Skip to content.
|Networking government in New Zealand.
You are here: Home » Services » SecureMail (SecMX) » SecureMail -Business

SecureMail -Business

Providing a means for people and government agencies to exchange information electronically.

Information for Businesses

To print the information on this page, download the file: PDF [188 KB] or Word [504 KB].

Government is encouraging the deployment of SecureMail by businesses so that agencies can securely exchange messages with them.

For a business, the value proposition for providing SecureMail is anticipated to be:

Convenience: SecureMail will be an easier way for government, people and business to send a message, where previously they have used letters and other channels because of security concerns. Some message types that are expected to use SecureMail include:

  • Adhoc messages from customers, such as enquiries for personal information;
  • Notifications to customers, such as statements or personalised promotions; and
  • Transactional messages, as part of a process, such as interaction with a supplier: purchase orders - invoices - remittance advices - receipt.

Automation of tasks: SecureMail will help enable the development of new transactional applications. Processing of structured messages (such as invoices) can be integrated with business applications, potentially reducing the time staff spend on routine tasks.

Improved service for customers: SecureMail offers several opportunities for a business to improve service:

  • There is an increasing volume of messages with faked FROM: addresses generated by spammers or automated viruses. SecureMail provides a high level of assurance that the FROM: address has not been faked, meaning filters and automated rules can be applied in highly effective ways. A business will be able to prioritise authenticated SecureMail messages over the rest, where appropriate.
  • A business will be able to assure its customers that messages are being sent and received with greater security than normal Internet email.

SecureMail system

The diagram below demonstrates how the SecureMail system will work for a business. For simplicity, multiple instances of each organisation are not shown.

On the left, it shows a large business using its own Gateway to send/receive SecureMail messages to the Internet. Other technical configurations for small and medium businesses are represented on the right of the diagram.

On the right, the diagram shows three types of receivers:
On the top right, a Gateway Service Provider provides a Gateway to a Mail Service Provider, who in turn provides mail store services to lots of people and small organisations. In addition, the Gateway Service Provider offers a gateway service to medium organisations with their own mail store.

On the bottom right, a Gateway/Mail Service Provider provides their own Gateway and mail store services to many people and small businesses.

On the middle right, the diagram also shows how a large organisation can use its own Gateway to send/receive secure messages over the Internet, without any service provider intervention.

One configuration option for SecureMail is to only have a single government Service Provider. Effectively, this option would require the establishment of a centralised all-of-government webmail service. This option is not currently being considered, but is included for completeness.

securemail for businesses diagram

SecureMail deployment - an overview

Before deploying SecureMail, a business will need to consider:

  • Business and legal topics: There will be legal and business topics to consider from a business’s use of SecureMail for communicating with government, businesses and people.
  • Business processes: A business’s existing processes may need to be re-designed to work with SecureMail.
    • Technical architecture: A business’s existing technical architecture may need to be reconfigured to work with SecureMail.

To use SecureMail, a business will need to organise access, by installing its own Gateway, contracting the service from a Gateway Service Provider or obtaining a SecureMail mailbox from a Mail Service Provider.

Option 1: Own Gateway: A business requiring its own Gateway will need to:

  • Acquire a Gateway: Select, install and test an accredited SecureMail Gateway. Gateways can be acquired from SecureMail accredited vendors. Once installed, the Gateway must pass site certification tests. Gateways also need to perform regular automated testing and to be upgraded in a timely fashion, as amendments to the SecureMail requirements are notified;
  • Join SecureMail: A business will need to sign the SecureMail Membership Agreement. This Agreement sets out the terms that apply to using SecureMail, such as complying with the SecureMail requirements;

Option 2: Contracted Gateway: A business can use the service of a Gateway Service Provider. The Gateway Service Provider will impose SecureMail requirements for security and interoperability on the business.

Option 3: Obtaining a SecureMail mailbox: A business can obtain a SecureMail mailbox from an accredited SecureMail service provider. Note: Many businesses may have an ISP that is an accredited SecureMail service provider, in which case, their ISP may be able to upgrade their mailbox to a SecureMail mailbox.

To deploy SecureMail, a business willl need to:

  • Comply with SecureMail requirements: Be responsible for maintaining security and interoperability in accordance with the SecureMail Membership Agreement or those terms that their Service Provider imposes on them.
  • Impose SecureMail requirements: Impose applicable SecureMail requirements on employees and contractors, and ensure relevant security matters are reported and actioned.

To operate SecureMail, a business will need to:

  • Continue to comply with SecureMail requirements: Continue to maintain security and interoperability in accordance with the SecureMail Membership Agreement or those terms that their Service Provider imposes on them. Where a business has its own Gateway, deploying SecureMail will also place an obligation on a business to undertake regular testing of their Gateway and to upgrade their Gateway in a timely fashion, as amendments to the SecureMail requirements are notified.

Business topics to consider

Before deploying SecureMail a business will need to consider how SecureMail will impact on its business processes. Some of the topics that need to be considered are outlined below. The topics fall into three categories:

  • Topics related to using SecureMail for dealing with customers;
  • Topics related to having a SecureMail gateway; and
  • Topics related to providing SecureMail for personal use, to staff and contractors.

Dealing with Customers

Verify SecureMail address: Existing customers who wish to use SecureMail to communicate with a business will have to go through a process to change their contact information (from a postal address, to an email address).

A business may require the mailbox holder to identify him or herself to a level sufficient for a particular type of transaction to be carried out, such as providing a form of photo ID. The mailbox holder’s Mail Service Provider might choose to provide a service to simplify this process.

Customer accountability: SecureMail does not identify the person who sent the email – it authenticates the FROM: address. Some customers may share a SecureMail email address.

In some cases, depending on the nature of the transaction, a business may require the customer to acknowledge they are the only person using the mailbox (ie it is not a mailbox to which other people have access). The customer’s Mail Service Provider might choose to provide a service to simplify this process.

A business may require strong authentication to give a higher assurance of accountability - such a business will have to assist customers who require this.

Staff obligations: Staff are responsible for all authorised use of a SecureMail mailbox. It is important to safeguard access to the mailbox and do not share it. If the SecureMail mailbox is used for high value or high-risk transactions, then a more secure form of authentication, other than username/password, may be necessary.

Value added services: A business is free to develop value-added services as they see fit. Such services must not compromise SecureMail. In some situations, such as developing structured message formats, then a business will be encouraged to develop standards for the whole of New Zealand.

Service level expectations: The Internet has raised service level expectations about messages. Customer expectations need to be carefully managed to ensure realistic targets for things such as response times. A business may need a quality assurance process to ensure consistent style and content in communications sent via paper mail, and those sent via SecureMail.

Because people and business may find it easier to send emails than to write letters, the volume of correspondence may grow. This growth may highlight or exacerbate problems with existing business processes or infrastructure.

Prioritisation of SecureMail: A business may prioritise SecureMail messages (which are likely to have a very low junk email ratio because of the authentication of the sender’s email address) over non-SecureMail messages, to deal with the increasing volume junk mail.

Education: A business will need to consider what extra information and support its staff and customers need to use this new technology. For instance, it may have to advise its customers not to access SecureMail through insecure public access points, unless they can use a more secure form of strong authentication.

Delivery receipt: SecureMail will return a delivery receipt if requested. This indicates the message has been successfully delivered, unlocked and verified by the organisation responsible for handling the receiver’s messages. This feature is not a read receipt – for an important transaction, the business may have to request an acknowledgement from the receiver, that the message has come to the recipient’s attention.


Having a Gateway

Contact information: A business will need generic contact information, kept up-to-date with the SecureMail administrator. This information cannot contain personally identifiable information, but rather < securemailadmin@business.co.nz > and a phone number.

Gateway obligations: A business running their own Gateway will be expected to maintain compliance with the SecureMail interoperability and security requirements.

They will require staff with experience in the operational issues that arise if message encryption fails. For example, if a Gateway fails, then until a new Gateway is implemented, all the arriving encrypted messages cannot be delivered. A significant upstream queuing facility may be required to store incoming messages. If the agency’s decryption key is lost, then messages are useless – there must be a robust process to ensure the key is backed up securely and available in a timely fashion when required.

Sovreignty: A business must ensure SecureMail messages from government are protected for the public interest and to preserve personal privacy. To ensure New Zealand laws protect such SecureMail messages, a business will not be able to use facilities outside of New Zealand to handle SecureMail, i.e. a business is only allowed to store such messages in New Zealand and send those messages over the New Zealand part of the Internet.

Mail server obligations: A business must ensure that any SecureMail message it sends, has an authenticated FROM: address and can be linked to an accountable sender.

SecureMail has minimum standards for authentication. A business must support username/password access to a mailbox.

Online authentication: It is expected that any authentication mechanism used within SecureMail will be consistent with the Best Practice Framework for Authentication.


Personal Use

Personal use: A business will need to determine how its employees and contractors will use SecureMail. For example, a business may allow SecureMail for personal use. In such situations, it is recommended a separate mailbox/email address be used e.g. myname@personaluse.business.co.nz AND that information be categorised with [PERSONAL].


Each business will need to make its own evaluation of the business issues around using SecureMail.


Legal topics to consider

Before deploying SecureMail a business will need to consider how SecureMail will impact on it from a legal perspective. Some of the legal topics that need to be considered are outlined below.

Electronic transactions: A business will need to:

  • obtain consent from its customers for communications involving legal requirements that are subject to the Electronic Transactions Act;
  • determine the time at which the business and the addressee legally receive SecureMail messages; and
  • if SecureMail messages are used to meet existing legal requirements, assess how to achieve this purpose.

Privacy: As with any communication, SecureMail messages and associated information, such as operation logs, will be subject to Privacy Act obligations.

Crimes: If an interception, copying, accessing or interference offence is committed in relation to SecureMail messages or the associated SecureMail environment, a business should take appropriate action.

Human rights: A business that deploys SecureMail must continue to provide alternative communication channels.

Employee/Contractors: A business must ensure that obligations are imposed on employees and contractors through agreements. Some topics to consider include ensuring that they:

  • are not permitted to use SecureMail for unlawful purposes; and
  • understand whether they are allowed to use SecureMail for personal purposes.

A business needs to make its own evaluation of the legal issues around using SecureMail.


Back to top