Half of government agencies falling short on email security measures: report

Proofpoint Inc.

Monday, 28 July, 2025


Cybersecurity and compliance company Proofpoint has found that 50% of Australian Government bodies are lagging on basic email cybersecurity measures, subjecting the Australian public, government workers, professionals and other stakeholders to higher risk of email fraud.

These new findings are based on a Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis of 155 primary bodies in the Australian Government spanning the likes of Defence; Home Affairs; Foreign Affairs and Trade; Education; Employee and Workplace Relations; Social Services; Climate Change, Energy, the Environment and Water; Treasury; and Finance. Many of these bodies hold substantial data on the Australian population, plus vital information related to Australia’s security.

DMARC is an email validation protocol designed to protect domain names from being misused by cybercriminals, authenticating senders’ identities before allowing a message to reach its intended destination. It has three levels of protection — monitor, quarantine and reject, with reject being the most secure for preventing suspicious emails from ever reaching an inbox.

The latest study reveals that while 99% of Australian Government bodies use some form of DMARC protection, only half of them have deployed the strongest ‘reject’ policy. Alarmingly, 1% of Australian Government bodies do not have any DMARC record at all, leaving them wide open to email fraud and domain-spoofing attacks.
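The levels described above map to the p= tag of the TXT record a domain publishes at _dmarc.<domain> (monitor is p=none). The following is an added example, not code from Proofpoint or a description of its methodology, showing how a defender could classify records that have already been looked up; the domains, records, function names and the "partial" label are constructed for illustration.

```python
# Added example: classify DMARC TXT records by enforcement level.
# All domains and records below are constructed sample data.

POLICY_LEVEL = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}


def parse_tags(record):
    """Split 'v=DMARC1; p=reject; pct=50' into a dict keyed by lower-cased tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def classify(txt_records):
    """Map the TXT strings found at _dmarc.<domain> to a protection level."""
    # Only records whose first tag is exactly v=DMARC1 count as DMARC records.
    dmarc = [r for r in txt_records
             if r.split(";")[0].replace(" ", "") == "v=DMARC1"]
    if not dmarc:
        return "no record"
    if len(dmarc) > 1:
        return "invalid"  # RFC 7489: with more than one record, none is applied
    tags = parse_tags(dmarc[0])
    level = POLICY_LEVEL.get(tags.get("p", "").lower())
    if level is None:
        return "invalid"  # missing or unrecognised p= tag (simplified handling)
    # pct below 100 applies the policy to only a share of failing mail,
    # so the domain is not yet fully enforcing that level.
    pct = tags.get("pct", "100")
    if level != "monitor" and pct.isdigit() and int(pct) < 100:
        return level + " (partial)"
    return level


SAMPLES = {  # constructed records, keyed by placeholder domain
    "agency-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example"],
    "agency-b.example": ["v=DMARC1; p=quarantine; pct=25"],
    "agency-c.example": ["v=spf1 -all", "v=DMARC1; p=none"],
    "agency-d.example": ["v=spf1 include:_spf.example -all"],
    "agency-e.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(f"{domain:20} {classify(records)}")
```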

The analysis follows ASIO’s 2025 Annual Threat Assessment, which reports that Australian infrastructure has been routinely targeted by threat actors throughout the past year, with predictions that cyber-enabled sabotage presents an acute concern for Australia, outweighing traditional physical threats. This urgency is underscored by a recent NSW Audit, which found that 27 government agencies in the state reported 152 ‘significant’ cyber threats in 2024, and alarmingly, nearly 30% of local council staff are lacking basic cyber awareness training.

“Government entities are prime targets for cyber adversaries, so this vital gap in cybersecurity measures is surprising and alarming amidst recent large-scale breaches in Australia,” said Steve Moros, Senior Director, Advanced Technology Group, Asia Pacific and Japan at Proofpoint. “While it’s encouraging to see half of Australian Government bodies employing the highest level of DMARC protection, it is concerning to see 50% are still failing to strengthen their defences against email-based threats. Given the increasingly complex threat landscape and geopolitical situation, getting the basics of cybersecurity right must be a top priority to protect government data and the Australian public, and therefore making decisions to implement proven technologies are fundamental steps to improve cyber posture.”

Email remains a primary vector for cyber attacks, with phishing and impersonation schemes constantly evolving. DMARC authentication detects and prevents email spoofing techniques used in phishing, business email compromise (BEC) and other email-based attacks. DMARC, when fully implemented, provides a critical layer of defence by ensuring that only legitimate emails from an organisation’s domain reach their intended recipients. DMARC stands as the only widely deployed technology that makes the sender’s ‘From’ address trustworthy in email communications.

“We’re seeing a decisive move in this direction across the pond, where the New Zealand Government is mandating DMARC enforcement for all government domains under its Secure Government Email (SGE) Framework,” Moros said. “Due to come into force in October, it will ensure a consistent, high level of email authentication, directly countering impersonation and phishing threats that are increasing at scale and sophistication.”

The analysis was conducted in June 2025 using data from 155 primary bodies on the Australian Government Organisations Register.



  • All content Copyright © 2025 Westwick-Farrow Pty Ltd