Email Security Check for Bunbury Estate Planning Lawyers: SPF, DMARC and DKIM Aligned to Privacy Act Obligations
You hold the most sensitive personal information in a client’s life: wills, enduring powers of attorney, beneficiary identities, asset schedules, and the addresses of vulnerable family members. Most of that information moves through email. If an attacker can send mail that passes as coming from your firm’s domain, they can redirect a beneficiary distribution or impersonate you to an executor, and you carry the notification obligation when it happens. The Email Security Check is a one-shot diagnostic on the three public DNS authentication records that decide whether receiving mail servers will accept or reject email claiming to be from your domain.
Why it matters now
The Privacy Act 1988 (Cth) regulates how Australian organisations with an annual turnover of more than $3 million — and a range of smaller entities, including those handling sensitive information — handle personal information, through the 13 Australian Privacy Principles. The Office of the Australian Information Commissioner administers the Act and operates the Notifiable Data Breaches scheme, which requires APP entities to notify affected individuals and the Commissioner of eligible data breaches likely to result in serious harm. Business email compromise targeting law firms is recognised by the Australian Cyber Security Centre as a high-impact threat, and the ACCC’s Scamwatch service consistently classes payment-redirection scams against professional services among the highest-loss categories tracked. Estate practitioners sitting between testators, executors, beneficiaries, and financial institutions are a structurally attractive target: high-value transfers, long-running matters, and correspondents who may never have met you in person.
The 5-minute view
- The Privacy Act 1988 (Cth) is administered by the OAIC and contains 13 Australian Privacy Principles governing the handling of personal information by APP entities.
- APP 11 requires APP entities to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure.
- The Notifiable Data Breaches scheme under Part IIIC of the Act requires notification of eligible data breaches likely to result in serious harm to affected individuals and to the OAIC.
- SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance) are the three open standards that tell receiving mail servers which hosts may send for your domain, how to verify a message was not altered, and what to do with mail that fails both checks. Together they determine whether an attacker can send email that appears to come from your firm’s domain and have it delivered.
- The ACSC publishes specific guidance recommending that organisations implement and enforce SPF, DKIM and DMARC to reduce the risk of domain spoofing and business email compromise (https://www.cyber.gov.au/).
- Misconfigured or permissive DMARC policies (p=none, pct below 100, or SPF and DKIM passing only for a third-party sender’s domain rather than yours, so they never align with your From: address) are common findings in small-firm domains and substantially weaken the protection the standard is designed to provide.
- Domain authentication records are public; an attacker can check them in seconds before crafting an impersonation email. So can you.
What DRMO does about it
The Email Security Check is the L1 productised diagnostic in the DRMO service catalogue. You submit your firm’s primary email domain (and any aliases used for client correspondence). We run a fixed-scope review against the public DNS records for that domain covering: SPF record presence, syntax, lookup count and ~all / -all posture; DKIM selector discovery and key strength; and DMARC policy strength (p=), alignment mode, percentage coverage, and reporting addresses. The check is delivered against published ACSC guidance for email authentication and is framed against APP 11’s “reasonable steps” obligation under the Privacy Act. This is the same diagnostic that runs as the email-authentication step inside the larger Pre-Settlement and Estate Practice consulting engagements, productised here for single-domain use without requiring a discovery call. This is operational security support, not legal advice on your Privacy Act obligations.
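The SPF and DMARC parts of that fixed-scope review can be reproduced offline against DNS TXT data. The script below is an added example written for this page, not DRMO’s own tooling: it counts SPF DNS lookups against the RFC 7208 limit of 10, grades the `~all` / `-all` posture, and grades a DMARC record on `p=`, `pct=`, alignment tags and the `rua=` reporting address, returning the same Red / Amber / Green status per record that the report uses. The zone data (`weakfirm.example`, `strongfirm.example` and the `hosting.example` includes) is constructed for illustration and is not a real record set; in practice the records come from a resolver query for the domain and `_dmarc.<domain>`. DKIM selector discovery and key-strength measurement are not shown because they need the selector’s public key fetched from DNS.

```python
"""Offline SPF / DMARC posture check over constructed DNS TXT records.

Added example for this page, not DRMO's own tooling. The zone data below is
constructed for illustration; none of the domains or records are real.
"""

# Constructed sample TXT records for two hypothetical firm domains.
# weakfirm.example shows the common small-firm findings; strongfirm.example
# shows the target posture a remediation checklist aims for.
SAMPLE_TXT = {
    "weakfirm.example": (
        "v=spf1 a mx include:_spf.hosting.example "
        "include:spf.protection.outlook.com ~all"
    ),
    "_spf.hosting.example": (
        "v=spf1 include:a.hosting.example include:b.hosting.example "
        "include:c.hosting.example ip4:203.0.113.0/24 -all"
    ),
    "a.hosting.example": "v=spf1 a mx -all",
    "b.hosting.example": "v=spf1 a mx -all",
    "c.hosting.example": "v=spf1 a mx -all",
    "_dmarc.weakfirm.example": "v=DMARC1; p=none; pct=50",
    "strongfirm.example": "v=spf1 include:spf.protection.outlook.com -all",
    "_dmarc.strongfirm.example": (
        "v=DMARC1; p=reject; adkim=s; aspf=s; "
        "rua=mailto:dmarc@strongfirm.example"
    ),
}

RANK = {"GREEN": 0, "AMBER": 1, "RED": 2}


def worse(a, b):
    """Return the worse of two RAG statuses."""
    return a if RANK[a] >= RANK[b] else b


def spf_lookups(domain, txt, chain=()):
    """Count DNS-querying SPF terms (RFC 7208 limit is 10), following
    include: and redirect= through the supplied zone data. A target not in
    the data counts as one lookup; its own includes are unknown offline."""
    if domain in chain:                      # include loop guard
        return 0
    record = txt.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    count = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")           # drop the qualifier
        if term.startswith("redirect="):
            count += 1 + spf_lookups(term[9:], txt, chain + (domain,))
            continue
        mech, _, arg = term.partition(":")
        mech = mech.split("/")[0]            # drop an a/24-style CIDR suffix
        if mech in ("a", "mx", "ptr", "exists"):
            count += 1
        elif mech == "include":
            count += 1 + spf_lookups(arg, txt, chain + (domain,))
    return count


def assess_spf(domain, txt):
    """RAG status plus findings for the domain's SPF record."""
    record = txt.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return "RED", ["no SPF record: any host can claim to send for this domain"]
    all_terms = [t for t in record.split()[1:] if t.lstrip("+-~?") == "all"]
    qual = None
    if all_terms:                            # first matching term wins in SPF
        qual = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
    posture = {
        None: ("RED", "no all mechanism: unlisted senders get a neutral result"),
        "+": ("RED", "+all: every host on the internet passes SPF for this domain"),
        "?": ("RED", "?all: unlisted senders get a neutral result, so SPF adds nothing"),
        "~": ("AMBER", "~all: softfail; unlisted senders are flagged, not rejected"),
        "-": ("GREEN", "-all: unlisted senders fail SPF"),
    }
    status, note = posture[qual]
    findings = [note]
    lookups = spf_lookups(domain, txt)
    if lookups > 10:
        status = "RED"
        findings.append(f"{lookups} DNS lookups (limit 10): receivers return "
                        "permerror and ignore the record")
    return status, findings


def parse_tags(record):
    """Split 'k=v; k=v' DMARC syntax into a dict with lower-case keys."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(domain, txt):
    """RAG status plus findings for _dmarc.<domain>."""
    tags = parse_tags(txt.get("_dmarc." + domain, ""))
    if tags.get("v") != "DMARC1":
        return "RED", ["no DMARC record: receivers have no policy for mail failing SPF/DKIM"]
    p = tags.get("p", "").lower()
    status = {"reject": "GREEN", "quarantine": "AMBER", "none": "RED"}.get(p, "RED")
    findings = [f"p={p or 'missing'}" + (": monitor only, spoofed mail is still delivered"
                                        if p == "none" else "")]
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        status = worse(status, "AMBER")
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        status = worse(status, "AMBER")
        findings.append("no rua=: no aggregate reports, so you cannot see who sends as you")
    findings.append(f"alignment adkim={tags.get('adkim', 'r')} aspf={tags.get('aspf', 'r')}"
                    " (r = relaxed, the default)")
    return status, findings


def run_check(domain, txt=SAMPLE_TXT):
    """One-domain SPF + DMARC view, keyed per record like the report."""
    return {"SPF": assess_spf(domain, txt), "DMARC": assess_dmarc(domain, txt)}


if __name__ == "__main__":
    for d in ("weakfirm.example", "strongfirm.example"):
        for rec, (status, notes) in run_check(d).items():
            print(f"{d:20} {rec:5} {status:5} " + "; ".join(notes))
```

Running it grades `weakfirm.example` RED on both records: the SPF chain resolves to 13 lookups, which real receivers treat as a permanent error (the record is then ignored entirely, which is worse than a `~all`), and the DMARC record is `p=none` at half coverage with no reporting address. `strongfirm.example` is GREEN on both. The lookup count is the finding that is easiest to miss by eyeballing a record, since it only becomes visible when every `include:` is followed.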
The deliverable
- PDF report scoped to one email domain (plus aliases on the same registered name)
- Executive summary with a Red / Amber / Green status per record (SPF, DKIM, DMARC)
- Per-record findings with the raw DNS evidence cited
- Remediation checklist with the specific DNS changes required and the order to apply them
- Plain-English mapping of findings to APP 11 “reasonable steps” framing for your file
- Delivered via email within 1 business day of domain submission and payment
CTA
Run the Email Security Check — AUD $99
A single-domain productised offer. No discovery call required. Suitable for any Australian legal practice handling personal information by email — particularly sole practitioners and small estate practices in regional WA where IT is outsourced and email authentication has rarely been reviewed end-to-end.
Sources
- Office of the Australian Information Commissioner — The Privacy Act: https://www.oaic.gov.au/privacy/the-privacy-act
- Australian Cyber Security Centre — general guidance on email authentication and business email compromise: https://www.cyber.gov.au/
- Australian Competition and Consumer Commission — Scamwatch (payment redirection and BEC scam categories): https://www.scamwatch.gov.au/
DRMO capability references:
- Email Security Check (L1 service shape, SPF/DMARC/DKIM diagnostic, PDF deliverable)