Skip to main content

Secure Encrypted Email

Secure Encrypted Email (SEEMail) secures email traffic between participating New Zealand public sector agencies. It protects information classified as IN-CONFIDENCE, SENSITIVE or RESTRICTED.

Service description

SEEMail is used by public sector agencies who need secure, encrypted communication.

The SEEMail system is a gateway-to-gateway email service that provides confidentiality, authentication, integrity and non-repudiation for emails between participating agencies and Trusted Partners. This is achieved through signing and encrypting email messages at the SEEMail email gateway and not at the end device such as a user’s PC, laptop or mobile.

How to implement SEEMail

To implement SEEMail, participating agencies need to consume both SEEMail Gateway and SEEMail Public Key Infrastructure (PKI) services. The 2 services work in conjunction with each other, with the SEEMail PKI service delivering the digital certificates needed for the SEEMail Gateways to function.

SEEMail Gateway services can be sourced from an approved SEEMail Gateway provider. SEEMail Gateway providers can be found in the Telecommunications as a Service (TaaS) catalogue.

Only a single provider can provide SEEMail PKI services. Cogito has been contracted by the Department of Internal Affairs (DIA) to be the single provider of SEEMail PKI services, under a TaaS construct. Participating agencies must sign up to Cogito’s SEEMail PKI services as a TaaS service.

The Liverton Security ‘SMARTS’ service provides compliance testing to confirm SEEMail Gateway services are operating to the required SEEMail design standards. This service is procured by the Lead Agency on behalf of all agencies to deliver this required level of ongoing assurance.

SeeMail membership

There are 2 types of SEEMail membership — Standard Group and Restricted Group.

Standard Group

Any SEEMail agency can apply to be a part of the Standard Group. This for agencies who communicate material up to an IN CONFIDENCE level.

Restricted Group

This is for agencies who communicate material at the RESTRICTED/SENSITIVE level and below. To be a part of the Restricted Group, an agency must confirm that their ICT services and infrastructure, including mail gateways, servers, storage, accessing (user) devices, and the communications between these systems, are formally certified and accredited in writing to RESTRICTED by either their CIO/CISO.

An agency’s request to be part of the Restricted Group needs to be endorsed by the SEEMail Security Working Group.


Participating SEEMail agencies utilise SEEMail gateways to sign and encrypt messages using Secure/Multipurpose Internet Mail Extension (S/MIME).

The SEEMail PKI service is used to generate the digital certificates required for the SEEMail Gateway services to function. A secure SEEMail PKI portal provides access for agencies to generate new certificates, replace expiring certificates and revoke unrequired certificates.

The certificates generated by the SEEMail PKI service are used by SEEMail Gateways to digitally sign and encrypt outbound emails and to decrypt and verify signatures for inbound emails.

This ensures:

  • confidentiality through encryption — the email cannot be read in transit
  • integrity — ensuring, through signature verification, that the message has remained unchanged in transit
  • authenticity — through verification of the sender and content
  • non-repudiation — through verification of the signature.

The SMARTS testing service runs, at a minimum, monthly and on demand. It carries out a comprehensive suite of compliance tests on each SEEMail Gateway to confirm that the gateway is operating to the published SEEMail technical standards.


For participating agencies SEEMail ensures:

  • all SEEMail traffic between agencies is secured
  • no one outside the sending agency can alter messages
  • confirmation that email is from the sending agency, and
  • appropriately classified email traffic cannot be inadvertently sent outside the SEEMail community.

Lead Agency

Te Tari Taiwhenua — Department of Internal Affairs (DIA)



Adopting the service

SEEMail PKI and SEEMail Gateway services are available as TaaS services. Agencies do not need to undertake a full procurement process. Lead Agency has commissioned the 2 services within the TaaS construct, allowing agencies to consume it as a TaaS service. TaaS services go through Certification by All of Government Service Delivery.

SEEMail Gateways are also available from Approved SEEMail Providers.

Each agency must subscribe to the Cogito SEEMail PKI service as a TaaS service before SEEMail Gateway services can be consumed.

For instructions on how to initiate the process to procure TaaS service, see:

Telecommunications as a Service (TaaS)

All of Government SEEMail Managed Gateway Supplier information

Agencies can subscribe to All of Government authorised SEEMail Managed Gateway services through TaaS. Authorised SEEMail Managed Gateway service providers are:

  • Liverton Security Limited
  • Datacom Systems Limited
  • One New Zealand Group Limited
  • Spark New Zealand Trading Limited.

If you require further information, email

Other SEEMail Managed Gateway Supplier information

Authorised SEEMail PKI supplier

  • Cogito Group

SEEMail Service suppliers

  • One New Zealand Group Limited
  • Scientific Software & Systems (SSS-IT Security Specialists)

Who to go to for SEEMail support

For general technical and service support, contact your SEEMail Gateway Service Provider.

For technical and service support for the SEEMail PKI service, contact Cogito.

For SEEMail standards, policy, security certification and compliance enquiries, contact DIA.

Utility links and page information

Was this page helpful?
Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

Last updated