Email Security Check for Australian Estate Planning Lawyers: SPF, DMARC and DKIM Posture Against BEC
You hold the most sensitive personal information your clients will ever share — wills, beneficiary details, asset schedules, family disputes — and most of it moves through email. If someone can impersonate your firm’s domain, they can redirect an inheritance distribution or harvest a probate file in a single afternoon. This Email Security Check tells you, in one PDF, whether your sending domain is configured to make that impersonation harder.
What the check answers
Three questions, one report: Is your domain publishing SPF correctly? Is DKIM signing your outbound mail? Is DMARC enforcing a policy, or is it sitting at p=none while attackers spoof you with impunity?
Why it matters now
Estate planning practices handle large volumes of personal information — including health information, financial details, and family relationships. Handling that information makes them APP entities under the Privacy Act 1988 (Cth) once turnover exceeds the threshold, and may bring them into scope regardless under the “health service provider” or related categories. The Office of the Australian Information Commissioner administers the 13 Australian Privacy Principles and the Notifiable Data Breaches scheme, both of which place ongoing obligations on firms to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access or disclosure. The Australian Cyber Security Centre identifies business email compromise as a high-impact threat to Australian professional services, and publishes specific guidance on email authentication (SPF, DKIM, DMARC) as a baseline control to reduce domain spoofing risk.
The 5-minute view
- The Privacy Act 1988 (Cth) applies to organisations with an annual turnover of more than $3 million and to some smaller organisations, including health service providers — many estate practices fall in scope
- Australian Privacy Principle 11 requires APP entities to take reasonable steps to protect personal information from unauthorised access and disclosure
- Under the Notifiable Data Breaches scheme administered by the OAIC, eligible data breaches involving personal information must be notified to the OAIC and to affected individuals
- BEC attacks against law firms commonly use domain spoofing — sending mail that appears to come from a partner or principal — to redirect estate distributions or extract client documents
- SPF (Sender Policy Framework) tells recipient mail servers which IPs are authorised to send mail for your domain
- DKIM (DomainKeys Identified Mail) cryptographically signs outbound messages so recipients can verify they were not altered
- DMARC ties SPF and DKIM together with a published policy (none, quarantine, or reject) instructing recipients what to do when authentication fails
- A domain published with a DMARC policy of p=none is, in practice, unprotected against spoofing — the policy is observational only
What DRMO does about it
The Email Security Check is a fixed-scope, single-domain diagnostic of your firm’s email authentication posture. You submit your primary sending domain (and up to two additional domains used for client correspondence). DRMO runs an external check against the public DNS records — SPF syntax and lookup count, DKIM selector discovery and key strength, DMARC policy and reporting addresses — then assesses the configuration against the email authentication guidance published by the Australian Cyber Security Centre. The deliverable is a plain-English PDF report showing the current state of each record, the specific weaknesses present, and the prioritised changes your IT provider should make. This is the Email Security Check (L1) entry in the DRMO service catalogue; it does not require a discovery call.
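As an added illustration of the kind of assessment described above (example code written for this page, not DRMO's runbook or tooling), the following offline Python script rates SPF and DMARC records Red/Amber/Green on the points the 5-minute view and the check description raise: SPF lookup count and the trailing "all" qualifier, DMARC policy level and the presence of a reporting address. The sample records and domain names are constructed; a real check would read the TXT records from public DNS and would also cover DKIM.

```python
import re
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs one of the 10 DNS lookups SPF allows (RFC 7208)

def assess_spf(record):
    """Rate an SPF TXT record Red/Amber/Green; returns (rating, findings)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "Red", ["no valid v=spf1 record published"]
    rating, findings = "Green", []
    # Drop the qualifier (+ - ~ ?) and any ":host", "=host" or "/cidr" argument to get the term name.
    lookups = sum(re.split(r"[:=/]", t.lstrip("+-~?"), maxsplit=1)[0].lower() in LOOKUP_TERMS
                  for t in terms[1:])
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10; receivers treat this as permerror")
        rating = "Red"
    tail = terms[-1].lower()
    if tail in ("all", "+all"):
        findings.append("+all authorises any host on the internet to send as your domain")
        rating = "Red"
    elif tail != "-all":
        findings.append(f"record ends with '{tail}', not the hard-fail '-all'")
        rating = "Amber" if rating == "Green" else rating
    return rating, findings

def assess_dmarc(record):
    """Rate a DMARC TXT record; p=none rates Red because it enforces nothing."""
    tags = {k.strip().lower(): v.strip() for k, v in
            (p.split("=", 1) for p in record.split(";") if "=" in p)}
    if tags.get("v", "").upper() != "DMARC1":
        return "Red", ["no valid v=DMARC1 record published"]
    levels = {"reject": "Green", "quarantine": "Amber", "none": "Red"}
    policy = tags.get("p", "").lower()
    if policy not in levels:
        return "Red", ["missing or invalid p= tag; receivers ignore the record"]
    rating, findings = levels[policy], []
    if policy == "none":
        findings.append("p=none is observational only; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam instead of rejecting it")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports on spoofing attempts are never received")
        rating = "Amber" if rating == "Green" else rating
    return rating, findings

# Constructed sample records for a fictitious firm domain (not real DNS data).
SAMPLE_SPF = "v=spf1 include:_spf.mailhost.test include:crm.test a mx ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example-law.test"

if __name__ == "__main__":
    print(assess_spf(SAMPLE_SPF), assess_dmarc(SAMPLE_DMARC))
```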
The deliverable
- PDF report covering one primary domain (plus up to two secondary domains) on a single firm
- Per-record findings for SPF, DKIM, and DMARC with the actual DNS record values cited
- Red / Amber / Green rating per record, with the underlying reasoning
- Prioritised remediation list written for handover to your existing IT or managed service provider
- Mapping of each finding to the relevant ACSC email authentication guidance
- A short section framing how the findings relate to “reasonable steps” under Australian Privacy Principle 11
- Delivered via email within 1 business day of domain submission and payment
Run the Email Security Check — AUD $99
A productised, self-serve diagnostic. No discovery call required. Suitable for any Australian estate planning practice that wants a defensible snapshot of its email authentication posture before its next privacy review, insurance renewal, or partner audit.
This report supports — but is not a substitute for — the broader operational measures required under the Privacy Act. It is an operational diagnostic, not legal advice.
Sources
- Office of the Australian Information Commissioner — The Privacy Act: https://www.oaic.gov.au/privacy/the-privacy-act
- Office of the Australian Information Commissioner (general regulator site, Australian Privacy Principles and Notifiable Data Breaches scheme): https://www.oaic.gov.au/
- Australian Cyber Security Centre — general guidance on business email compromise and email authentication: https://www.cyber.gov.au/
- Federal Register of Legislation — Privacy Act 1988 (Cth): https://www.legislation.gov.au/
DRMO capability references:
- Email Security Check (L1 service shape) — DRMO service catalogue
- SPF / DKIM / DMARC external diagnostic protocol — DRMO internal runbook