Email Security Check for NSW Conveyancers: Verify Your SPF, DMARC and DKIM Records Against ARNECC Subscriber Obligations
You run a NSW conveyancing practice. You correspond with vendors, purchasers, banks, and other practitioners every day, and most of those emails carry payment instructions, identity documents, or settlement information. If your firm’s email domain doesn’t authenticate properly, a scammer can spoof your name to your own clients — and you won’t see it happen. The Email Security Check is a one-shot diagnostic that tells you, in plain English, whether your domain is currently configured to make that harder.
It’s the cheapest piece of due-diligence you can put on a Subscriber’s security file, and it’s the first thing a regulator or insurer will look at if something does go wrong.
Why it matters now
Under the Electronic Conveyancing National Law, NSW Subscribers must comply with the Participation Rules made by the NSW Registrar General, which are based on the ARNECC Model Participation Rules (Version 7, January 2024 is the current published version). Those rules require Subscribers to maintain security practices that protect against unauthorised access and to retain evidence of those practices. Separately, the Australian Cyber Security Centre identifies business email compromise as one of the highest-loss cybercrime categories affecting Australian businesses, and the Australian Competition and Consumer Commission’s Scamwatch service tracks payment-redirection scams targeting professional services. Email authentication (SPF, DKIM, DMARC) is the baseline technical control that makes domain spoofing — the mechanism behind most BEC against conveyancers — measurably harder.
The 5-minute view
- SPF (Sender Policy Framework) is a DNS record listing the servers authorised to send mail for your domain. Without it, any server on the internet can claim to be you.
- DKIM (DomainKeys Identified Mail) cryptographically signs outbound mail so recipients can verify it wasn’t altered or forged in transit.
- DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receiving mail servers what to do when SPF or DKIM fails — quarantine, reject, or allow — and can send you reports on spoofing attempts.
- The Australian Cyber Security Centre publishes guidance recommending DMARC with a p=reject policy for organisations sending email; general guidance is available at https://www.cyber.gov.au/.
- A DMARC record set to p=none (monitor-only) provides visibility but does not block spoofed mail.
- The ARNECC Model Participation Rules require Subscribers to implement and maintain security measures appropriate to the risks of electronic conveyancing.
- A domain with no SPF record, no DKIM signing, or DMARC at p=none is a measurably softer target for impersonation than one configured to ACSC guidance.
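To make the list above concrete, here is an added example (not DRMO's tooling or code from this page) that grades already-retrieved SPF and DMARC TXT records Red / Amber / Green. The grading thresholds, function names and sample records are assumptions chosen for illustration; DKIM is left out because its selector cannot be discovered from DNS alone.

```python
"""Added example: Red/Amber/Green grading of SPF and DMARC TXT records.
The thresholds are assumptions for illustration, not DRMO's criteria."""

def grade_spf(txt_records):
    """Grade the TXT records published at the domain itself."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ("RED", "multiple SPF records" if spf else "no SPF record")
    terms = spf[0].lower().split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        return ("AMBER", "no 'all' mechanism; check any redirect= target")
    qualifier = all_terms[0][0] if all_terms[0][0] in "-~?" else "+"
    return {"-": ("GREEN", "unlisted senders hard-fail"),
            "~": ("AMBER", "unlisted senders only softfail"),
            "?": ("RED", "neutral: no assertion about unlisted senders"),
            "+": ("RED", "+all authorises every server")}[qualifier]

def grade_dmarc(txt_records):
    """Grade the TXT records published at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return ("RED", "multiple DMARC records" if recs else "no DMARC record")
    tags = {}
    for part in recs[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    note = "" if "rua" in tags else "; no rua= reporting address"
    if policy == "reject" and pct == 100:
        return ("GREEN", "p=reject" + note)
    if policy in ("reject", "quarantine"):
        return ("AMBER", f"p={policy}, pct={pct}" + note)
    return ("RED", f"p={policy or 'missing'} does not block spoofed mail" + note)

# Constructed sample records (example.com.au is a placeholder domain).
SAMPLE_APEX = ["v=spf1 include:_spf.example.net ~all", "site-verification=abc123"]
SAMPLE_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com.au"]

if __name__ == "__main__":
    print("SPF  ", grade_spf(SAMPLE_APEX))
    print("DMARC", grade_dmarc(SAMPLE_DMARC))
```

The TXT strings themselves can be fetched with any resolver, for example `dig +short TXT` against the domain and against its `_dmarc` subdomain.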
What DRMO does about it
The Email Security Check is a single-domain diagnostic. You submit your firm’s primary email domain. We query the public DNS records for SPF, DKIM (where selectors can be inferred from message headers you provide), and DMARC. We test each record against the Australian Cyber Security Centre’s published guidance on email authentication and against the structural risks specific to a conveyancing Subscriber: spoofed instruction emails to clients, lookalike domain registration patterns, and absent DMARC reporting. The output is a fixed-scope PDF report identifying what’s configured, what’s missing, what’s misconfigured, and what to ask your IT provider to change. This is the L1 productised version of the email-authentication review that runs as part of the DRMO Pre-Settlement Shield package; it is delivered without a discovery call.
The deliverable
- PDF report scoped to one email domain (typically 8–12 pages)
- Executive summary with Red / Amber / Green status per control (SPF, DKIM, DMARC)
- Per-record technical findings with the underlying DNS evidence cited
- Plain-English remediation list written for handover to your IT provider
- Mapping of findings to ARNECC Model Participation Rule security expectations, suitable for retention on your Subscriber compliance file
- Delivered via email within 1 business day of domain submission and payment
Run the Email Security Check — AUD $99
A single-domain productised offer. No discovery call required. Suitable for any NSW conveyancing or settlement firm that wants documented evidence of its email authentication posture on file.
For ongoing protection across all transactions and broader Subscriber security posture, see the DRMO Pre-Settlement Shield (consultative; book a discovery call).
Sources
- Australian Registrars’ National Electronic Conveyancing Council — Model Participation Rules (Version 7, January 2024): https://www.arnecc.gov.au/publications/model-participation-rules/
- Australian Cyber Security Centre — general guidance on email authentication and business email compromise: https://www.cyber.gov.au/
- Australian Competition and Consumer Commission — Scamwatch (business email compromise scam category): https://www.scamwatch.gov.au/
DRMO capability references:
- Email Security Check (L1 service shape, productised)
- Pre-Settlement Shield (L3 consulting package — email authentication review is a component step)