“Transparency is not demonstrated by reassurance. It is demonstrated by answering reasonable questions on the record.”

On 12 December 2025 at 8:13 PM, I received an unsolicited commercial email from Robert Rolls, who identifies himself as Founder & Chief Executive of Afirmo NZ Ltd.

I had no prior relationship with Mr Rolls, Afirmo NZ Ltd, or any associated entity. I had not requested information, signed up for a trial, subscribed to a mailing list, or otherwise consented to being contacted.

The email was promotional in nature. It therefore meets the definition of a commercial electronic message under the Unsolicited Electronic Messages Act 2007. Importantly, the email did not contain an unsubscribe mechanism.

That omission matters.

Under New Zealand law, a single unsolicited commercial email can be unlawful if it lacks consent, clear sender identification, and a functional unsubscribe facility. The law does not require bulk sending. One message is sufficient.

What followed was not a misunderstanding resolved through a simple clarification. It was a sequence of inconsistencies, partial explanations, and silence that raised legitimate public-interest questions.

This article documents those facts.

The Email and the Domain That Didn’t Match

The email identifying Robert Rolls as Founder & Chief Executive of Afirmo NZ Ltd was not sent from the company’s primary domain, afirmo.com.

Instead, it was sent from:

robertr@winafirmo.com

At the time the email was received, the domain winafirmo.com:

  • Was registered on 30 September 2025
  • Was 91 days old
  • Was not referenced anywhere on Afirmo’s official website
  • Did not host a corporate website

When accessed, winafirmo.com redirects to an unrelated third-party website with no visible connection to Afirmo NZ Ltd, accounting software, or tax services.

This is not a minor technical detail. Domain usage goes directly to sender identification, traceability, and compliance under New Zealand anti-spam law.

LinkedIn Profile and Conflicting Email Addresses

Robert Rolls’ LinkedIn Profile, which identifies him as Founder & Chief Executive of Afirmo, lists a different contact address:

robert.rolls@afirmo.com

Two domains were therefore in use:

  • An established corporate domain (afirmo.com)
  • A newly registered domain (winafirmo.com)

Only one of those domains is publicly associated with the company.

That discrepancy required clarification.

Technical Comparison of the Domains Used

A WHOIS and DNS review shows that the domains afirmo.com and winafirmo.com are registered, hosted, and configured independently of one another. Afirmo.com was registered in 2017 and is associated with the company’s long-established public website. By contrast, winafirmo.com was registered on 30 September 2025 and resolves to a different IP address using a separate hosting and DNS configuration.

When accessed, winafirmo.com redirects to an unrelated third-party website with no visible connection to Afirmo NZ Ltd, accounting services, or tax software. These technical differences do not, on their own, establish misconduct. However, where an unsolicited commercial email is sent from a newly registered domain that is not referenced on the company’s official website, those differences are relevant to questions of sender identification, traceability, and accountability.

Attempts to Verify Identity and Seek Right of Reply

Before publishing anything, I took reasonable steps to verify the situation directly and to provide Mr Rolls with a right of reply.

Over a period of days:

  • I phoned the company using the publicly listed office number
  • I phoned the mobile number associated with Mr Rolls
  • I left voicemail messages
  • I sent written questions by email

I received one written response, sent from the winafirmo.com email address. That response stated that:

  • Afirmo takes compliance seriously
  • My details had been removed from their systems
  • The email was sent under “deemed consent” provisions

However, several material questions were not answered, including:

  • Where my email address was sourced from
  • Whether a third-party lead-generation or marketing company was used
  • Why a separate domain was used for outreach
  • Why the original email did not include an unsubscribe mechanism

After that response, communication ceased.

There was no follow-up, no clarification, and no response to subsequent verification requests.

Silence is not evidence of wrongdoing. However, it is a documentable fact when assessing transparency and reasonableness.

Industry Context: Lead Generation and Secondary Domains

In the course of reporting on electronic spam and unlawful marketing practices, I have repeatedly encountered a common industry pattern that is relevant to this situation.

Some companies outsource outbound email campaigns to third-party lead-generation firms and deliberately operate those campaigns through newly registered or secondary domains rather than their primary corporate domain. The stated rationale is often to protect the reputation, deliverability, and search-engine health score of the main domain, particularly where cold outreach may generate complaints or regulatory scrutiny.

When problems arise, the technical and reputational consequences attach to the secondary domain rather than the main brand.

This practice has been examined in enforcement actions in New Zealand and overseas. In those cases, businesses have been held responsible for unsolicited messages sent on their behalf, regardless of whether a contractor or intermediary was involved.

The existence of a secondary domain does not, by itself, establish wrongdoing. It does, however, represent a recognised risk indicator in spam investigations and is something that reasonably warrants clear explanation when questions are raised.

The Legal Context: Why This Matters

Under the Unsolicited Electronic Messages Act 2007, businesses may only send commercial emails if all of the following requirements are met:

  • Consent exists (express, inferred, or deemed)
  • The sender is clearly and accurately identified
  • A functional unsubscribe facility is included

Even where deemed consent is claimed, the unsubscribe requirement still applies.

In this case:

  • I dispute that my email address was published for unsolicited marketing
  • The message lacked an unsubscribe mechanism
  • The sender used a domain not publicly linked to the company

These are not allegations. They are observable facts.

Referral to the Department of Internal Affairs

Given the lack of resolution, I submitted a complaint to the Department of Internal Affairs, the agency responsible for enforcing New Zealand’s anti-spam laws.

The referral included:

  • The original email
  • Full delivery headers and the EML file
  • A timeline of correspondence

As of publication, I have not received confirmation that enforcement action is underway. That is not unusual. The Department does not comment publicly on active assessments.

The referral itself is a matter of record.

Public Reviews and Prior Concerns

While verifying basic facts, I reviewed publicly available Google Reviews relating to Afirmo NZ Ltd.

It is important to be clear about the limits of this material:

  • Customer reviews are testimony, not evidence of illegality
  • They do not establish facts about my case
  • They are included only as context, not proof

The reviews raise recurring themes, including billing disputes, communication breakdowns, software limitations, and concerns around third-party integrations. Some of these claims are disputed by the company in its responses.

I make no determination about their accuracy. They are mentioned solely because they form part of the public record a reasonable reader may encounter.

What This Is — and What It Is Not

This article does not claim that:

  • Afirmo NZ Ltd is a scam
  • Robert Rolls committed fraud
  • A criminal offence has been proven

It does document that:

  • An unsolicited commercial email was sent to me
  • The email lacked an unsubscribe mechanism
  • The email was sent from a newly registered domain not publicly associated with the company
  • Clarification was sought
  • Key questions remain unanswered

That is the full scope.

Why the Domain Issue Cannot Be Ignored

Using alternate domains for outbound marketing is sometimes described as a technical or operational decision.

However, in regulated environments such as finance, tax, accounting, and KYC-adjacent services, domain provenance matters. It directly affects consumer trust, data-protection expectations, accountability, and compliance with electronic-messaging law.

If a third party was involved, the company remains responsible for messages sent on its behalf. If impersonation is occurring, it is incumbent on the company to state that clearly and publicly.

To date, neither explanation has been provided.

Position on the Record

I have acted in good faith throughout this process. I sought verification directly, provided a clear right of reply, avoided speculation, and referred the matter to the appropriate regulator.

This article records verifiable facts and unanswered questions. Nothing more.

If Afirmo NZ Ltd or Robert Rolls wish to clarify the record — specifically:

  • the use of the winafirmo.com domain
  • the source of my email address
  • the absence of an unsubscribe mechanism

I will publish that response in full and without editorial alteration.

What Readers Should Do

If you are a business owner or professional:

  • Treat unsolicited emails — particularly those involving finance or tax — with caution
  • Verify sender domains, not just names or signatures
  • Expect a functional unsubscribe mechanism as a minimum legal standard
  • Understand that New Zealand law applies even to a single message

If you believe you have received spam:

  • Preserve the original email, including full headers
  • Report it to the Department of Internal Affairs

Transparency is not achieved through silence.
It is achieved through answers.

Evidence Archive

PDFExhibit A – Unsolicited Commercial Email (PDF)
A full copy of the unsolicited email received on 12 December 2025, including complete delivery headers and message content, has been preserved exactly as received.

Download: Exhibit-A-Robert-Rolls-Unsolicited-Email.pdf

This article will be updated only if verifiable new information emerges.

Disclaimer: How This Investigation Was Conducted

This investigation relies entirely on OSINT — Open Source Intelligence — meaning every claim made here is based on publicly available records, archived web pages, corporate filings, domain data, social media activity, and open blockchain transactions. No private data, hacking, or unlawful access methods were used. OSINT is a powerful and ethical tool for exposing scams without violating privacy laws or overstepping legal boundaries.

About the Author

I’m DANNY DE HEK, a New Zealand–based YouTuber, investigative journalist, and OSINT researcher. I name and shame individuals promoting or marketing fraudulent schemes through my YOUTUBE CHANNEL. Every video I produce exposes the people behind scams, Ponzi schemes, and MLM frauds — holding them accountable in public.

My PODCAST is an extension of that work. It’s distributed across 18 major platforms — including Apple Podcasts, Spotify, Amazon Music, YouTube, and iHeartRadio — so when scammers try to hide, my content follows them everywhere. If you prefer listening to my investigations instead of watching, you’ll find them on every major podcast service.

You can BOOK ME for private consultations or SPEAKING ENGAGEMENTS, where I share first-hand experience from years of exposing large-scale fraud and helping victims recover.

“Stop losing your future to financial parasites. Subscribe. Expose. Protect.”

My work exposing crypto fraud has been featured in: