Half of Australian government agencies lack top email security
Half of Australian government organisations have not implemented the strongest recommended email security measures, leaving public sector data and communications exposed to risks of email fraud and cyberattacks.
DMARC adoption rates
Research conducted by cybersecurity firm Proofpoint reveals that only 50% of Australian government bodies have implemented the 'reject' policy level of Domain-based Message Authentication, Reporting and Conformance (DMARC), which is the highest level of email authentication protection available. A further 35% of government organisations have set their DMARC policy to 'quarantine,' which results in suspicious emails being sent to a spam folder, while 14% have opted for a 'monitor' policy, which simply tracks DMARC activity without taking proactive action against potentially fraudulent emails. The remaining 1% of entities have not implemented DMARC at all.
DMARC is an email authentication protocol designed to protect organisations from email spoofing, which is often used in phishing or business email compromise attacks. Only when set to the 'reject' policy does DMARC actively prevent suspicious emails from reaching recipients' inboxes.
Scope of the research
The findings are based on data collected in June 2025 from 155 primary bodies listed on the Australian Government Organisations Register. These include departments such as Defence, Home Affairs, Foreign Affairs and Trade, Education, Social Services, and others. Many of these agencies are responsible for large volumes of sensitive data relating to national security and the Australian population.
Proofpoint's research comes shortly after other reports indicating shortfalls in government cybersecurity maturity, including the recent New South Wales Audit, which highlighted that agencies met just 31% of cyber requirements, and that nearly 30% of local council staff lacked basic cyber awareness training.
Email remains a significant threat vector
Email continues to be the predominant channel for the delivery of cyberattacks, particularly through phishing and impersonation schemes. DMARC, when fully configured, adds a layer of security by verifying sender identities and preventing unauthorised use of government domains. Most government entities in Australia have adopted some form of DMARC, but only half are using it at the recommended protection level.
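The four categories used above (reject, quarantine, monitor, none) map directly onto the `p=` tag of the DMARC TXT record published at `_dmarc.<domain>`. The following is an added example, not Proofpoint's tooling or any code from the report: it parses DMARC records, classifies each domain into the article's four levels, and also flags the caveat a practitioner checks for, namely that a `pct=` value below 100 means some failing mail receives the next-weaker disposition (RFC 7489 §6.6.4), so a declared `p=reject` can still let spoofed mail through. The domain names and records are constructed sample data, and the function names are this example's own.

```python
"""Classify DMARC records by enforcement level (added example, not Proofpoint's code)."""
from collections import Counter
from typing import Dict, List, Optional

# The article's four categories, in descending order of protection.
POLICY_LEVELS = ("reject", "quarantine", "monitor", "none")

# Per RFC 7489 s6.6.4, mail not selected by pct gets the next-weaker treatment.
STEP_DOWN = {"reject": "quarantine", "quarantine": "none", "none": "none"}

# Constructed sample data: what a DNS TXT lookup of _dmarc.<domain> might return.
# None models "no DMARC record published at all".
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "agency-a.gov.au": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.gov.au",
    "agency-b.gov.au": "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s",
    "agency-c.gov.au": "V=DMARC1; P=Reject",              # tag names are case-insensitive
    "agency-d.gov.au": "v=DMARC1;p=reject;sp=quarantine",  # whitespace after ';' is optional
    "agency-e.gov.au": "v=DMARC1; p=reject; pct=50",       # only half of failures rejected
    "agency-f.gov.au": "v=DMARC1; p=quarantine; rua=mailto:dmarc@agency-f.gov.au",
    "agency-g.gov.au": "v=DMARC1; p=quarantine; pct=0",    # quarantine applied to nothing
    "agency-h.gov.au": "v=DMARC1; p=none; rua=mailto:dmarc@agency-h.gov.au",
    "agency-i.gov.au": "v=spf1 include:_spf.example.net -all",  # SPF text, not DMARC
    "agency-j.gov.au": None,
}


def parse_dmarc(record: Optional[str]) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into a lower-cased tag dict.

    Returns {} for a missing record or one that does not start with v=DMARC1.
    Tag names are lower-cased; values are kept as written.
    """
    if not record:
        return {}
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def _pct(tags: Dict[str, str]) -> int:
    """pct= tag as an int in 0..100; missing or malformed values are treated as 100 (simplification)."""
    try:
        return max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        return 100


def classify(record: Optional[str]) -> str:
    """Map a record to the article's categories using the declared p= tag.

    p=none is the article's 'monitor' (reports only, no action); a missing,
    non-DMARC or malformed record is 'none'.
    """
    policy = parse_dmarc(record).get("p", "").lower()
    if policy == "none":
        return "monitor"
    if policy in ("reject", "quarantine"):
        return policy
    return "none"


def weakest_disposition(record: Optional[str]) -> str:
    """Treatment the least-protected share of failing mail actually receives.

    With pct < 100 the unselected share steps down one level, so
    'p=reject; pct=50' is effectively quarantine for half of spoofed mail.
    """
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy not in ("reject", "quarantine", "none"):
        return "none"
    return policy if _pct(tags) >= 100 else STEP_DOWN[policy]


def summarise(domains: Dict[str, Optional[str]]) -> Dict[str, float]:
    """Percentage of domains at each declared level, in the article's breakdown format."""
    counts = Counter(classify(rec) for rec in domains.values())
    total = len(domains)
    return {level: round(100.0 * counts[level] / total, 1) for level in POLICY_LEVELS}


def not_fully_enforcing(domains: Dict[str, Optional[str]]) -> List[str]:
    """Domains where some failing mail is not rejected, including partial pct= enforcement."""
    return sorted(d for d, rec in domains.items() if weakest_disposition(rec) != "reject")


if __name__ == "__main__":
    for level, share in summarise(SAMPLE_RECORDS).items():
        print(f"{level:>10}: {share:5.1f}%")
    print("below full enforcement:", ", ".join(not_fully_enforcing(SAMPLE_RECORDS)))
```

In practice the record strings come from a TXT lookup of `_dmarc.<domain>`; the parser above takes the string so it can be exercised offline. Note that `agency-e.gov.au` counts as "reject" in the headline breakdown yet appears in the under-enforcing list: a declared-policy survey such as the one reported here says nothing about `pct=`, so a domain's own audit should check both.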
"Government entities are prime targets for cyber adversaries, especially foreign Advanced Persistent Threats (APT), so this vital gap in cybersecurity measures is surprising and alarming amidst recent large-scale breaches in Australia," warns Steve Moros, Senior Director, Advanced Technology Group, Asia Pacific and Japan at Proofpoint. "While it's encouraging to see half of Australian Government bodies employing the highest level of DMARC protection, it is concerning to see 50% failing to strengthen their defences against email-based threats. Government IT is often criticised for lagging behind other sectors in things like digital transformation and integration; however, given the and the increasingly complex geopolitical situation, getting the basics of cybersecurity right must be a top priority to protect government data, and the Australian public."
The Australian Security Intelligence Organisation's (ASIO) most recent Annual Threat Assessment echoed these concerns, reporting that Australian infrastructure has been routinely targeted by cyber threat actors over the past year, with cyber-enabled sabotage considered a more acute risk than traditional physical security threats.
International comparisons
Steve Moros highlighted policy developments in neighbouring countries, pointing to New Zealand's planned mandate for DMARC enforcement across all government domains from October under its Secure Government Email Framework. Moros suggested a similar approach in Australia could improve consistency and help safeguard sensitive information held by government entities.
"We're seeing a decisive move in this direction across the pond, where the New Zealand government is mandating DMARC enforcement for all government domains under its Secure Government Email (SGE) Framework. Due to come into force in October it will ensure a consistent, high level of email authentication, directly countering impersonation and phishing threats. Australia should strongly consider emulating this approach to ensure government entities can significantly reduce their attack surface, safeguard sensitive information, and maintain public trust," explains Steve Moros.
Proofpoint's analysis demonstrates the importance of consistent and comprehensive adoption of DMARC protection to counter the evolving nature of email-based threats. The company recommends that government agencies check the validity of all email communications, remain vigilant for fraudulent messages impersonating staff or partners, and implement phishing-resistant multi-factor authentication methods such as passkeys.
The full breakdown from Proofpoint's review of 155 government organisations is as follows: 50% have a DMARC reject policy, 35% are set to quarantine, 14% monitor only, and 1% have not set up DMARC, potentially leaving a gap for would-be attackers.