On 12 December 2025 at 8:13 PM, I received an unsolicited commercial email from Robert Rolls, identifying himself as Founder and Chief Executive of Afirmo NZ Ltd. I had no prior relationship with him or the company, had not requested contact, and had not consented to receive marketing of any kind.

THE EMAIL ARRIVES

The message was promotional and lacked an unsubscribe mechanism. Under New Zealand law, a single unsolicited commercial email can be unlawful if it does not meet basic requirements around consent, sender identification, and opt-out. That omission mattered, and it prompted a closer look.

THE DOMAIN THAT DIDN’T MATCH

The email did not come from afirmo.com, the company’s established domain. It was sent from robertr@winafirmo.com, a domain registered just weeks earlier and not referenced anywhere on Afirmo’s official website. When accessed, that domain redirected to an unrelated third-party site with no visible connection to accounting or tax services. Domain provenance matters, especially in regulated environments.

TECHNICAL CHECKS

A WHOIS and DNS review showed the two domains were registered, hosted, and configured independently. The established domain dates back to 2017; the newer domain was registered in late September 2025. These differences don’t prove misconduct on their own, but they are relevant to questions of sender identification and traceability.

SEEKING CLARITY

Before publishing anything, I attempted to verify the situation and provide a right of reply. I phoned the publicly listed office number, called the mobile number associated with Mr Rolls, left voicemail messages, and sent written questions by email. One response arrived from the newer domain, asserting compliance and “deemed consent,” but it did not answer where my email address was sourced, why a separate domain was used, or why no unsubscribe was included.

INDUSTRY CONTEXT

In my reporting on electronic spam, I’ve repeatedly encountered a pattern where companies outsource cold outreach to third-party lead generators and use secondary domains to protect the reputation of their primary brand. When issues arise, responsibility still sits with the company whose services are being promoted.

THE LEGAL CONTEXT

Even where “deemed consent” is claimed, New Zealand law still requires a functional unsubscribe mechanism. The facts here are simple and observable: the message was unsolicited, the domain was not publicly associated with the company, and no opt-out was provided.

REFERRAL TO REGULATORS

Given the lack of resolution, I referred the matter to the Department of Internal Affairs, providing the original email, full headers, and a timeline of correspondence. The referral itself is now a matter of record.

ON THE RECORD

This investigation documents verifiable facts and unanswered questions. It does not allege fraud or criminality. If clarification is provided on the record—about the domain used, the source of my email address, or the absence of an unsubscribe—it will be published in full.

Buy Me a Coffee 
I’m on @buymeacoffee. If you like my work, you can buy me a coffee and share your thoughts.

Support the show