Email Security Check for Brisbane Conveyancers: SPF, DMARC and DKIM Evidence for ARNECC-Aligned Settlement Files
You are a Subscriber under the Queensland Participation Rules. Your firm sends and receives payment instructions, client authorisations and verification of identity correspondence by email every day. If a Brisbane buyer ever receives a spoofed email that looks like it came from your domain — and acts on it — the first question your insurer, the Registrar and your client’s lawyer will ask is whether your email domain was authenticated. The Email Security Check answers that question on paper, before it becomes a dispute.
Why it matters now
ARNECC’s Model Participation Rules (Version 7, January 2024) require Subscribers to maintain security controls over their digital conveyancing workflow, including controls over the communications channels used to send and receive Client Authorisations and related instructions. The Australian Cyber Security Centre treats Business Email Compromise as one of the highest-impact threat classes facing Australian small businesses, and recommends sender authentication (SPF, DKIM and DMARC) as a baseline control on any domain used for business correspondence. Settlement files in Queensland flow through the Electronic Conveyancing National Law framework administered by the Registrar of Titles under ARNECC’s Model Participation Rules — meaning a spoofing event on a conveyancer’s domain is not only a fraud risk, it is a regulator-visible event.
The 5-minute view
- ARNECC publishes the Model Participation Rules under the Electronic Conveyancing National Law; Queensland adopts them through Participation Rules determined by the Queensland Registrar of Titles.
- Subscribers (including conveyancers and lawyers) must comply with the Participation Rules in force in each jurisdiction in which they operate.
- The current model is Version 7, published January 2024.
- SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance) are open standards that allow receiving mail servers to verify whether a message claiming to come from your domain actually originated from an authorised sender.
- The ACSC publishes general guidance on these standards at https://www.cyber.gov.au/ and treats them as a baseline control against domain spoofing in Business Email Compromise.
- A DMARC policy of p=none records spoofing attempts but does not block them; p=quarantine or p=reject is required to actively suppress unauthenticated mail.
- Without DMARC enforcement, a fraudster can send mail that displays your firm’s exact domain in the “from” header to a buyer, seller or lender on the file.
- An Email Security Check produces written evidence of your current authentication posture as at the date of the scan — useful for insurer renewals, Subscriber compliance reviews and internal risk registers.
What DRMO does about it
The Email Security Check is a productised L1 diagnostic run against your firm’s primary email domain (and up to two related domains, e.g. a marketing domain or a legacy domain still resolving). DRMO queries the public DNS records for SPF, DKIM selectors and DMARC, evaluates the policy strength of each record, identifies common misconfigurations (multiple SPF records, soft-fail ~all where -all is appropriate, missing DMARC rua reporting address, DKIM key length below 2048 bits, sub-domain policy gaps), and produces a written PDF report scoped to that domain set. The check is read-only against public DNS — it does not require access to your mail server, your tenant, or your settlement files. This is the same diagnostic that runs as the entry step into the DRMO Pre-Settlement Shield package, productised for single-domain use without a discovery call.
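For firms that want to sanity-check their own records, the sketch below shows how the SPF and DMARC misconfigurations listed above can be detected from TXT record strings. It is an added example, not DRMO's diagnostic. It assumes the records have already been fetched from public DNS, uses constructed sample records for the placeholder domain example.com, and leaves out the DKIM key-length check.

```python
ENFORCING = ("quarantine", "reject")

def parse_tags(record):
    """Split 'v=DMARC1; p=none; ...' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(apex_txt):
    """Findings for the TXT records published at the domain itself."""
    spf = [r for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF: no record published"]
    if len(spf) > 1:
        return ["SPF: multiple records, which receivers treat as an error"]
    terms = spf[0].lower().split()
    if "~all" in terms:
        return ["SPF: soft-fail ~all where -all may be appropriate"]
    if "-all" not in terms and not any(t.startswith("redirect=") for t in terms):
        return ["SPF: record has no -all"]
    return []

def check_dmarc(dmarc_txt):
    """Findings for the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return ["DMARC: expected exactly one record, found %d" % len(dmarc)]
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    findings = []
    if policy not in ENFORCING:
        findings.append("DMARC: p=%s does not block spoofed mail" % (policy or "missing"))
    elif tags.get("sp", policy).lower() not in ENFORCING:
        findings.append("DMARC: sub-domain policy sp is weaker than p")
    if "rua" not in tags:
        findings.append("DMARC: no rua reporting address")
    return findings

def audit(apex_txt, dmarc_txt):
    """Combine SPF and DMARC findings for one domain."""
    return check_spf(apex_txt) + check_dmarc(dmarc_txt)

# Constructed sample records for a hypothetical domain, not real DNS data.
WEAK = audit(["v=spf1 include:_spf.example.com ~all"], ["v=DMARC1; p=none"])
STRONG = audit(["v=spf1 include:_spf.example.com -all"],
               ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"])
```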
The deliverable
- PDF report, scoped to your firm’s primary email domain plus up to two related domains
- Per-record findings: SPF, DKIM (for selectors detected), DMARC, with policy strength rated against ACSC baseline guidance
- Plain-English remediation list, ordered by impact, that your IT provider can execute
- A one-page evidence summary suitable for attachment to an insurer renewal pack or internal risk register
- Delivered by email within 1 business day of payment
Run the Email Security Check — AUD $99
A single-domain productised offer. No discovery call required. Suitable for any Queensland conveyancing practice that operates as a Subscriber under the Participation Rules and uses email to issue or confirm any part of the settlement workflow.
Sources
- Australian Registrars’ National Electronic Conveyancing Council — Model Participation Rules (Version 7, January 2024): https://www.arnecc.gov.au/publications/model-participation-rules/
- Australian Cyber Security Centre — general guidance on Business Email Compromise and email authentication (SPF / DKIM / DMARC): https://www.cyber.gov.au/
- Australian Competition and Consumer Commission — Scamwatch, general guidance on payment-redirection scams: https://www.scamwatch.gov.au/
DRMO capability references:
- Email Security Check (L1 service shape, productised)
- Pre-Settlement Shield (L3 Shield package, of which this diagnostic is the entry step)