Tech and Security – Three-Quarters of New Zealand Government Organisations Yet to Meet Strictest Cybersecurity Standards Ahead of Security Mandate – Research


Source: Proofpoint

 With less than two months until the government enforcement deadline, the majority of organisations remain exposed to critical vulnerabilities.
SYDNEY, Australia – 13 August 2025 – Proofpoint, Inc., a leading cybersecurity and compliance company, has found that three out of four New Zealand Government organisations have yet to implement the strictest level of email cybersecurity measures, leaving them exposed to risks of email fraud that could impact the New Zealand public, government workers, and stakeholders.  
These findings come ahead of the New Zealand Government’s mandate for Domain-based Message Authentication, Reporting and Conformance (DMARC) enforcement for all government domains under its Secure Government Email (SGE) Framework. 
The SGE, a stricter approach to protecting government email communications, replaces the previous SEEMail system and is set to take effect in October 2025. However, with less than two months to go until the deadline, the vast majority of government domains are not currently satisfying this requirement.
 
The new analysis by Proofpoint of DMARC adoption reveals that three quarters (75%) of New Zealand Government organisations have not implemented the recommended and strictest level of DMARC protection – reject – which prevents cyber criminals from spoofing organisations’ identities and reduces the risk of email fraud. DMARC has three levels of protection – monitor, quarantine and reject – with reject being the most secure for preventing illegitimate emails from reaching the inbox.  
Proofpoint’s DMARC analysis covered 200 primary organisations in the New Zealand Government spanning sectors such as Defence, Home Affairs, Foreign Affairs and Trade, Education, Employee and Workplace Relations, Social Services, Climate Change, Energy, the Environment and Water, Treasury and Finance. Many of these organisations will hold substantial data on the New Zealand population, plus vital information related to national security.    
The findings reveal that while 91.5% of New Zealand Government organisations have adopted the email authentication protocol, only 25.5% of them are implementing it at the highest level by blocking suspicious emails, a requirement of the new SGE framework. Alarmingly, 8.5% of New Zealand Government organisations do not have any DMARC record at all, leaving them vulnerable to cyberattacks.
Email remains a primary vector for cyberattacks, with phishing and impersonation schemes constantly evolving. DMARC authentication detects and prevents email spoofing techniques used in phishing, business email compromise (BEC), and other email-based attacks. When fully implemented, DMARC provides a critical layer of defence by ensuring that only legitimate emails from an organisation’s domain reach their intended recipients. DMARC stands as the only widely deployed technology that verifies the sender’s “From” address, ensuring emails are genuinely from the claimed source and not from impersonators.
This analysis follows the National Cyber Security Centre (NCSC) finding that, in the first quarter of 2025 alone, $7.8 million was lost to poor cybersecurity, with New Zealand businesses bearing the brunt of the load – accounting for over half of reported losses.  
When compared to government agencies in Australia, New Zealand is significantly behind. 50% of Australian Government domains are protected to the highest level, and only 1% have no DMARC record at all – meaning at least 99% have implemented basic protections. Since a single compromised agency can be impersonated, protecting every government domain and identity is critical.
“Mandating DMARC is an important step in the right direction and puts New Zealand in line with a number of countries who have taken this approach,” explains Steve Moros, Senior Director, Advanced Technology Group, Asia Pacific and Japan at Proofpoint. “Government entities are and always will be prime targets for cyber adversaries, so ensuring email domains are secure is critical to reducing the attack surface, safeguarding sensitive information, and maintaining public trust.”  
The full findings of Proofpoint’s DMARC analysis of New Zealand’s Government agencies show:

  • 25.5% of New Zealand Government entities have implemented the highest DMARC protection level: Reject.  
  • 12% have a Quarantine policy, meaning suspicious emails are sent to a spam folder.  
  • 54% have a Monitor policy, which only tracks DMARC activity without blocking or quarantining emails.  
  • 8.5% have no DMARC record at all.  

Best Practices for Enhanced Email Security:  

  • Check the validity of all email communication and be cautious of potentially fraudulent emails impersonating colleagues, suppliers, and stakeholders.   
  • Be cautious of any communication attempts that request log-in credentials or threaten to suspend service or an account if a link isn’t clicked.  
  • Adopt phishing-resistant multifactor authentication, such as passkeys.

About Proofpoint, Inc.
Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organizations of all sizes, including 85 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at www.proofpoint.com.

MIL OSI
