IT Brief New Zealand - Technology news for CIOs & IT decision-makers

Just 3% of New Zealand domains enforce top anti-phishing policy

Yesterday

Only 3% of New Zealand domains have implemented full protection against phishing, according to new research by EasyDMARC.

EasyDMARC's analysis covered 141,242 domains registered in New Zealand, highlighting a low adoption rate of the strictest email authentication setting known as DMARC at p=reject. DMARC, or Domain-based Message Authentication, Reporting & Conformance, is a protocol designed to verify that emails are legitimately sent by the domain they claim to represent, with the p=reject policy providing the highest available security by blocking unauthorised emails outright.

This scrutiny comes as the government introduces the Secure Government Email Framework, which will require all public sector domains to enforce DMARC at the p=reject setting by October 2025. The requirement targets government domains, but the implications reach across public and private sectors. Non-compliant vendors, councils, NGOs, and universities not only risk delivery failures for legitimate communications, but are also vulnerable to impersonation and phishing incidents.

EasyDMARC's research found that just 24.5% of New Zealand domains have valid DMARC records. Of those, a significant 72.4% use the policy set to none, which only monitors for suspicious activity but does not take any blocking action. Only 3.1%, or 4,327 domains, enforce the p=reject setting, meaning the overwhelming majority of domains are not proactively preventing phishing attacks.
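
An added example (not from EasyDMARC or the article): one way to sort domains by DMARC enforcement level, following the record rules in RFC 7489. The domains and TXT strings are constructed, the function names are hypothetical, and it assumes the TXT lookup at `_dmarc.<domain>` has already been done; organisational-domain fallback and the `sp` tag are not handled.

```python
from collections import Counter

# Constructed sample: TXT strings returned for _dmarc.<domain> (not survey data).
SAMPLE_TXT = {
    "agency.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@agency.example"],
    "council.example": ["v=DMARC1; p=none; rua=mailto:dmarc@council.example"],
    "vendor.example": ["v=DMARC1; p=quarantine; pct=50"],
    "uni.example": ["v=spf1 -all"],                              # SPF, not DMARC
    "ngo.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],   # two records
    "shop.example": ["v=DMARC1; p=rejct; rua=mailto:dmarc@shop.example"],  # typo
    "parked.example": [],
}

def is_dmarc(txt):
    """A DMARC record must begin with the version tag v=DMARC1."""
    return "".join(txt.split(";", 1)[0].split()) == "v=DMARC1"

def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict; the first occurrence of a tag wins."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def classify(txt_strings):
    """Return missing, invalid, none, quarantine or reject (with -partial if pct < 100)."""
    records = [t for t in txt_strings if is_dmarc(t)]
    if not records:
        return "missing"
    if len(records) > 1:
        return "invalid"  # RFC 7489: more than one record means no policy is applied
    tags = parse_tags(records[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        # RFC 7489 section 6.6.3: a bad p= with a usable rua= is treated as p=none.
        # Simplification: "usable" here only means the value starts with mailto:.
        return "none" if tags.get("rua", "").lower().startswith("mailto:") else "invalid"
    if policy != "none" and tags.get("pct", "100") != "100":
        return policy + "-partial"  # policy is applied to only a share of failing mail
    return policy

def survey(txt_by_domain):
    """Tally enforcement levels across a set of domains."""
    return Counter(classify(txts) for txts in txt_by_domain.values())

if __name__ == "__main__":
    for domain, txts in SAMPLE_TXT.items():
        print(f"{domain:18} {classify(txts)}")
    print(dict(survey(SAMPLE_TXT)))
```
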

The findings underscore concerns around email-based cyberattacks in the country. Phishing accounts for more than 90% of all cyberattacks globally, giving urgency to calls for more comprehensive enforcement of DMARC policies.

Gerasim Hovhannisyan, CEO of EasyDMARC, stated:

"Most organisations set up DMARC but don't enforce it. By mandating DMARC at its strictest level, p=reject, New Zealand is leading by example, showing that email security only works when enforcement is taken seriously. Too many organisations stop at 'p=none', the weakest DMARC setting, which merely monitors for fraudulent emails without taking action. This creates a false sense of security while leaving the door wide open to phishing attacks. Our research shows that only 9.5% of the top global 1.8 million domains have reached p=reject – the only DMARC policy that actively blocks spoofed emails.
This gap between adoption and proper enforcement is exactly why email remains the most common attack vector. Today's phishing attacks aren't the clumsy scams we used to see. Thanks to AI, they're now flawless, highly targeted messages that look and feel legitimate. We can't expect employees to spot them in a flood of emails, and relying on outdated filters or passive monitoring just isn't enough. Organisations need a system that blocks unauthorised senders before their message even hits the inbox. By enforcing p=reject, New Zealand has built exactly that system for its public sector. Email is still how governments issue updates, how companies close deals, and how people reset passwords. If we can't trust what's in our inboxes, the whole system falters. New Zealand's new email security mandate sets a clear benchmark, and it puts pressure on others to stop pretending that partial implementation is progress."

The Secure Government Email Framework's upcoming mandate intends to standardise security practice across government entities, but the new research suggests most domains - both public and private - are not yet in line with these requirements. EasyDMARC's data shows significant room for improvement if organisations are to protect email communications and comply with incoming regulations.

With New Zealand's digital economy expanding rapidly, the research points to a gap between policy and practice regarding email security, highlighting ongoing challenges for organisations seeking to protect users and data from phishing attacks.
