Email Security Check for Victorian Conveyancers: Verify SPF, DMARC and DKIM Before Your Next Settlement
Most business email compromise attacks against conveyancers begin with a spoofed or look-alike domain — and most Australian SME mail domains are still configured in a way that lets those spoofs land in a client’s inbox. If you don’t know whether your firm’s domain enforces SPF, DMARC and DKIM today, an attacker probably already does. The Email Security Check is a one-shot diagnostic that tells you exactly where your mail authentication stands and what to fix.
Why it matters now
Victorian Subscribers in the Electronic Lodgment Network (ELN) operate under Participation Rules made by the Registrar under Section 23 of the Electronic Conveyancing National Law, drawing on the Model Participation Rules published by the Australian Registrars’ National Electronic Conveyancing Council (ARNECC). Those rules impose duties on Subscribers around verification of identity, client authorisation, and the integrity of communications associated with electronic conveyancing transactions. Email is the channel through which trust account details, client authorisations and settlement instructions move — and the Australian Cyber Security Centre identifies business email compromise as a sustained, high-impact threat to Australian businesses. A domain that does not publish enforced SPF, DMARC and DKIM records is a domain that third parties can impersonate with comparative ease.
The 5-minute view
- ARNECC’s Model Participation Rules (Version 7, January 2024) are the basis for the Participation Rules determined by the Registrar of Titles in each jurisdiction, including Victoria.
- Subscribers under the Electronic Conveyancing National Law must comply with the Participation Rules in force in their jurisdiction.
- SPF (Sender Policy Framework) tells receiving mail servers which IP addresses are authorised to send mail for your domain.
- DKIM (DomainKeys Identified Mail) cryptographically signs outbound mail so recipients can verify it has not been altered in transit.
- DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receiving servers what to do with mail that fails SPF or DKIM — and is the control that actually blocks spoofing when set to p=reject.
- The Australian Cyber Security Centre publishes specific guidance on email hardening and on business email compromise at https://www.cyber.gov.au/.
- A misconfigured DMARC record (p=none, no reporting address, or no record at all) means spoofed mail purporting to come from your firm can land in a buyer’s, seller’s, or counter-party’s inbox without rejection.
What DRMO does about it
The Email Security Check is a fixed-scope L1 productised diagnostic run against your firm’s primary mail domain (and up to two related domains used for client correspondence). DRMO performs an external check of the published DNS records: SPF record presence, syntax, lookup count and policy strictness; DKIM selector discovery and key length; DMARC record presence, policy (p=none/quarantine/reject), alignment mode, and reporting endpoints. The check also flags adjacent indicators — MTA-STS, TLS-RPT, and obvious look-alike domain registrations on the most common typosquat patterns of your primary domain. This is an external diagnostic only; no access to your mail server, mailbox, or internal systems is required. The service is the productised L1 version of the email-authentication review that runs inside DRMO’s larger Pre-Settlement Shield engagement.
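The SPF and DMARC part of such a record check, sketched as an added example (this is not DRMO's tooling or scoring): it grades TXT record strings on the SPF all qualifier, the lookup count visible in the record, the DMARC policy and the reporting address. The sample records, function names and Red/Amber/Green thresholds are assumptions.

```python
# Added example: grade SPF and DMARC TXT records (constructed samples below).
# The Red/Amber/Green thresholds are assumptions, not DRMO's scoring rules.
# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def grade_spf(txt):
    """Grade one SPF TXT string. Only lookups visible in this record are
    counted; those nested inside include: targets need live DNS."""
    if not txt or txt.lower().split()[:1] != ["v=spf1"]:
        return "RED", ["no SPF record published"]
    terms = [t.lstrip("+") for t in txt.lower().split()[1:]]
    names = [t.lstrip("-~?").replace("=", ":").split(":")[0].split("/")[0] for t in terms]
    lookups = sum(n in LOOKUP_TERMS for n in names)
    if lookups > 10:
        return "RED", [f"{lookups} DNS lookups exceed the limit of 10"]
    if "-all" in terms:
        return "GREEN", []
    if "~all" in terms:
        return "AMBER", ["~all only soft-fails unauthorised senders"]
    if "all" in terms or "?all" in terms:
        return "RED", ["all term passes or ignores every sender"]
    if "redirect" in names:
        return "AMBER", ["policy set by redirect= target; grade that record"]
    return "AMBER", ["no all term; unlisted senders get a neutral result"]


def grade_dmarc(txt):
    """Grade one DMARC TXT string as published at _dmarc.<domain>."""
    parts = (p.partition("=") for p in (txt or "").split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in parts if v}
    if tags.get("v", "").upper() != "DMARC1":
        return "RED", ["no DMARC record published"]
    findings = [] if tags.get("rua") else ["no rua= reporting address"]
    policy = tags.get("p", "").lower()
    if policy == "reject":
        return ("AMBER" if findings else "GREEN"), findings
    if policy == "quarantine":
        return "AMBER", findings + ["p=quarantine sends failures to spam, not rejection"]
    if policy == "none":
        return "RED", findings + ["p=none monitors only; spoofed mail is delivered"]
    return "RED", findings + ["missing or invalid p= tag"]


# Constructed sample records; example.com is a reserved documentation domain.
SAMPLES = {"spf": "v=spf1 mx include:_spf.example.net ~all",
           "dmarc": "v=DMARC1; p=none"}
if __name__ == "__main__":
    print("SPF  ", grade_spf(SAMPLES["spf"]))
    print("DMARC", grade_dmarc(SAMPLES["dmarc"]))
```

To grade a live domain, pass in the TXT strings returned for the domain itself (SPF) and for _dmarc.<domain> (DMARC).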
The deliverable
- PDF report scoped to one primary domain plus up to two related domains.
- Red / Amber / Green status per domain, per control (SPF, DKIM, DMARC, MTA-STS).
- The raw DNS records observed, with the specific syntax or policy issue identified for each finding.
- A prioritised remediation list your IT provider can action directly, written in plain English with the exact record syntax to publish.
- Flagged look-alike domains observed on common typosquat patterns of your primary domain.
- Delivered via email within 1 business day of payment.
CTA
Run the Email Security Check — AUD $99
A single-shot productised diagnostic. No discovery call required, no access to your systems required — DRMO only needs the domain name. Suitable for any Victorian conveyancing firm that handles client funds, trust account instructions, or PEXA-related correspondence by email.
For firms wanting an end-to-end review across mail authentication, BEC indicators on a live file, and Subscriber-side controls, the Pre-Settlement Shield engagement is available as a separate consultative offer.
Sources
- Australian Registrars’ National Electronic Conveyancing Council — Model Participation Rules (Version 7, January 2024): https://www.arnecc.gov.au/publications/model-participation-rules/
- Australian Cyber Security Centre — guidance on business email compromise and email hardening: https://www.cyber.gov.au/
- Australian Competition and Consumer Commission — Scamwatch (payment-redirection and BEC scam reporting): https://www.scamwatch.gov.au/
DRMO capability references:
- Email Security Check (L1 productised service shape) — DRMO service catalogue
- Pre-Settlement Shield (L3 consulting engagement) — DRMO service catalogue