Just 3% of email domains registered in New Zealand are fully protected against phishing attacks. That’s the finding from new research by EasyDMARC, which reveals a wide gap between the nation’s cybersecurity readiness and the New Zealand government’s newly mandated email authentication requirements.

Under the Secure Government Email Framework, all public sector domains must enforce DMARC at its strictest level—p=reject—by October 2025. DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that verifies whether a message is genuinely from the domain it claims to be. At its highest setting, p=reject, DMARC actively blocks phishing and spoofed emails from ever reaching the inbox.

Despite the looming deadline, EasyDMARC’s analysis of 141,242 domains registered in New Zealand paints a concerning picture:

– Only 24.5% (34,566 domains) have valid DMARC records
– 72.4% of those with DMARC are set to p=none, the weakest policy that merely monitors for threats without taking action
– Just 3.1% (4,327 domains) enforce p=reject, the only setting that truly protects against phishing

Marketing Technology News: MarTech Interview With Frans Vermeulen, President @ Swivel (formerly PilotDesk)

While the mandate currently applies to government domains, its implications are far-reaching. Organisations across the public and private sectors—including vendors, universities, NGOs, and local councils—risk both deliverability issues and increased susceptibility to impersonation if they don’t follow suit.

“Most organisations set up DMARC but don’t enforce it,” said Gerasim Hovhannisyan, CEO of EasyDMARC. “By mandating DMARC at its strictest level, p=reject, New Zealand is leading by example and showing that email security only works when enforcement is taken seriously.”

Marketing Technology News: Story-Driven Martech for B2B: Crafting Emotional Narratives in Data-Heavy Industries

He continued: “Too many organisations stop at ‘p=none’, which creates a false sense of security. Our research shows that only 9.5% of the top 1.8 million global domains have adopted p=reject. That gap between implementation and enforcement is exactly why email remains the #1 attack vector.”

With over 90% of cyberattacks starting via phishing, the urgency is clear—especially as phishing emails grow more sophisticated with the help of AI. “They’re no longer clumsy scams,” Hovhannisyan said. “They’re flawless, targeted, and nearly impossible to detect. The only real defense is blocking them at the source. Email is how governments issue updates, how businesses close deals, and how people reset passwords. If we can’t trust our inboxes, the entire system breaks down. New Zealand’s email security mandate sets a powerful precedent—and puts pressure on the rest of the world to stop treating partial implementation as progress.”

EasyDMARC’s full report offers a detailed snapshot of New Zealand’s current email authentication status and highlights the urgent need for accelerated adoption ahead of the government’s 2025 enforcement deadline.