50% of Australian Government Agencies Are Missing Essential Email Security Measures
Research conducted by cybersecurity firm Proofpoint reveals that half of Australian government organisations have not implemented the strongest recommended email security measures, leaving public sector data and communications vulnerable to email fraud and cyberattacks. Only 50% of these entities have adopted the ‘reject’ policy level of Domain-based Message Authentication, Reporting and Conformance (DMARC), which is the highest level of email authentication protection available. An additional 35% have set their DMARC policy to ‘quarantine,’ directing suspicious emails to spam folders, while 14% have chosen a ‘monitor’ policy that merely tracks DMARC activity without taking proactive measures against potentially fraudulent emails. The remaining 1% of organisations have not implemented DMARC at all, exposing them to significant risks.
The findings are based on data collected in June 2025 from 155 primary bodies listed on the Australian Government Organisations Register, including departments such as Defence, Home Affairs, Foreign Affairs and Trade, Education, and Social Services. Many of these agencies handle large volumes of sensitive data related to national security and the Australian population. Proofpoint’s research follows other reports indicating deficiencies in government cybersecurity maturity, such as the recent New South Wales Audit, which revealed that agencies met only 31% of cyber requirements and that nearly 30% of local council staff lacked basic cyber awareness training. Email remains a significant threat vector, as it is the primary channel for cyberattacks, particularly through phishing and impersonation schemes.
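The policy levels described above correspond to the `p=` tag of the TXT record an organisation publishes at `_dmarc.<domain>`, where the 'monitor' level is `p=none`. As an added example (not part of the original article or of Proofpoint's research), this Python sketch sorts records into the same four buckets; the domains and records are constructed samples, and duplicate or malformed records are handled as RFC 7489 describes, with the `rua` check simplified to a `mailto:` prefix.

```python
from collections import Counter

# DMARC p= values mapped to the labels used in the article.
LEVELS = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}

def parse_dmarc(txt):
    """Return the tag dict of one TXT string, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:  # skip fragments that are not tag=value
            tags.setdefault(name.strip().lower(), value.strip())
    # RFC 7489: v=DMARC1 must be the first tag, matched exactly.
    first = parts[0].partition("=")[0].strip().lower() if parts else ""
    if first != "v" or tags.get("v") != "DMARC1":
        return None
    return tags

def classify(txt_records):
    """Map the TXT strings found at _dmarc.<domain> to one of the four buckets."""
    records = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(records) != 1:  # no record, or several: receivers apply no DMARC
        return "no DMARC"
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy in LEVELS:
        return LEVELS[policy]
    # Missing or invalid p=: treated as p=none only when reports are requested.
    if tags.get("rua", "").lower().startswith("mailto:"):
        return "monitor"
    return "no DMARC"

def tally(zone):
    """Count domains per bucket; zone maps domain -> list of TXT strings."""
    return Counter(classify(txts) for txts in zone.values())

# Constructed sample data, not survey results.
SAMPLE = {
    "agency-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example"],
    "agency-b.example": ["v=DMARC1; p=quarantine; pct=100"],
    "agency-c.example": ["v=DMARC1; p=none; rua=mailto:dmarc@agency-c.example"],
    "agency-d.example": ["v=spf1 -all"],                       # SPF only, no DMARC
    "agency-e.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # duplicate
    "agency-f.example": ["v=DMARC1; p=rejct; rua=mailto:dmarc@agency-f.example"],
}

if __name__ == "__main__":
    for domain, txts in SAMPLE.items():
        print(f"{domain:20} {classify(txts)}")
    print(dict(tally(SAMPLE)))
```

The last two sample domains show why a published record is not the same as enforcement: a duplicate record disables DMARC evaluation entirely, and a typo in `p=reject` silently degrades to monitoring.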