Email Security Check for Fremantle Conveyancers: SPF/DMARC/DKIM Diagnostic Aligned to ARNECC Participation Rules
Your firm sends and receives payment instructions, client authorisation forms, and verification of identity confirmations by email every day. If your sending domain isn’t properly authenticated, a spoofed email impersonating your firm can land in a buyer’s, seller’s, or lender’s inbox and look indistinguishable from the real thing. This one-off check tells you whether the three email authentication records that block most impersonation attempts — SPF, DKIM, and DMARC — are actually configured on your firm’s domain.
Why it matters now
Conveyancers and settlement agents operating on PEXA are Subscribers under the Electronic Conveyancing National Law and are bound by Participation Rules that each State Registrar determines from the ARNECC Model Participation Rules. Those rules impose Subscriber obligations covering verification of identity, client authorisation, certifications, and the security of the systems used to transact — and a Subscriber’s email channel is the practical seam through which most of that information moves. The Australian Cyber Security Centre lists business email compromise as a high-impact threat to Australian businesses and publishes guidance recommending SPF, DKIM, and DMARC as foundational controls against domain spoofing. For a Fremantle settlement agency, an unauthenticated sending domain is the easiest path for an attacker to impersonate your firm to a counterparty in the days before settlement.
The 5-minute view
- ARNECC publishes the Model Participation Rules (Version 7, January 2024) which each State Registrar determines as the Participation Rules under the Electronic Conveyancing National Law.
- Subscribers — including licensed conveyancers and settlement agents in Western Australia — must comply with the Participation Rules as a condition of using an Electronic Lodgment Network.
- The Participation Rules impose obligations around verification of identity, client authorisation, and the integrity of records that Subscribers retain and exchange — much of which moves over email.
- SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance) are the three DNS-based standards that allow receiving mail servers to verify that an email claiming to come from your domain actually did.
- The Australian Cyber Security Centre recommends all three as baseline controls against email spoofing and business email compromise.
- A domain with no DMARC record, or a DMARC record in p=none mode, provides no enforcement against spoofed mail being delivered to recipients.
- The Email Security Check is a one-shot external diagnostic: it reads only public DNS records and requires no access to your mail server or mailboxes.
What DRMO does about it
The Email Security Check is a productised L1 diagnostic. You provide your firm’s sending domain (e.g. yourfirm.com.au); DRMO performs an external review of the public DNS records that govern email authentication for that domain. The check covers: the presence and syntax of the SPF record, whether DKIM selectors are published and resolve correctly, the DMARC policy in force (none, quarantine, or reject), the alignment mode configured, and whether DMARC aggregate reporting is being collected. Findings are graded against ACSC published guidance and mapped to the operational seam most relevant to Subscribers under the ARNECC framework — protecting the email channel through which client authorisation, VOI confirmations, and payment instructions move. This is the productised, self-serve version of the diagnostic that runs as the first step of the Pre-Settlement Shield engagement.
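The checks listed above can be illustrated with a short added example. It is not DRMO's tooling, and the Red / Amber / Green thresholds, function names, and sample records are assumptions made for illustration. It grades TXT record strings that have already been fetched, so it runs offline.

```python
# Added example: grades TXT strings that were already fetched from public DNS.
# The Red/Amber/Green thresholds are assumptions, not DRMO's or the ACSC's rubric.

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def grade_spf(txt_records):
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return "RED"      # missing, or duplicated (a permerror under RFC 7208)
    terms = spf[0].lower().split()[1:]
    if "+all" in terms or "all" in terms:
        return "RED"      # authorises every sender
    return "GREEN" if "-all" in terms else "AMBER"   # redirect= is not followed

def grade_dkim(selectors):
    """selectors maps selector name -> TXT string, or None if it did not resolve."""
    live = [s for s, r in selectors.items() if r and parse_tags(r).get("p")]
    if not live:
        return "RED"      # an empty p= tag is a revoked key
    return "GREEN" if len(live) == len(selectors) else "AMBER"

def grade_dmarc(txt_records):
    recs = [parse_tags(r) for r in txt_records
            if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(recs) != 1:
        return "RED", {}
    t = recs[0]
    pct = t.get("pct", "100")
    detail = {"policy": t.get("p", "").lower(), "rua": "rua" in t,
              "adkim": t.get("adkim", "r"), "aspf": t.get("aspf", "r"),
              "pct": int(pct) if pct.isdigit() else 100}
    if detail["policy"] not in ("quarantine", "reject"):
        return "RED", detail          # p=none or invalid: no enforcement
    full = detail["policy"] == "reject" and detail["rua"] and detail["pct"] == 100
    return ("GREEN" if full else "AMBER"), detail

# Constructed sample records for the page's placeholder domain yourfirm.com.au.
SAMPLE_SPF = ["v=spf1 include:_spf.example.net ~all"]
SAMPLE_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@yourfirm.com.au"]
SAMPLE_DKIM = {"selector1": "v=DKIM1; k=rsa; p=PLACEHOLDERKEY", "selector2": None}

if __name__ == "__main__":
    print("SPF:", grade_spf(SAMPLE_SPF), "DKIM:", grade_dkim(SAMPLE_DKIM),
          "DMARC:", grade_dmarc(SAMPLE_DMARC))
```

The alignment defaults (adkim and aspf relaxed) and the pct default of 100 follow RFC 7489; a record that omits those tags is graded as if they were set to those values.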
The deliverable
- PDF report scoped to one sending domain
- Executive summary with a Red / Amber / Green status for SPF, DKIM, and DMARC
- The exact DNS records observed at the time of the check, with the timestamp recorded
- Specific remediation steps for each finding, written in plain English for your IT provider to action
- A one-page summary suitable for retention in your firm’s operational records
- Delivered by email within 1 business day of payment and domain submission
CTA
Run the Email Security Check — AUD $99
A single, self-serve productised offer. No discovery call required. Suitable for any Western Australian conveyancing or settlement firm that wants a defensible record of its current email authentication posture.
For ongoing protection across all settlement files, see the DRMO Pre-Settlement Shield (consultative; book a discovery call).
Sources
- Australian Registrars’ National Electronic Conveyancing Council — Model Participation Rules: https://www.arnecc.gov.au/publications/model-participation-rules/
- Australian Cyber Security Centre — general guidance on business email compromise and email authentication: https://www.cyber.gov.au/
- PEXA Group Limited — Subscriber and settlement workflow information: https://www.pexa.com.au/
DRMO capability references:
- Email Security Check (L1 productised service shape)
- Pre-Settlement Shield (L3 consultative package; Email Security Check is Step 1)