Email Authentication Check for Geraldton Conveyancers: Verify SPF, DMARC and DKIM Against ARNECC Subscriber Obligations
You run a settlement practice in Geraldton. Your inbox is the front door to every transaction — buyer ID documents, trust account instructions, mortgage discharge confirmations. If your domain’s email authentication is weak, attackers can spoof your firm’s address to a client, a bank, or another Subscriber, and you may not see it happen until funds have moved. The Email Security Check is a fixed-price, one-off diagnostic that tells you exactly where your firm’s email authentication stands today.
Why it matters now
Under the Electronic Conveyancing National Law, Subscribers are required to comply with the Participation Rules made by the Registrar in each State and Territory, which are developed nationally by the Australian Registrars’ National Electronic Conveyancing Council (ARNECC) as the Model Participation Rules. The current Version 7 of the Model Participation Rules (January 2024) sets Subscriber security obligations covering the protection of the Subscriber’s digital signing credentials, the security of the systems used to access the ELN, and the verification of communications. Business email compromise is the threat class most likely to defeat those obligations at a regional practice, because spoofed mail from a weakly-authenticated domain is indistinguishable from genuine mail to a non-technical recipient. The Australian Cyber Security Centre publishes general guidance on email authentication (SPF, DKIM, DMARC) at https://www.cyber.gov.au/, and the ACCC’s Scamwatch service at https://www.scamwatch.gov.au/ tracks payment-redirection scams targeting professional services as a recognised high-loss category.
The 5-minute view
- ARNECC’s Model Participation Rules Version 7 (January 2024) is the current national template that each State and Territory Registrar adopts as the binding Participation Rules for Subscribers
- Subscriber security obligations under the Participation Rules cover the security of credentials and the systems used to send and receive communications about a Conveyancing Transaction
- SPF (Sender Policy Framework) tells receiving mail servers which IP addresses are authorised to send mail for your domain
- DKIM (DomainKeys Identified Mail) cryptographically signs outbound mail so receivers can verify it was not tampered with in transit
- DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receivers what to do when SPF or DKIM fails, and is the control that actually blocks spoofed mail rather than just flagging it
- A DMARC policy of `p=none` reports on failures but does not block them; `p=quarantine` and `p=reject` enforce
- Regional and small-firm domains are statistically more likely to have weak or absent DMARC enforcement, which is why they are attractive for spoofing
- An external check of your domain takes minutes and requires no access to your mail server
What DRMO does about it
The Email Security Check is the DRMO L1 productised diagnostic for a single firm domain. You submit your firm’s email domain (for example yourfirm.com.au) at checkout. DRMO runs an external review of the published DNS records for that domain: SPF record presence, syntax, and authorised sender scope; DKIM selector discovery and key validity; and DMARC policy, alignment mode, and reporting addresses. The check is read-only and uses only publicly resolvable DNS — no access to your mail server, mailbox, or PEXA Subscriber account is required or requested. The output is a PDF report that names each control, its current state, the gap (if any) against the ACSC’s published email authentication guidance, and the specific DNS record change required to close it. This is the same email-authentication step that forms the inbound-channel review inside the Pre-Settlement Shield engagement, productised here for one-off use by smaller practices that do not need a full retainer.
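The kind of record evaluation described above, as an added example (not DRMO's tooling or report logic): it grades SPF and DMARC TXT strings that have already been fetched, for example with `dig +short TXT _dmarc.yourfirm.com.au`. The sample records and the Red/Amber/Green thresholds are assumptions made for illustration.

```python
# Added example: grades TXT record strings offline; it performs no DNS lookups.
# Constructed sample records for the placeholder domain yourfirm.com.au.
SAMPLE_SPF = ["v=spf1 include:_spf.mailhost.example ~all"]
SAMPLE_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@yourfirm.com.au"]
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists")

def parse_tags(record):
    """Split a DMARC 'k=v; k=v' record into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def grade_dmarc(txt_records):
    """txt_records: TXT strings published at _dmarc.<domain>."""
    found = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(found) != 1:
        return ("red", "no DMARC record" if not found else "multiple DMARC records")
    tags = parse_tags(found[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ("red", "missing or invalid p= tag")
    if policy == "none":
        return ("amber", "p=none only reports; spoofed mail is still delivered")
    if "rua" not in tags:
        return ("amber", f"p={policy} enforces but has no rua= reporting address")
    return ("green", f"p={policy} with aggregate reporting")

def grade_spf(txt_records):
    """txt_records: TXT strings published at the domain itself."""
    found = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:
        return ("red", "no SPF record" if not found else "multiple SPF records")
    terms = found[0].lower().split()[1:]
    # Top-level terms that cost a DNS lookup (RFC 7208 allows 10 in total);
    # nested includes add more, so this count is a lower bound.
    names = [t.lstrip("+-~?").split(":")[0].split("/")[0] for t in terms]
    lookups = sum(n in LOOKUP_TERMS or n.startswith("redirect=") for n in names)
    if lookups > 10:
        return ("red", f"{lookups} DNS-lookup terms exceed the limit of 10")
    if "+all" in terms or "all" in terms:
        return ("red", "+all authorises every sender")
    if "-all" in terms:
        return ("green", "hard fail for unlisted senders")
    if "~all" in terms:
        return ("amber", "soft fail for unlisted senders")
    return ("amber", "no restrictive all mechanism")  # includes ?all and redirect=
```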
The deliverable
- PDF report scoped to one firm email domain
- Section 1: SPF record findings — record present/absent, syntax issues, authorised sender summary
- Section 2: DKIM findings — selectors discovered, key length, validity
- Section 3: DMARC findings — policy (`none`/`quarantine`/`reject`), alignment, reporting destinations
- Section 4: Red / Amber / Green summary against ACSC email authentication guidance
- Section 5: Recommended DNS changes, written so your IT provider can implement them directly
- Delivered via email within 1 business day of payment and domain submission
CTA
Run the Email Security Check — AUD $99
A one-off, self-serve productised diagnostic. No discovery call required. Suitable for any Geraldton conveyancing or settlement practice that wants a written record of its email authentication posture as evidence of due diligence around its Subscriber communications.
This door provides operational support for Subscriber security obligations under the Model Participation Rules. It does not constitute legal advice on those Rules.
Sources
- Australian Registrars’ National Electronic Conveyancing Council — Model Participation Rules (Version 7, January 2024): https://www.arnecc.gov.au/publications/model-participation-rules/
- Australian Cyber Security Centre — general guidance on email authentication and business email compromise: https://www.cyber.gov.au/
- Australian Competition and Consumer Commission — Scamwatch (payment-redirection scams targeting professional services): https://www.scamwatch.gov.au/
DRMO capability references:
- Email Security Check (L1 productised service shape)
- Pre-Settlement Shield (L3 Shield package — inbound-channel review step)