Email Security Check for WA Conveyancers: SPF, DMARC and DKIM Evidence for ARNECC Participation Rule Compliance

You handle the buyer’s funds, the seller’s instructions, and the lender’s payout figures — and most of it moves through email. If your domain is not authenticated, a fraudster can send a message that looks like it came from your firm, and your settlement team has no technical way to tell the difference. The Email Security Check is a one-shot diagnostic on your firm’s email domain that produces a written record of where you stand on the three controls that actually matter: SPF, DMARC and DKIM.

Why it matters now

Under the Electronic Conveyancing National Law, Subscribers must comply with the Participation Rules made by the Registrar in each jurisdiction; the Australian Registrars’ National Electronic Conveyancing Council (ARNECC) publishes the Model Participation Rules that those jurisdiction-specific rules are based on, with Version 7 (January 2024) being the current edition. The Model Participation Rules require Subscribers to maintain security measures over their digital signing certificate, client authorisation and verification of identity processes — all of which depend on email as the primary channel for instructions. The Australian Cyber Security Centre publishes general guidance on business email compromise at https://www.cyber.gov.au/, and the ACCC’s Scamwatch service at https://www.scamwatch.gov.au/ tracks payment-redirection scams targeting professional services as a high-loss scam category. An unauthenticated firm domain is the structural precondition that makes a convincing payment-redirection email possible.

The 5-minute view

• ARNECC publishes the Model Participation Rules; the current edition is Version 7, dated January 2024, available at arnecc.gov.au
• In Western Australia, the Registrar of Titles determines the WA Participation Rules based on the ARNECC model, and WA Subscribers must comply with them
• The Model Participation Rules require Subscribers to maintain security measures over digital signing certificates, client authorisation and verification of identity — processes that almost always touch email
• SPF (Sender Policy Framework) tells receiving mail servers which servers are permitted to send mail for your domain
• DKIM (DomainKeys Identified Mail) cryptographically signs outbound mail so recipients can verify it was not altered in transit
• DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receiving servers what to do when SPF and DKIM checks fail — and produces reports showing who is impersonating your domain
• A domain with no DMARC policy, or a DMARC policy set to p=none, provides no enforcement against impersonation — the receiving server is told to do nothing
• The Email Security Check produces a written record of your domain’s current configuration that can be filed against your firm’s compliance documentation

What DRMO does about it

The Email Security Check is a single-domain diagnostic productised for self-serve purchase. You submit your firm’s email domain (for example, yourfirm.com.au) and we run a fixed-scope review of its public DNS records covering: SPF record presence, syntax and ~all/-all enforcement mode; DKIM selector discovery and key configuration; DMARC record presence, policy strength (none / quarantine / reject), percentage tag, and reporting addresses; and a check for common misconfigurations such as multiple SPF records, expired selectors, or DMARC reports going nowhere. This is the L1 entry-point service in the DRMO catalogue, designed for firms who want a written technical baseline before deciding whether to engage on the L2 Pre-Settlement BEC Audit or the L3 Pre-Settlement Shield consulting engagement.

The deliverable

• PDF report scoped to one firm email domain
• Per-control status (SPF, DKIM, DMARC) with a Red / Amber / Green rating and the underlying DNS record cited verbatim
• Plain-English explanation of what each control does and why the current setting matters
• Prioritised remediation checklist your IT provider can action directly
• Reference notes mapping each control to the relevant ARNECC Model Participation Rule security obligation
• Delivered via email within 1 business day of domain submission and payment

CTA

Run the Email Security Check — AUD $99

A single-domain productised offer. No discovery call required. Suitable for any WA conveyancing or settlement firm that wants a written baseline of its email authentication posture before settlement season, before an annual review, or before engaging on a larger DRMO assessment.

Sources

1. Australian Registrars’ National Electronic Conveyancing Council — Model Participation Rules (Version 7, January 2024): https://www.arnecc.gov.au/publications/model-participation-rules/
2. Australian Cyber Security Centre — general guidance on business email compromise: https://www.cyber.gov.au/
3. Australian Competition and Consumer Commission — Scamwatch, general guidance on payment-redirection scams: https://www.scamwatch.gov.au/

DRMO capability references:

• Email Security Check (L1 service shape, SPF/DMARC/DKIM diagnostic)
• Pre-Settlement BEC Audit (L2 service shape, single-transaction)
• Pre-Settlement Shield (L3 Shield package, consulting engagement)