Email Security Check for Queensland Conveyancers: SPF, DMARC and DKIM Audit Aligned to ARNECC Participation Rules
You handle settlement instructions by email every day. A spoofed message carrying revised trust account details only needs to land in one inbox once. If your firm’s domain has weak SPF, DMARC or DKIM records, attackers can impersonate your conveyancers to clients — or impersonate counterparties to your team — without ever breaking into a mailbox. This $99 Email Security Check tells you exactly where your domain stands.
Why it matters now
Queensland conveyancers operating as Subscribers in PEXA are bound by Participation Rules made by the Queensland Registrar under the Electronic Conveyancing National Law, which the Australian Registrars’ National Electronic Conveyancing Council (ARNECC) develops as the Model Participation Rules (currently Version 7, published January 2024). The Model Participation Rules require Subscribers to maintain security controls covering their digital signing credentials, client authorisation processes, and the systems used to communicate with clients and other Subscribers — and to certify ongoing compliance. Email is the primary channel for both client authorisation forms and counterparty payment instructions in the lead-up to settlement, which makes it directly in scope for those security obligations. The Australian Cyber Security Centre also publishes specific guidance recommending SPF, DKIM and DMARC for any Australian business sending email at https://www.cyber.gov.au/.
The 5-minute view
- SPF (Sender Policy Framework) tells receiving mail servers which IP addresses are authorised to send mail for your domain. A missing or overly permissive SPF record lets attackers send mail that passes basic authentication checks.
- DKIM (DomainKeys Identified Mail) cryptographically signs outbound mail so recipients can verify it was not altered in transit and originated from a server holding your private key.
- DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receivers what to do when SPF or DKIM fails — quarantine, reject, or take no action — and lets you collect reports on who is sending mail in your name.
- A DMARC policy of p=none provides visibility but no protection. p=quarantine or p=reject is required to actually block spoofed mail.
- ARNECC Model Participation Rules Version 7 (January 2024) is the current baseline that each state Registrar’s Participation Rules — including in Queensland — are derived from.
- Business email compromise targeting Australian property settlements is a recognised threat class tracked by Scamwatch (https://www.scamwatch.gov.au/) and the Australian Cyber Security Centre.
- Email authentication is a control your firm sets at the DNS level — it is invisible to staff and clients, which is precisely why it is a common gap.
What DRMO does about it
The Email Security Check is a fixed-scope, single-domain diagnostic. You provide your firm’s primary email domain (the one on your conveyancers’ business cards and signature blocks). DRMO queries the public DNS records for that domain and reviews: the SPF record (presence, syntax, include chain length, and the closing mechanism), the DKIM selectors discoverable for that domain, and the DMARC record (presence, policy strength, alignment mode, reporting addresses). The review compares findings to the Australian Cyber Security Centre’s published guidance on email authentication and identifies gaps that would allow a third party to spoof mail purporting to come from your firm. This is the same DNS-layer check that runs as a precondition to the L2 Pre-Settlement BEC Audit, productised for self-serve use without a discovery call.
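The record-level review described above can be illustrated offline. This is an added example, not DRMO's tooling and not code from the original page: it rates SPF and DMARC TXT strings that have already been fetched. The Red/Amber/Green thresholds, function names and sample records are assumptions made for illustration.

```python
import re

RANK = {"GREEN": 0, "AMBER": 1, "RED": 2}
# Terms that trigger a DNS query during SPF evaluation (RFC 7208 caps them at 10).
LOOKUP = re.compile(r"[+\-~?]?(include:|exists:|(a|mx|ptr)([:/]|$))|redirect=")

def _rate(issues):
    """Collapse (status, message) pairs into (worst status, messages)."""
    worst = max((s for s, _ in issues), key=RANK.get, default="GREEN")
    return worst, [m for _, m in issues]

def assess_spf(txt):
    """Rate one SPF TXT string. Counts only top-level terms; nested includes need DNS."""
    if not txt or txt.lower().split()[:1] != ["v=spf1"]:
        return "RED", ["no SPF record published"]
    terms, issues = txt.lower().split()[1:], []
    closing = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if closing is None and any(t.startswith("redirect=") for t in terms):
        issues.append(("AMBER", "policy delegated by redirect=; review the target record"))
    elif closing is None:
        issues.append(("RED", "no closing 'all': unlisted senders get a neutral result"))
    elif closing in ("all", "+all", "?all"):
        issues.append(("RED", f"closing {closing} does not fail unlisted senders"))
    elif closing == "~all":
        issues.append(("AMBER", "softfail (~all): unlisted senders are flagged, not failed"))
    lookups = sum(1 for t in terms if LOOKUP.match(t))
    if lookups > 10:
        issues.append(("RED", f"{lookups} DNS-querying terms exceed the limit of 10"))
    return _rate(issues)

def assess_dmarc(txt):
    """Rate the TXT string published at _dmarc.<domain>."""
    tags = {k.strip().lower(): v.strip() for k, v in
            (p.split("=", 1) for p in (txt or "").split(";") if "=" in p)}
    if tags.get("v", "").upper() != "DMARC1":
        return "RED", ["no DMARC record published"]
    issues = [("GREEN", f"alignment adkim={tags.get('adkim', 'r')} aspf={tags.get('aspf', 'r')}")]
    if tags.get("p", "").lower() not in ("quarantine", "reject"):
        issues.append(("RED", f"p={tags.get('p', '(missing)')}: visibility only, no blocking"))
    if tags.get("pct", "100") != "100":
        issues.append(("AMBER", f"pct={tags['pct']}: policy covers only part of failing mail"))
    if "rua" not in tags:
        issues.append(("AMBER", "no rua= address: aggregate reports are not collected"))
    return _rate(issues)

# Constructed sample records; the domains are placeholders.
SPF_SAMPLE = "v=spf1 include:_spf.mailhost.example mx ~all"
DMARC_SAMPLE = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
print(assess_spf(SPF_SAMPLE), assess_dmarc(DMARC_SAMPLE))
```

The SPF lookup count here covers only the terms in the record itself; a full review also follows each include and redirect target, which requires live DNS queries.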
The deliverable
- 6-8 page PDF report scoped to one email domain
- Per-record review: SPF, DKIM, DMARC — with the raw record extracted and assessed
- Red / Amber / Green status for each of the three controls
- Specific DNS changes recommended, written so your IT provider or managed service partner can implement them directly
- Mapping of findings to the ACSC’s published email authentication guidance
- Delivered via email within 2 business days of payment
CTA
Run the Email Security Check — AUD $99
A single-domain productised offer. No discovery call required. Suitable for any Queensland conveyancing or settlement practice that wants a defensible baseline on email authentication before reviewing its broader ARNECC compliance posture.
For a transaction-specific review of payment-instruction emails on a live settlement file, see the Pre-Settlement BEC Audit. For ongoing protection across all transactions, the DRMO Retainer is available on a consultative basis.
Sources
- Australian Registrars’ National Electronic Conveyancing Council — Model Participation Rules (Version 7, January 2024): https://www.arnecc.gov.au/publications/model-participation-rules/
- Australian Cyber Security Centre — email security and business email compromise guidance: https://www.cyber.gov.au/
- Australian Competition and Consumer Commission — Scamwatch (business email compromise scam reporting): https://www.scamwatch.gov.au/
- PEXA Group Limited — Subscriber documentation: https://www.pexa.com.au/
DRMO capability references:
- Email Security Check (L1 service shape, productised, self-serve)
- Pre-Settlement Shield (L3 Shield package) — precondition step uses the same DNS-layer authentication review