Email Authentication Check for Perth Boutique Firms: Close the SPF/DMARC/DKIM Gap That Lets BEC Impersonate Your Domain
Your firm has under ten staff. You don’t have an in-house IT team, your mail runs on Microsoft 365 or Google Workspace, and your domain was set up years ago by whoever built the website. If an attacker can send email that looks like it came from a partner’s address — and your domain has no enforced SPF, DKIM, or DMARC — clients and counterparties have no technical way to tell the fake from the real. The Email Security Check is a one-shot diagnostic that tells you exactly what your domain currently publishes and where the gap sits.
Why it matters now
The Privacy Act 1988 (Cth) regulates how Australian organisations handle personal information, and the Office of the Australian Information Commissioner administers the Australian Privacy Principles and the Notifiable Data Breaches scheme that sit under it. Small advisory and professional services firms are increasingly inside the Act’s scope — either because they meet the $3 million turnover threshold, because they hold health or tax file number information, or because they handle personal information on behalf of a larger APP entity. The OAIC publishes guidance on reasonable steps to protect personal information under APP 11, and the Australian Cyber Security Centre lists email authentication (SPF, DKIM, DMARC) as a baseline control against email-based impersonation. When a Business Email Compromise lands a fraudulent invoice on a client because your domain is spoofable, the personal information disclosed in that exchange becomes a breach-reporting question, not just an IT question.
The 5-minute view
- The Privacy Act 1988 (Cth) and the Australian Privacy Principles apply to organisations with annual turnover over $3 million and to some smaller organisations including health service providers and contractors to APP entities (OAIC).
- Australian Privacy Principle 11 requires APP entities to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access or disclosure (OAIC).
- The Notifiable Data Breaches scheme under Part IIIC of the Privacy Act requires eligible data breaches involving likely serious harm to be notified to the OAIC and affected individuals.
- SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance) are three DNS-published records that together let receiving mail servers verify that mail claiming to come from your domain actually did.
- Without an enforced DMARC policy (p=quarantine or p=reject), most receiving servers will still deliver spoofed mail bearing your firm’s domain.
- The Australian Cyber Security Centre publishes general guidance on email authentication and BEC at https://www.cyber.gov.au/.
- Boutique firms typically discover their SPF record is permissive (~all instead of -all), DKIM is unsigned, and DMARC is either absent or in monitoring mode (p=none) — a common combination that offers no enforcement.
What DRMO does about it
The Email Security Check is a fixed-scope diagnostic of your firm’s outbound mail domain. You submit your primary domain (and any aliases you send mail from). DRMO performs a passive DNS lookup of your published SPF, DKIM selector, and DMARC records, parses each against the relevant IETF specifications, and checks for the common boutique-firm failure patterns: missing DMARC, permissive SPF, unsigned DKIM, misaligned From headers, and orphaned subdomains. The check is read-only — no access to your mail tenant, no credentials shared, no changes made to your environment. The output is a PDF report you can hand to your IT provider or use as the input to an enforcement project. This is the entry-level L1 productised offer in the DRMO service catalogue, designed for firms that want a defensible starting point before commissioning remediation work.
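As an added illustration of the record checks described above (this is example code written for this page, not DRMO's own tooling), the script below classifies already-fetched SPF, DKIM and DMARC TXT strings into Red/Amber/Green using the failure patterns the 5-minute view lists. The sample records at the bottom are constructed to show the typical boutique-firm combination (~all, no DKIM selector, p=none); the Red/Amber/Green thresholds are this example's assumptions, not DRMO's report criteria.

```python
# Added example, not DRMO's tooling: Red/Amber/Green for SPF, DKIM and DMARC
# records passed in as already-fetched strings, so it runs offline (no DNS).

def parse_tags(txt):
    """Split a 'k=v; k=v' tag list (DKIM and DMARC share this syntax)."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def classify_spf(txt):
    """The final 'all' qualifier decides what happens to unlisted senders."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return ("RED", "no SPF record published")
    alls = [t for t in txt.split()[1:] if t.lstrip("+-~?").lower() == "all"]
    if not alls:
        return ("AMBER", "no 'all' mechanism: unlisted senders get neutral")
    qual = alls[-1][0] if alls[-1][0] in "+-~?" else "+"
    return {"-": ("GREEN", "-all: unlisted senders hard-fail"),
            "~": ("AMBER", "~all: unlisted senders only soft-fail"),
            "?": ("RED", "?all: neutral, no protection"),
            "+": ("RED", "+all: every sender passes")}[qual]

def classify_dkim(txt):
    """A selector record must carry a non-empty p= public key to be usable."""
    if not txt:
        return ("RED", "no DKIM selector record: outbound mail is unsigned")
    if not parse_tags(txt).get("p"):
        return ("RED", "DKIM key revoked (empty p=)")
    return ("GREEN", "DKIM public key published")

def classify_dmarc(txt):
    """Only p=quarantine or p=reject at pct=100 counts as enforcement."""
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return ("RED", "no DMARC record published")
    tags = parse_tags(txt)
    policy, pct = tags.get("p", "").lower(), tags.get("pct", "100")
    if policy == "none":
        return ("AMBER", "p=none: monitoring only, spoofed mail still delivered")
    if policy in ("quarantine", "reject"):
        if not pct.isdigit() or int(pct) < 100:
            return ("AMBER", f"p={policy} but pct={pct}: partial enforcement")
        return ("GREEN", f"p={policy}: enforced")
    return ("RED", f"missing or invalid p= tag ({policy!r})")

def check_domain(records):
    # records: {'spf': str|None, 'dkim': str|None, 'dmarc': str|None}
    return {name: fn(records.get(name)) for name, fn in
            (("spf", classify_spf), ("dkim", classify_dkim), ("dmarc", classify_dmarc))}

# Constructed sample: the common boutique-firm combination described above.
SAMPLE = {"spf": "v=spf1 include:spf.protection.outlook.com ~all", "dkim": None,
          "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com"}
```

Running `check_domain(SAMPLE)` returns AMBER for SPF, RED for DKIM and AMBER for DMARC, the "no enforcement" combination the check is designed to surface.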
The deliverable
- PDF report covering one primary domain and up to three subdomains or aliases
- Current SPF, DKIM, and DMARC record content with line-by-line interpretation
- Red / Amber / Green status per record with the specific configuration gap identified
- Plain-English remediation summary your IT provider can act on
- Reference to APP 11 “reasonable steps” framing so the report can be filed as evidence of the control review
- Delivered via email within 1 business day of payment and domain submission
CTA
Run the Email Security Check — AUD $99
A single-domain productised offer. No discovery call required, no access to your mail tenant required. Suitable for any Perth boutique firm that wants to know — before a counterparty asks — whether their domain can currently be impersonated.
Sources
- Office of the Australian Information Commissioner — The Privacy Act: https://www.oaic.gov.au/privacy/the-privacy-act
- Office of the Australian Information Commissioner (domain root, for APP 11 and Notifiable Data Breaches scheme guidance): https://www.oaic.gov.au/
- Australian Cyber Security Centre (domain root, for email authentication and BEC guidance): https://www.cyber.gov.au/
- Federal Register of Legislation (domain root, for the Privacy Act 1988 (Cth) consolidated text): https://www.legislation.gov.au/
DRMO capability references:
- Email Security Check (SPF/DMARC/DKIM) — L1 productised offer, DRMO service catalogue
- Entry-level diagnostic to the L3 Pre-Settlement Shield engagement