Framework model
- Modernization: Transition to open-standard, scalable email security solutions
- Enhanced domain security: Early adoption can reduce spoofing and phishing attacks
- Secure external communications: Ensures sensitive information is protected when communicating with external partners
- Improved Compliance: Aligns agency practices with NZISM controls and national security standards
- Operational Efficiency: Proactive implementation minimizes disruption and supports broader digital transformation initiatives
SEEMail vs. SGE
Feature | SEEMail | SGE |
---|---|---|
Purpose | Secure encrypted email within NZ government agencies | Standards-based secure email for internal and external communication |
Authentication Protocols | Not consistently implemented | DMARC (p=reject), SPF, DKIM with strict alignment enforced |
Encryption in Transit | Proprietary encryption via SEEMail infrastructure | MTA-STS with TLS 1.2+ encryption required |
Interoperability | Limited to SEEMail-participating agencies | Compatible with external partners and modern email systems |
Email Visibility | Limited visibility and reporting | Full visibility via DMARC reports and TLS-RPT |
Compliance Monitoring | Centralized but narrow in scope | AoGSD monitors for compliance across all email security settings |
Deployment Model | Centralized encrypted email platform | Decentralized, open-standard, domain-level policy enforcement |
Status | Legacy system, being phased out | Mandatory implementation by October 2025 |
How PowerDMARC Supports This Transition
PowerDMARC supports and simplifies this transition for New Zealand public sector agencies through managed DMARC deployment services.
The SGE framework requires rigorous policy enforcement, which, while beneficial, can result in deliverability issues if done incorrectly.
We help you:
- Set up DMARC, SPF, DKIM, and MTA-STS easily through automated tools
- Enforce DMARC policies safely without breaking deliverability
- Pass SPF and DKIM alignments
- Monitor your email traffic through easy-to-read reports
Get Started Today
PowerDMARC works with government agencies around the world to meet local and international security standards. Contact us today to begin your SGE compliance journey with confidence!
- New Zealand Government Mandates DMARC Under New Secure Email Framework - June 9, 2025