Email Security Check for Mandurah Conveyancers: SPF, DMARC and DKIM Configuration Against BEC
You run a small conveyancing practice in Mandurah. Most of your settlement correspondence — payment instructions, trust account changes, agent and lender confirmations — moves through email. If someone can spoof your domain, or send into your inbox while bypassing authentication, that is the channel that BEC actors will use. The Email Security Check is a one-shot diagnostic that tells you whether your domain is configured to make spoofing visibly harder.
Why it matters now
Under the Electronic Conveyancing National Law, Subscribers operating on Electronic Lodgment Network platforms must comply with the Participation Rules made by each State and Territory Registrar, based on the ARNECC Model Participation Rules (currently Version 7, published January 2024). The Model Participation Rules require Subscribers to maintain security measures appropriate to their role — including controls over the digital channels used to communicate with clients and other parties to a transaction. Email is one of those channels. The Australian Cyber Security Centre publishes guidance on business email compromise at https://www.cyber.gov.au/, and consistently identifies sender authentication (SPF, DKIM, DMARC) as a baseline control. A domain without these records published, or with them published but misconfigured, is structurally easier to impersonate.
The 5-minute view
- ARNECC publishes the Model Participation Rules (current Version 7, January 2024) under the Electronic Conveyancing National Law; each State Registrar determines them as binding Participation Rules in that jurisdiction.
- Subscribers are required to comply with the Participation Rules in their jurisdiction, including security obligations over the systems used to conduct conveyancing.
- BEC against conveyancing practices typically arrives by email impersonating a known party — a solicitor, an agent, a lender, or the firm itself — to redirect payment instructions.
- SPF (Sender Policy Framework) tells receiving mail servers which IP addresses are authorised to send mail for your domain.
- DKIM (DomainKeys Identified Mail) cryptographically signs outbound mail so receivers can verify it has not been tampered with.
- DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receivers what to do when SPF or DKIM fail, and reports who is sending mail claiming to be from your domain.
- The ACSC recommends a DMARC policy of p=reject for domains not actively required to allow third-party sending.
- A misconfigured or absent DMARC record means failed-authentication mail claiming to be from your firm may still land in client inboxes.
What DRMO does about it
The Email Security Check is a fixed-scope L1 diagnostic against one email domain. You provide the domain (for example, yourfirm.com.au). DRMO runs a published-records review covering: SPF record presence and syntax, including authorised-sender mechanisms and the all qualifier; DKIM selector discovery and key length where selectors are publicly resolvable; DMARC record presence, policy strength (none / quarantine / reject), alignment mode, and reporting addresses; and MX configuration sanity. This is the Email Security Check service package — a self-serve, productised L1 offer designed to give Mandurah conveyancers a defensible read on their domain posture without a discovery call. It is the same diagnostic that feeds Step 1 of the higher-tier Pre-Settlement Shield engagement.
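The SPF and DMARC part of a published-records review like this can be expressed as two grading functions. The Python below is an added example, not DRMO's tooling: the Red / Amber / Green thresholds, the function names and the sample records are assumptions made for illustration, and it grades TXT strings already retrieved from DNS rather than querying DNS itself.

```python
# Added example: grades TXT strings already fetched from DNS. The RAG thresholds
# and sample records are constructed assumptions, not DRMO's scoring.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
ALL_GRADES = {"-": ("GREEN", "-all: unauthorised senders hard-fail"),
              "~": ("AMBER", "~all: unauthorised senders only soft-fail"),
              "?": ("AMBER", "?all: neutral, no assertion made"),
              "+": ("RED", "+all: any host is authorised to send")}

def grade_spf(txt_records):
    """Grade the TXT strings published at the domain apex."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # RFC 7208: none = no policy, several = permerror
        return "RED", "no SPF record" if not spf else "multiple SPF records"
    terms = [t.lower() for t in spf[0].split()[1:]]
    # Terms that cost a DNS lookup (this record only; includes are not followed).
    names = [t.lstrip("+-~?").replace("=", ":").split(":")[0].split("/")[0]
             for t in terms]
    if sum(n in LOOKUP_TERMS for n in names) > 10:
        return "RED", "more than 10 DNS-lookup terms (permerror)"
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls:
        return "AMBER", "no 'all' mechanism in this record"
    qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"  # bare 'all' is +all
    return ALL_GRADES[qualifier]

def grade_dmarc(txt_records):
    """Grade the TXT strings published at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return "RED", "no DMARC record" if not recs else "multiple DMARC records"
    pairs = (part.partition("=") for part in recs[0].split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in pairs if v}
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "RED", "missing or invalid p= tag"
    if policy == "none":
        return "RED", "p=none: failing mail is still delivered"
    if policy == "quarantine" or tags.get("pct", "100") != "100":
        return "AMBER", "enforcement is partial (quarantine or pct below 100)"
    if "rua" not in tags:
        return "AMBER", "p=reject but no rua= aggregate reporting address"
    return "GREEN", "p=reject with aggregate reporting"

# Constructed sample records for a hypothetical domain.
SAMPLE_APEX = ["v=spf1 include:spf.example.net ~all", "site-verification=abc123"]
SAMPLE_DMARC = ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"]

if __name__ == "__main__":
    print("SPF  ", grade_spf(SAMPLE_APEX))
    print("DMARC", grade_dmarc(SAMPLE_DMARC))
```

To grade a real domain, pass in the TXT strings returned for the apex and for the _dmarc subdomain by your resolver of choice.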
The deliverable
- PDF report scoped to one email domain
- Executive summary with a Red / Amber / Green status per record (SPF, DKIM, DMARC, MX)
- Per-record findings with the raw DNS evidence cited
- Prioritised remediation checklist your IT provider can action directly
- Plain-English explanation of what each record does and why it matters for BEC resistance
- Delivered via email within 1 business day of payment
CTA
Run the Email Security Check — AUD $99
A single-domain productised offer. No discovery call required. Suitable for any Mandurah conveyancing or settlement practice that wants a defensible baseline on its email authentication posture before assessing further controls.
For ongoing monitoring or a transaction-specific BEC audit, contact DRMO about the Pre-Settlement Shield engagement.
Sources
- Australian Registrars’ National Electronic Conveyancing Council — Model Participation Rules (Version 7, January 2024): https://www.arnecc.gov.au/publications/model-participation-rules/
- Australian Cyber Security Centre — guidance on business email compromise and email authentication: https://www.cyber.gov.au/
DRMO capability references:
- Email Security Check (L1 service shape, productised)
- Pre-Settlement Shield (L3 Shield package — referenced as the upstream engagement)