Government agencies lacking top-tier email security

Half of all government agencies are at risk of email cyber attacks. | Photo: Saifulasmee Chede (iStock)

Many of Australia’s government agencies are lacking adequate security on their email systems.

An audit by cybersecurity and compliance company Proofpoint found 50 percent were lagging on basic cybersecurity measures, putting the public, government workers, professionals, and other stakeholders at a higher risk of email fraud.

Proofpoint Advanced Technology Group, Asia Pacific and Japan Senior Director Steve Moros said a Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis was conducted on 155 primary bodies across the Australian government spanning the likes of Defence, Home Affairs, Foreign Affairs and Trade, Education, Employment and Workplace Relations, Social Services, Climate Change, Energy, the Environment and Water, Treasury, and Finance.

Mr Moros said many of these bodies held substantial data on the Australian population, plus vital information related to Australia’s security.

“DMARC is an email validation protocol designed to protect domain names from being misused by cyber criminals, authenticating senders’ identities before allowing a message to reach its intended destination,” he said.

“It has three levels of protection – monitor, quarantine, and reject, with reject being the most secure for preventing suspicious emails from ever reaching an inbox.”

Mr Moros said the latest study revealed that while 99 percent of Australian government bodies used some form of DMARC protection, only half of them deployed the strongest ‘Reject’ policy.

“Alarmingly, 1 percent of Australian government bodies do not have any DMARC record at all, leaving them wide open to email fraud and domain spoofing attacks.”

He said the analysis followed ASIO’s 2025 Annual Threat Assessment which reported Australian infrastructure had been routinely targeted by threat actors throughout the past year, with predictions that cyber-enabled sabotage presented an acute concern for Australia, outweighing traditional physical threats.

“Government entities are prime targets for cyber adversaries, so this vital gap in cybersecurity measures is surprising and alarming amidst recent large-scale breaches in Australia.”

Mr Moros said the full findings of Proofpoint’s DMARC analysis of Australia’s government agencies showed:

  • 50 percent of entities had implemented the highest DMARC protection level: Reject.
  • 35 percent had a Quarantine policy, meaning suspicious emails were sent to a spam folder.
  • 14 percent had a Monitor policy, which only tracks DMARC activity without blocking or quarantining emails.
  • 1 percent had no DMARC record at all.
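The four categories in the findings above can be checked for any domain by reading its DMARC TXT record. The following is an added example, not Proofpoint’s audit tooling: it classifies a record as Reject, Quarantine, Monitor or No record, flags settings (pct, sp, missing rua) that make an enforcement policy weaker than its p= tag suggests, and tallies the percentages; the sample records and domain names are constructed.

```python
from collections import Counter

VALID = {"reject": "Reject", "quarantine": "Quarantine", "none": "Monitor"}
RANK = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(record):
    # Split "v=DMARC1; p=reject; ..." into a tag dict; None if not a DMARC record.
    if record is None:
        return None
    parts = [p.strip() for p in record.split(";") if "=" in p]
    tags = {k.strip().lower(): v.strip() for k, v in (p.split("=", 1) for p in parts)}
    # RFC 7489: the v tag must come first and must be exactly DMARC1.
    if not parts or not parts[0].lower().startswith("v=") or tags.get("v", "").upper() != "DMARC1":
        return None
    return tags

def classify(record):
    # Audit category for one domain: Reject, Quarantine, Monitor or No record.
    tags = parse_dmarc(record)
    if tags is None:
        return "No record"
    policy = tags.get("p", "").lower()
    if policy in VALID:
        return VALID[policy]
    # RFC 7489 s6.6.3: an invalid or missing p tag counts as p=none only if a
    # rua reporting address is present; otherwise receivers ignore the record.
    return "Monitor" if "rua" in tags else "No record"

def weaknesses(record):
    # Settings that weaken an enforcement policy beyond what p= alone shows.
    tags = parse_dmarc(record) or {}
    policy = tags.get("p", "none").lower()
    sub = tags.get("sp", policy).lower()          # sp defaults to p
    pct = int(tags.get("pct", "100"))             # share of failing mail policed
    found = []
    if policy != "none" and pct < 100:
        found.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if RANK.get(sub, 0) < RANK.get(policy, 0):
        found.append(f"sp={sub}: subdomains weaker than p={policy}")
    if "rua" not in tags:
        found.append("no rua: no aggregate reports, spoofing attempts go unseen")
    return found

def audit(records):
    # Percentage of domains per category, the same breakdown as the findings.
    counts = Counter(classify(r) for r in records.values())
    return {cat: round(100 * n / len(records), 1) for cat, n in counts.items()}

SAMPLE = {  # constructed sample records for hypothetical domains, not real agencies
    "agency-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example",
    "agency-b.example": "v=DMARC1; p=quarantine; pct=50; sp=none",
    "agency-c.example": "v=DMARC1; p=none; rua=mailto:reports@agency-c.example",
    "agency-d.example": None,
}
```

In a live audit the record comes from a DNS TXT query for `_dmarc.<domain>`; `classify` and `weaknesses` then apply unchanged to the returned string.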

He said best practices for enhanced email security were:

  • Check the validity of all email communication and be aware of potentially fraudulent emails impersonating colleagues, suppliers, and stakeholders.
  • Be cautious of any communication attempts that request log-in credentials or threaten to suspend service or an account if a link isn’t clicked.
  • Adopt phishing-resistant multifactor authentication, such as passkeys.