Secure Encrypted Email
Secure Encrypted Email (SEEMail) secures email traffic between participating New Zealand public sector agencies. It protects information classified as IN-CONFIDENCE, SENSITIVE or RESTRICTED.
Service description.
SEEMail is used by public sector agencies who need secure, encrypted communication.
The SEEMail system is a gateway-to-gateway email service that provides confidentiality, authentication, integrity and non-repudiation for emails between participating agencies and Trusted Partners. This is achieved through signing and encrypting email messages at the SEEMail email gateway and not at the end device such as a user’s PC, laptop or mobile.
For participating agencies SEEMail ensures:
- all SEEMail traffic between agencies is secured.
- no one outside the sending agency can alter messages.
- confirmation that email is from the sending agency, and
- appropriately classified email traffic cannot be inadvertently sent outside the SEEMail community.
Email Error Messages
Secure Electronic Environment Mail (SEEMail) secures email traffic over the internet between participating New Zealand Government Agencies.
SEEMail encryption of emails occurs at the gateway as an email leaves or arrives at the organisation.
SEEMail automatically limits the transmission on emails so that only the applicable SEEMail participant agencies can receive the email. This is achieved through the use of the trigger words (also known as SEEMail tags). At HUD we enforce this through email classification. This can be manually applied to emails and / or documents by typing the appropriate classification in the email subject, body, or the most common attachment types:
- Microsoft Excel Spreadsheet
- Microsoft PowerPoint Presentation
- Microsoft Publisher
- Microsoft Word Document
- Plain Text
- Portable Document Format (PDF)
Trigger Terms
SEEMAIL
TRUSTED
IN-CONFIDENCE
IN CONFIDENCE
SENSATIVE
RESTRICTED
Common SEEMail error messages
- #1A - NOT SEEMail
- #1C - Contains RESTRICTED
- #2A - UNVERIFIED SEEMAIL
- #4A - NOT SEEMail
- #5A - UNVERIFIED INTERNAL
- #300 – UNABLE TO SIGN MESSAGE
SEEMail Warning #1A - NOT SEEMail
You may have tried to send a message that contains a SEEMail trigger word to an address that is NOT a SEEMail member (They do not use SEEMail).
This message has not been delivered to ANY EXTERNAL recipients.
Recommended action: Decide whether the security classification of the information you are sending requires SEEMail protection.
- YES = send by other secure means
- NO = remove the SEEMail trigger word from the message
Explanation
In this case, a SEEMail Tag is present in either the email you have tried to send, or in your attachment. The Data Loss Prevention (DLP) features are preventing the email from leaving the system, on the basis that the classification of the material should not be sent to a recipient who is not a SEEMail agency (such as a private company).
By removing the SEEMail trigger word(s) from the message or attachment, you are affirming that the message is not classified above IN-CONFIDENCE and that the recipients are authorised to receive the message. Do so with care.
SEEMail Warning #1C - Contains RESTRICTED
You have tried to send a message that contains a RESTRICTED trigger word to a non-RESTRICTED SEEMail member.
This message has not been delivered to ANY EXTERNAL recipients.
Recommended action: Send your message using another transport method which is accredited to the appropriate level.
Explanation
In this situation, the receiving agency is a member of SEEMail but is a member of the SEEMail Standard Community. This prevents then receiving information classified as RESTRICTED (or SENSITIVE, which has similar handling rules). You will be unable to send the information to this recipient via SEEMail (or email).
The sender cannot send this message electronically due to its sensitivity and that the agency who needs the information does not have the required network security clearance. The parties involved must decide how they can physically share the information, or the stakeholders must decide to re classify the information to an appropriate level. HOWEVER, CAUTION SHOULD BE APPLIED IN THIS SITUATION.
Reclassification of information to an inappropriate classification level can have serious consequences. General management should authorize this.
SEEMail Warning #2A - UNVERIFIED SEEMAIL SENDER
This message did not come from the apparent sender's agency. The confidentiality, integrity or authenticity of the message cannot be guaranteed.
Explanation
This means an email with an address that is from a domain name associated with a SEEMail agency, has come in from another source (not from the authorised SEEMail gateway).
Common reasons for this may be:
- Mail Forwarding rules or Mailing lists which receive an email and then forward it to one or more recipients.
- Automated systems such as websites located on the Internet, that send data via email with the sender's address belonging to an agency but did not come from an agency SEEMail gateway.
- Genuinely forged email senders, impersonating an agency.
When this error is received, a copy of the original email will be attached.
Unless the sender is known to the recipient and the recipient can confirm that they are expecting this email, the email should be deleted, and the email address investigated and possibly blocked.
SEEMail Warning #4A - NOT SEEMail
This message contains a SEEMail trigger word but did not arrive from a SEEMail agency. The confidentiality, integrity or authenticity of the message cannot be guaranteed.
Possible causes of this warning include:
- The sender mistakenly thinks their agency has SEEMail and has put the SEEMail trigger word in the message.
- The sender has accidentally referred to the SEEMail trigger word in the message.
Explanation
In this case the email has come in from a non SEEMail party but contains one of the Trigger terms (See listed terms above).This is not generally a problem, except that any reply email you may send is likely to be blocked by SEEMail as it will correctly identify the recipient as not being a SEEMail member.
SEEMail Warning #5A - UNVERIFIED INTERNAL SENDER
This message has our agency's email address but came from outside (the message could be SPOOFED). The confidentiality, integrity or authenticity of this message cannot be guaranteed.
Possible causes of this warning include:
- The mail may have been forwarded by a distribution (List serve) service like Mailchimp.
- The sender is working away from our agency and using an ISP mail account.
- Someone other than the sender may have sent the message and falsified the email address.
Recommended action: If you have doubts about the message authenticity, verify the message with the sender by some other means. Confirm with the recipient if they know the sender and if they are expecting an email?
Explanation
This error is where an email is received from an external source, but it appears to be from an internal sender. It commonly occurs when meeting invites that are originally sent from a HUD staff member are forwarded by an external person back to another HUD staff member.
SEEMail Warning #300 – UNABLE TO SIGN MESSAGE
This message occurs when the sent message cannot be digitally signed with the agencies digital certificate.
Possible causes of this warning include:
- The mail item may have a previous permission set that does not allow access to the email.
- The mail may contain a password protected file (Compressed ZIP).
- The mail contains a file that is encrypted.
- The mail may contain a digital certificate and SEEMail will view this file as an Encrypted file as the SEEMail gateway cannot interrogate it.
- This could be a technical fault if the Security certificate on the SEEMail gateway is no longer valid.
Recommended action: Confirm that there is no password protected attachments. Confirm that there are no security certificates on the emails (This occurs mostly when users forward an email that may have a certificate already). Contact the sender and ask them to resend the email unencrypted. Find another mechanism for the sender to share the information (External sharing). If all of these items have been confirmed, we need to check the SEEMail gateway status. If that returns errors raise a ticket with Liverton support to confirm the issue.
Explanation
Essentially SEEMail will view or read (Interrogate) every email that is sent or received at the SEEMail gateway. This is done to check for Malware and trigger words and to make sure no Data loss (DLP) is taking place. In the case where files are password protected or if encryption outside of those already present on the SEEMail gateway, this error will occur.
A list of SEEMail Agencies
| Agencies that can only receive IN-CONFIDENCE or UNCLASSIFIED email messages (i.e. SEEMail Standard agencies): |
| Accident Compensation Corporation |
| Aviation Security Service |
| Callaghan Innovation |
| Careers New Zealand |
| Education Review Office |
| Electricity Authority |
| Health Quality and Safety Commission |
| healthAlliance |
| HealthShare |
| Housing New Zealand |
| Independent Police Conduct Authority |
| Institute of Environmental Science and Research |
| Ministry for Pacific Peoples |
| New Zealand Blood Service |
| New Zealand Qualifications Authority |
| NIWA |
| NZ Post |
| NZ Transport Agency |
| Office of the Auditor General |
| Office of the Privacy Commissioner |
| Public Trust |
| Real Estate Agents Authority |
| Serious Fraud Office |
| Sport New Zealand |
| Statistics New Zealand |
| Tairawhiti DHB |
| Teachers Council |
| Tertiary Education Commission |
| Agencies that can receive IN-CONFIDENCE, UNCLASSIFIED, SENSITIVE or RESTRICTED email messages (i.e. SEEMail Restricted agencies): |
| Antarctica NZ |
| Central Agency Shared Services (DPMC, SSC & Treasury) |
| CERT |
| Civil Aviation Authority |
| Commerce Commission |
| Crown Law Office |
| Department of Conservation |
| Department of Corrections |
| Department of Internal Affairs |
| Drug Free Sport NZ |
| Education New Zealand |
| Environmental Protection Authority |
| Financial Markets Authority |
| Government Communications Security Bureau |
| Inland Revenue |
| Land Information New Zealand |
| Maritime New Zealand |
| Ministry for Culture and Heritage |
| Ministry for Primary Industries |
| Ministry for the Environment |
| Ministry of Business Innovation and Employment |
| Ministry of Education |
| Ministry of Foreign Affairs and Trade |
| Ministry of Health |
| Ministry of Justice |
| Ministry of Social Development |
| Ministry of Transport |
| Ministry for Women |
| New Zealand Customs Service |
| New Zealand Defence Force |
| New Zealand Fire Service |
| New Zealand Police |
| New Zealand Security Intelligence Service |
| New Zealand Trade and Enterprise |
| Office of the Ombudsman |
| Parliament |
| Parliamentary Counsel Office |
| Pharmac |
| Reserve Bank of New Zealand |
| Te Puni Kokiri |
More information please refer to SEEMail documentation.