Email Security Check for Sydney Conveyancers: Verify SPF, DMARC and DKIM Before a BEC Email Reaches Your Settlement Team
Most business email compromise emails targeting Sydney settlement files do not need to “break” anything — they only need your domain to be silent on whether the message is genuine. If your firm’s domain is not publishing SPF, DMARC, and DKIM records correctly, a spoofed “from” address purporting to be your conveyancer, your client’s solicitor, or the incoming mortgagee can land in your inbox without warning. This check tells you, in plain English, whether that gap exists on your domain today.
Why it matters now
Subscribers using an Electronic Lodgement Network in New South Wales operate under Participation Rules made by the Registrar under the Electronic Conveyancing National Law, modelled on ARNECC’s Model Participation Rules. The Model Participation Rules require Subscribers to maintain security measures over the digital systems and credentials used to transact on an ELN, and Subscribers self-certify compliance with these obligations annually. Separately, the Australian Cyber Security Centre identifies business email compromise as one of the most financially damaging cyber threats reported to it, and recommends SPF, DKIM and DMARC as foundational controls for any business that sends email — including law and conveyancing practices that issue trust-account instructions by email. Sydney conveyancers sitting between buyer, vendor, incoming mortgagee, and PEXA are a structurally attractive BEC target because of the one-shot, high-value funds movement at settlement.
The 5-minute view
- ARNECC’s Model Participation Rules Version 7 (January 2024) are the current model for Subscriber Participation Rules across Australian jurisdictions, including NSW.
- Under the Model Participation Rules, Subscribers are responsible for the security of their Digital Signing Certificate and the systems used to access the Electronic Lodgement Network — including the email channel used to coordinate settlement.
- SPF (Sender Policy Framework) tells receiving mail servers which servers are authorised to send mail for your domain.
- DKIM (DomainKeys Identified Mail) attaches a cryptographic signature so receivers can verify the message has not been altered in transit.
- DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receivers what to do when SPF or DKIM fails — and, critically, whether to reject spoofed mail or let it through.
- A DMARC policy of p=none provides reporting only and does not block spoofed mail; p=quarantine or p=reject is required to actively prevent spoofed mail from reaching recipients.
- The Australian Cyber Security Centre publishes general guidance on email authentication at https://www.cyber.gov.au/ and recommends progression toward a DMARC enforcement policy.
- An Email Security Check is the cheapest and fastest way to establish whether your domain’s email authentication posture is the one you assume it is.
What DRMO does about it
The Email Security Check is a fixed-scope L1 productised diagnostic on a single firm domain. You provide your primary firm domain (the one your conveyancers send and receive settlement instructions from). DRMO runs an external check of the publicly visible DNS records for that domain — SPF record presence and syntax, DKIM selector publication, DMARC record presence, the configured DMARC policy (none, quarantine, or reject), the rua reporting address, and alignment configuration. The output is a plain-English PDF report telling you what is published, what is missing, what is misconfigured, and the specific DNS changes recommended for your IT provider to implement. The check uses only externally observable DNS data; no access to your mail system or internal network is required.
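As an illustration of the record checks described above (SPF presence and syntax, DMARC policy, rua address, alignment), here is an added example that is not DRMO's own tooling. It rates TXT records that have already been fetched from DNS; the function names, the Red/Amber/Green thresholds and the sample records for example.com are assumptions made for the example.

```python
# Added example: rate already-fetched SPF and DMARC TXT records.
# The Red/Amber/Green thresholds are assumptions, not DRMO's scoring.

def rate_spf(apex_txt):
    """apex_txt: TXT strings published at the domain itself."""
    spf = [r for r in apex_txt if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:  # none, or several (which receivers treat as an error)
        return "RED", f"{len(spf)} SPF records published, expected exactly 1"
    alls = [t for t in spf[0].lower().split()[1:] if t.lstrip("+-~?") == "all"]
    if not alls:
        return "AMBER", "no terminal 'all' mechanism"
    qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"
    if qualifier == "-":
        return "GREEN", "-all: unlisted senders fail"
    if qualifier == "~":
        return "AMBER", "~all: unlisted senders only soft-fail"
    return "RED", f"{qualifier}all does not restrict who may send"

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    pairs = (p.partition("=") for p in parts)
    return {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}

def rate_dmarc(dmarc_txt):
    """dmarc_txt: TXT strings published at _dmarc.<domain>."""
    records = [t for t in map(parse_dmarc, dmarc_txt) if t is not None]
    if len(records) != 1:
        return "RED", f"{len(records)} DMARC records published, expected exactly 1"
    tags = records[0]
    policy = tags.get("p", "").lower()
    notes = [] if tags.get("rua") else ["no rua reporting address"]
    notes.append(f"adkim={tags.get('adkim', 'r')} aspf={tags.get('aspf', 'r')}")
    if policy in ("quarantine", "reject"):
        return "GREEN", f"p={policy} is enforced; " + "; ".join(notes)
    if policy == "none":
        return "AMBER", "p=none is reporting only; " + "; ".join(notes)
    return "RED", "missing or invalid p= tag"

# Constructed sample records for the placeholder domain example.com.
APEX_TXT = ["site-verification=abc123", "v=spf1 include:_spf.example.net ~all"]
DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"]

if __name__ == "__main__":
    print("SPF:  ", rate_spf(APEX_TXT))
    print("DMARC:", rate_dmarc(DMARC_TXT))
```

DKIM is left out of the example because a DKIM key can only be looked up once the selector name the mail system signs with is known.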
This is the L1 entry point in the DRMO Email Security service line. If the check identifies a material gap, the Pre-Settlement BEC Audit (L2) and Pre-Settlement Shield (L3) packages provide deeper, transaction-scoped follow-on work.
The deliverable
- PDF report scoped to one firm domain
- Executive summary with a Red / Amber / Green rating against SPF, DKIM, and DMARC
- Per-record findings showing the exact DNS records observed and any syntax or policy issues
- Plain-English explanation suitable for forwarding to your IT provider or managed service provider
- Recommended DNS changes, listed in priority order
- Delivered by email within 1 business day of payment and domain submission
CTA
Run the Email Security Check — AUD $99
A single-domain productised offer. No discovery call required. Suitable for any Sydney conveyancing or settlement practice that issues or receives payment instructions by email and wants to confirm its email authentication posture before the next settlement file.
Sources
- Australian Registrars’ National Electronic Conveyancing Council — Model Participation Rules (Version 7, January 2024): https://www.arnecc.gov.au/publications/model-participation-rules/
- Australian Cyber Security Centre — general guidance on business email compromise and email authentication: https://www.cyber.gov.au/
- Australian Competition and Consumer Commission — Scamwatch, payment redirection and BEC scam category: https://www.scamwatch.gov.au/
DRMO capability references:
- Email Security Check (L1 service shape) — DRMO surface area matrix
- Pre-Settlement BEC Audit (L2) and Pre-Settlement Shield (L3) — DRMO service packages