Email Security Check for Perth Conveyancers: Verify SPF, DMARC and DKIM Before Settlement Instructions Move
Your firm sends and receives trust-account instructions by email every day. If an attacker can spoof your domain — or if your inbound mail server cannot tell a forged sender from a real one — that one email is the gap between a clean settlement and a redirected payment. The Email Security Check is a one-shot diagnostic that tells you, in plain English, whether your domain’s email authentication actually does what you assume it does.
Why it matters now
ARNECC’s Model Participation Rules (Version 7, January 2024) require Subscribers to electronic conveyancing systems to maintain security practices around their digital certificates, user access, and the communications that surround a settlement. Email authentication sits underneath those obligations: if your domain is not protected by SPF, DKIM, and DMARC, an attacker can send mail that appears to come from your firm to a counterparty, a lender, or a client, and the receiving server will accept it. The Australian Cyber Security Centre publishes specific technical guidance on these three controls and treats them as a baseline for Australian organisations. Business email compromise targeting professional services is one of the highest-loss scam categories tracked by the ACCC’s Scamwatch service. For Perth conveyancers, the operational reality is that a single unauthenticated domain can be impersonated cheaply and at scale.
The 5-minute view
- ARNECC Model Participation Rules Version 7 (January 2024) is the current published version on the ARNECC site and governs Subscriber conduct in electronic conveyancing
- SPF (Sender Policy Framework) tells receiving servers which IP addresses are permitted to send mail on behalf of your domain
- DKIM (DomainKeys Identified Mail) cryptographically signs outbound mail so a receiver can verify the message was not altered in transit
- DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receivers what to do when SPF or DKIM fails, and reports spoofing attempts back to you
- A DMARC policy of p=none collects telemetry but does not block spoofed mail; only p=quarantine or p=reject instructs receivers to act
- The Australian Cyber Security Centre publishes guidance on all three controls at https://www.cyber.gov.au/
- The ACCC’s Scamwatch service classes payment-redirection scams targeting professional services as a high-loss category, with details at https://www.scamwatch.gov.au/
- A misconfigured or missing record on any one of the three controls is the most common precondition for a successful BEC against an Australian firm domain
What DRMO does about it
The Email Security Check is a fixed-scope L1 diagnostic against a single firm domain. You submit your primary email domain (and any aliases used for client correspondence). We query the public DNS records for SPF, DKIM selectors, and DMARC, parse them against the syntax each standard requires, and assess them against ACSC’s published guidance for Australian organisations. We then write up the findings as a plain-English report — what is configured, what is missing, what is misconfigured, and the specific DNS record changes recommended to close each gap. This is the entry-level diagnostic in the DRMO service catalogue and the natural starting point before a Pre-Settlement BEC Audit or a broader Pre-Settlement Shield engagement.
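The parse-and-assess step described above, sketched as an added example that is not DRMO's tooling: it grades SPF and DMARC TXT records against an assumed Pass/Partial/Fail rubric. The sample records and the example.com.au domain are constructed, and DKIM is left out because its record can only be fetched once the selector name is known.

```python
# Added example: grades constructed TXT records offline. The Pass/Partial/Fail
# rubric is an assumption for illustration, not DRMO's scoring.

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_spf(txt_records):
    """Grade the TXT records published at the domain itself.
    include: and redirect= targets are not followed in this sketch."""
    found = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:
        return "Fail", "need exactly one v=spf1 record, found %d" % len(found)
    terms = found[0].lower().split()[1:]
    if "all" in terms or "+all" in terms:
        return "Fail", "+all authorises every sender"
    if "-all" in terms:
        return "Pass", "unlisted senders hard-fail (-all)"
    return "Partial", "no -all term in this record; unlisted senders are not rejected"

def assess_dmarc(txt_records):
    """Grade the TXT records published at _dmarc.<domain>."""
    found = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(found) != 1:
        return "Fail", "need exactly one v=DMARC1 record, found %d" % len(found)
    tags = parse_tags(found[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "Fail", "missing or invalid p= tag"
    if policy == "none":
        return "Partial", "p=none collects reports but does not block spoofed mail"
    if tags.get("pct", "100") != "100":
        return "Partial", "p=%s applies to only pct=%s of mail" % (policy, tags["pct"])
    return "Pass", "p=%s instructs receivers to act" % policy

# Constructed sample records for the placeholder domain example.com.au
SAMPLE_SPF = ["v=spf1 include:_spf.example.net ~all", "unrelated-verification=abc123"]
SAMPLE_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"]

if __name__ == "__main__":
    for name, result in (("SPF", assess_spf(SAMPLE_SPF)),
                         ("DMARC", assess_dmarc(SAMPLE_DMARC))):
        print("%-5s %-7s %s" % (name, result[0], result[1]))
```

Both constructed records grade as Partial: the SPF record ends in a soft-fail, and the DMARC record publishes p=none, which reports without blocking.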
The deliverable
- PDF report scoped to one firm domain (and stated aliases)
- Per-control status: SPF, DKIM, DMARC — Pass / Partial / Fail with the underlying DNS record cited
- Specific recommended DNS record values for any gap found
- Plain-English explanation of what each control does and what an attacker can do without it
- Delivered via email within 1 business day of domain submission and payment
- Suitable as evidence for internal compliance records referencing ARNECC Model Participation Rule obligations on Subscriber security practices
CTA
Run the Email Security Check — AUD $99
A single-domain productised diagnostic. No discovery call required. Suitable for any Perth conveyancing or settlement firm that sends or receives payment instructions by email and has not had its SPF, DKIM, and DMARC records independently reviewed in the last 12 months.
Sources
- Australian Registrars’ National Electronic Conveyancing Council — Model Participation Rules (Version 7, January 2024): https://www.arnecc.gov.au/publications/model-participation-rules/
- Australian Cyber Security Centre — general guidance on email authentication for Australian organisations: https://www.cyber.gov.au/
- Australian Competition and Consumer Commission — Scamwatch (payment-redirection and business email compromise scams): https://www.scamwatch.gov.au/
DRMO capability references:
- Email Security Check (L1 service shape, productised) — DRMO service catalogue
- Feeds into Pre-Settlement BEC Audit (L2) and Pre-Settlement Shield (L3) per DRMO service-package documentation