
Email is still the backbone of how business gets done: invoices, proposals, payroll updates, vendor changes, customer support, and “please wire this today” requests. The problem is that email has historically been built on trust-by-default, and attackers have taken full advantage of that.
New Zealand’s public sector just made a decisive move to counter this: under its Secure Government Email (SGE) framework, government domains are required to enforce DMARC with a policy of p=reject.
Even if you’re not in New Zealand, not in government, and not technical, this matters. It’s a clear signal that governments and organizations are shifting from “hoping email is trustworthy” to “proving it.”
What New Zealand’s mandate actually says (in plain English)
New Zealand’s SGE framework pushes agencies toward modern, open email security standards designed to reduce spoofing and phishing—and it specifically calls for DMARC enforcement at the strictest level.
“DMARC with p=reject” essentially means:
“If an email claims to be from our domain, and it can’t prove it, don’t deliver it.”
That’s the big shift: unauthorized look-alike email gets blocked automatically instead of merely being “flagged” or “treated as suspicious.”
Why this matters to SMB leaders everywhere
1) It’s a leading indicator of where expectations are going
When governments mandate a security control, it usually becomes a baseline expectation for everyone else—especially vendors, partners, and any business that wants reliable email deliverability.
New Zealand is not treating email authentication as a nice-to-have. They’re treating it like infrastructure.
2) It protects your brand from being weaponized
If someone can send an email that looks like it came from your domain, they can:
- trick your customers into paying fake invoices
- impersonate leadership in payroll or HR scams
- damage your reputation (and ability to send legitimate email) in a single afternoon
DMARC is one of the most effective ways to stop that kind of impersonation at the domain level, before it hits inboxes.
3) It helps your real email reach the inbox
As inbox providers and security gateways lean harder into authentication, businesses with strong SPF/DKIM/DMARC posture tend to see fewer deliverability issues because their email is easier to trust.
DMARC, SPF, DKIM — the simple mental model
Here’s the non-technical version:
- SPF is a “permission slip” published in your DNS that says which mail servers are allowed to send email for your domain.
- DKIM is a tamper-evident “seal” on the email: a digital signature that proves the message was sent with your domain’s key and wasn’t altered in transit.
- DMARC is the rule that ties the two to the address people actually see (the From header) and tells receiving systems what to do when neither check passes for your domain: accept it anyway, quarantine it, or reject it. A message only needs one of SPF or DKIM to pass for the domain in the From header; if both fail, or they pass only for some other domain, DMARC fails.
Where DIY can get you into trouble
DMARC has three policy levels (p=none, p=quarantine, p=reject), and p=reject is the strongest. But you can’t safely jump there without doing the groundwork.
When you set DMARC to p=reject, you’re telling the world to block messages that fail authentication. To avoid accidentally blocking legitimate business email, you must ensure:
- every legitimate sending service is listed in your SPF record
- every legitimate sending service signs mail with DKIM using a key published under your domain (not only the vendor’s own domain)
- those checks are “aligned”: the domain that passes SPF or DKIM matches the domain in the visible From address, so mail “from” your domain can prove it truly originates from an authorized source
This is why many organizations start in monitoring mode (p=none, with aggregate reports delivered to a mailbox named in the record’s rua tag) and move gradually to enforcement. The “surprise” in those reports is usually not hackers. It’s forgotten systems like CRMs, website forms, ticketing tools, payroll portals, and marketing platforms that send as your domain but were never authenticated for it.
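To make the “alignment” point above concrete, here is an added example (not code from the original post or from any vendor) of the decision a receiving mail server makes for one message: it parses the sender’s DMARC record, checks whether SPF or DKIM passed for a domain that aligns with the From header, and returns the disposition. The domains, sender systems, DNS records and the short public-suffix list are constructed for illustration; a real receiver uses the full Public Suffix List and a full DMARC implementation.

```python
"""Added example (not from the original post): how a receiving server
evaluates DMARC for one message. Domains, sender names and DNS records
below are constructed for illustration."""
from dataclasses import dataclass

# Toy stand-in for the Public Suffix List (assumption); real receivers use the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.nz", "govt.nz", "org.nz"}


def org_domain(domain: str) -> str:
    """Organizational domain: the label just above the public suffix
    (mail.example.co.nz -> example.co.nz). Used for relaxed alignment."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])


def parse_dmarc(txt: str) -> dict:
    """Parse a _dmarc TXT record into tags, filling in the spec defaults."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.partition("=")
        if key.strip():
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in {"none", "quarantine", "reject"}:
        raise ValueError(f"not a usable DMARC record: {txt!r}")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment
    tags.setdefault("aspf", "r")      # relaxed SPF alignment
    tags.setdefault("pct", "100")     # share of failing mail the policy applies to
    return tags


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class Verdict:
    dmarc: str         # "pass" or "fail"
    disposition: str   # "none" (deliver), "quarantine" or "reject"
    reason: str


def evaluate(from_domain, record, spf_result, spf_domain, dkim_sigs):
    """from_domain: domain in the visible From: header.
    spf_result/spf_domain: SPF outcome and the envelope (Return-Path) domain it was checked for.
    dkim_sigs: list of (result, d=) pairs, one per DKIM-Signature on the message."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = any(r == "pass" and aligned(from_domain, d, tags["adkim"]) for r, d in dkim_sigs)
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return Verdict("pass", "none", "aligned " + ("spf" if spf_ok else "dkim"))
    # Failing mail: the domain itself gets p=, a subdomain in From: gets sp=
    policy = tags["p"] if from_domain.lower() == org_domain(from_domain) else tags["sp"]
    return Verdict("fail", policy, f"no aligned pass; pct={tags['pct']}")


# Constructed records for the three stages of a rollout.
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.co.nz"
PHASED = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.co.nz"
ENFORCE = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.co.nz"


def scenarios() -> dict:
    """Constructed messages claiming to be from example.co.nz."""
    return {
        # Mail platform set up correctly: SPF and DKIM both aligned -> pass
        "m365": evaluate("example.co.nz", ENFORCE, "pass", "example.co.nz",
                         [("pass", "example.co.nz")]),
        # Website form with no DKIM but an aligned envelope sender -> still passes
        "webform": evaluate("example.co.nz", ENFORCE, "pass", "example.co.nz", []),
        # Marketing tool left on vendor defaults: SPF passes for the vendor's bounce
        # domain and DKIM is signed with the vendor's key -> nothing aligns -> reject
        "marketing": evaluate("example.co.nz", ENFORCE, "pass", "bounce.marketingtool.com",
                              [("pass", "marketingtool.com")]),
        # Attacker spoofing the domain from their own server -> reject
        "spoof": evaluate("example.co.nz", ENFORCE, "fail", "attacker.net", []),
        # Same spoof while still in monitoring mode -> delivered, only reported
        "spoof_monitoring": evaluate("example.co.nz", MONITOR, "fail", "attacker.net", []),
        # Payroll portal mailing From: payroll.example.co.nz unauthenticated -> sp= applies
        "payroll_subdomain": evaluate("payroll.example.co.nz", ENFORCE, "none",
                                      "payroll-vendor.com", []),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:18} dmarc={verdict.dmarc:4} disposition={verdict.disposition:10} {verdict.reason}")
```

The “marketing” case is the one that bites organizations that jump straight to p=reject: the vendor’s mail is fully authenticated, just not for your domain, so it is rejected alongside the spoof. To see what your own domain publishes, query the TXT record at `_dmarc.yourdomain` (for example `dig +short TXT _dmarc.example.co.nz`) and feed the result to parse_dmarc.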
The real takeaway: email authentication isn't something you can wait to sort out later
New Zealand’s move isn’t just a policy change. It’s a public, high-confidence statement that email trust should be verifiable, and that spoofing should be stopped by default.
For SMBs, this is a moment worth acting on—before a partner’s stricter filtering breaks your email flow, or before someone uses your domain to scam your customers.
What to do next
- Find out whether you already have DMARC and what policy it’s set to. (Use our free scanning tool if you don't know.)
- Inventory every system that sends email as you (Microsoft 365/Google Workspace, website forms, CRM, invoicing, support desk, marketing tools).
- Fix SPF/DKIM coverage and alignment, then move toward enforcement in phases.
- Aim for p=reject once you’re confident all legitimate sources are authenticated.
To start this process (or to have us do it for you) check out our Email Authentication Management service.
