The SGE framework provides guidance to New Zealand Government agencies on industry practices for securing external email. This will:

• improve the overall security of external email services within the New Zealand Government
• decrease the likelihood of successful spoofing of domains in phishing attacks
• enable the retirement of the SEEMail (Secure Encrypted Email) service.

Service description

The SGE framework is a standards-based email configuration that provides confidentiality, authentication, integrity and non-repudiation for emails between agencies and external partners. This is achieved through Domain Naming System (DNS) security controls, such as:

• Domain-based Message Authentication, Reporting and Conformance (DMARC)
• Domain Keys Identified Mail (DKIM)
• Sender Policy Framework (SPF)
• Message Transfer Agent Strict Transport Security (MTA-STS).

This is also achieved through appropriate Data-Loss Prevention (DLP) settings and email connectors.

How to implement SGE

To implement SGE, participating agencies need to use the DNS standards and email settings listed in the detailed guidance.

Technical assistance and managed-DMARC reporting services

These can be sourced from an approved Marketplace provider in the Infrastructure Managed Services catalogue which is part of the Managed Services channel. These are recently established services and the first suppliers are still in the process of applying to offer this service.

Infrastructure Managed Services catalogue — Marketplace.govt.nz

SEEMail to be decommissioned in 2026

The legacy solution for secure email for government used a proprietary, gateway-based solution called SEEMail. This solution can run in parallel with the SGE framework but is intended to be decommissioned in 2026. SGE is based on open standards and can be applied by any agencies, not just those who have been part of SEEMail.

Restricted Group

Agencies who communicate by email at the RESTRICTED or SENSITIVE level

These agencies must confirm that their ICT services and infrastructure are formally certified and accredited in writing to RESTRICTED. This must be done by either their Chief Information Officer (CIO) or Chief Information Security Officer (CISO). Relevant ICT services and infrastructure include:

• mail gateways
• servers
• storage
• accessing (user) devices
• communications between these systems.

An agency’s request to be part of the Restricted group needs to be endorsed by the Secure Government Email Working Group — formerly the SEEMail Security Working Group. This is a cross-agency group of representatives providing technical oversight to the SGE framework.

The SGE framework includes additional security controls in the form of mail connectors that are required for exchanging RESTRICTED or SENSITIVE information. Other agencies should block information tagged at this level.

SGE Common Implementation Framework (PDF 520KB)

Benefits of SGE

For agencies who implement SGE, this will ensure:

• all traffic between agencies is secured
• no one outside the sending agency can read or alter messages
• confirmation that email is from the sending agency
• spoofing of your domain is detected easily by the receiving party.

Lead agency

Government Chief Digital Office, Department of Internal Affairs | Te Tari Taiwhenua

Responsibilities of the lead agency

• Oversee the continued development of the SGE standards in conjunction with the Email Security Working Group.
• Monitor the public facing SGE configuration information of agencies who were SEEMail members.
• Report any exceptions detected to the SEEMail member agency concerned.

Status

Operational

More information

For more information about implementing SGE, email sge@dia.govt.nz.