Email Security Check for Melbourne Conveyancers: SPF/DMARC/DKIM Readiness Against BEC Under ARNECC Participation Rules
Your firm sends payment instructions, settlement notifications, and client authority requests by email every working day. If your domain has no SPF record, a permissive DMARC policy, or no DKIM signing, an attacker can spoof your firm’s address and walk a payment redirect straight into a client’s inbox the week of settlement. The Email Security Check tells you exactly where your domain sits today and what a Subscriber operating under ARNECC’s Model Participation Rules should fix first.
Why it matters now
ARNECC’s Model Participation Rules (Version 7, January 2024) require Subscribers in each jurisdiction — including Victoria — to maintain security practices around digital signing, system access, and communications integrity as a condition of operating on an Electronic Lodgment Network. The Australian Cyber Security Centre publishes specific technical guidance on email authentication (SPF, DKIM, and DMARC) as the recognised baseline for preventing domain spoofing, and ACCC ScamWatch tracks payment-redirection scams against professional services as a high-loss category. Melbourne conveyancers sit between vendor, purchaser, lender, and PEXA — a structurally attractive target for business email compromise, where one spoofed email impersonating your firm can divert trust funds with little chance of recovery.
The 5-minute view
- ARNECC Model Participation Rules Version 7 has been in force since January 2024 and applies to all Subscribers operating on an Electronic Lodgment Network in Victoria
- SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance) are the three email authentication standards published by the IETF and recommended by the ACSC
- A domain with no DMARC policy, or DMARC set to p=none, allows spoofed mail purporting to come from your firm to reach client inboxes without rejection
- BEC attacks targeting property settlements typically peak in the final 7–14 days before settlement, when payment instructions are being exchanged
- Out-of-band verification (a phone call to a known number) is the recommended control when payment instructions arrive or change by email
- An Email Security Check is a point-in-time diagnostic of your firm’s outbound email authentication posture — not a guarantee against compromise, but a documented baseline you can act on and show to your insurer
What DRMO does about it
The Email Security Check is a productised L1 diagnostic delivered against your firm’s primary email domain. You submit your domain (the part after the @ in your firm address). DRMO queries the public DNS records for SPF, DKIM selectors, and DMARC; tests the policy strength and alignment settings; and identifies whether the configuration would reject, quarantine, or pass spoofed mail purporting to come from your firm. The diagnostic is scoped to the public-facing authentication posture — what an attacker sees when probing your domain — and is mapped to ACSC guidance and to the security-practice expectations Subscribers face under the ARNECC Model Participation Rules. No access to your mail system or internal records is required.
This is the same domain check that runs as Step 1 of larger DRMO pre-settlement engagements, productised here for single-firm self-serve use.
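The kind of policy-strength test described above can be sketched in a few lines; this is an added example, not DRMO's tooling or scoring. It assumes the TXT records for the domain and for `_dmarc.<domain>` have already been fetched, skips the DKIM selector lookup, and uses hypothetical function names and Red/Amber/Green thresholds chosen for illustration.

```python
# Added example: grade SPF and DMARC TXT strings that were already fetched.
# The Red/Amber/Green thresholds are illustrative assumptions, not DRMO's scoring.
RANK = {"GREEN": 0, "AMBER": 1, "RED": 2}

def _tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict with lower-cased keys."""
    pairs = [p.split("=", 1) for p in record.split(";") if "=" in p]
    return {k.strip().lower(): v.strip() for k, v in pairs}

def grade_dmarc(txt_records):
    """Return (status, what happens to mail that fails DMARC)."""
    found = [t for t in map(_tags, txt_records) if t.get("v") == "DMARC1"]
    # RFC 7489: zero or several records means no policy is applied.
    if len(found) != 1 or found[0].get("p", "").lower() not in ("none", "quarantine", "reject"):
        return "RED", "pass"
    policy = found[0]["p"].lower()
    pct = found[0].get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100     # pct defaults to 100
    if policy == "none":
        return "RED", "pass"                     # monitoring only, nothing blocked
    if policy == "reject" and pct == 100:
        return "GREEN", "reject"
    return "AMBER", policy                       # quarantine, or partial rollout

def grade_spf(txt_records):
    """Grade the SPF record by its terminal 'all' mechanism."""
    found = [r.split() for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:                          # RFC 7208: several records -> permerror
        return "RED"
    terms = [t.lower() for t in found[0][1:]]
    final = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if final in ("all", "+all"):
        return "RED"                             # authorises every sender
    return "GREEN" if final == "-all" else "AMBER"   # ~all, ?all or no 'all'

def assess(root_txt, dmarc_txt):
    """root_txt: TXT at the domain; dmarc_txt: TXT at _dmarc.<domain>."""
    spf = grade_spf(root_txt)
    dmarc, disposition = grade_dmarc(dmarc_txt)
    return {"spf": spf, "dmarc": dmarc, "spoofed_mail": disposition,
            "overall": max(spf, dmarc, key=RANK.get)}

# Constructed sample records (not taken from any real domain).
WEAK = assess(["v=spf1 include:_spf.example.net ~all"],
              ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"])
STRONG = assess(["v=spf1 include:_spf.example.net -all"],
                ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"])
```

`WEAK` shows the case from the 5-minute view: SPF is published, but `p=none` means mail failing DMARC is still delivered, so the overall status is Red.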
The deliverable
- PDF report scoped to one firm domain
- Per-record findings for SPF, DKIM (common selectors tested), and DMARC, with the underlying DNS evidence cited
- Red / Amber / Green status against ACSC-aligned baseline configuration
- Plain-English explanation of what each gap means in a BEC scenario targeting a settlement file
- Recommended remediation steps your IT provider can action, with the specific DNS record changes
- Delivered via email within 1 business day of payment
Run the Email Security Check — AUD $99
A single-domain productised diagnostic. No discovery call required. Suitable for any Victorian conveyancing or settlement firm wanting a documented baseline of its email authentication posture before the next settlement cycle.
Sources
- Australian Registrars’ National Electronic Conveyancing Council — Model Participation Rules (Version 7, January 2024): https://www.arnecc.gov.au/publications/model-participation-rules/
- Australian Cyber Security Centre — general guidance on email authentication and business email compromise: https://www.cyber.gov.au/
- Australian Competition and Consumer Commission — ScamWatch payment-redirection scam category: https://www.scamwatch.gov.au/
DRMO capability references: