Email Authentication Check for Fremantle Estate Planning Lawyers: SPF, DKIM and DMARC Aligned to Privacy Act Obligations
You handle wills, enduring powers of attorney, and testamentary trusts. Your inbox holds beneficiary identification documents, asset schedules, and trustee instructions — personal information that, if intercepted or impersonated, exposes both your clients and your firm. An attacker who spoofs your firm’s domain to redirect a distribution payment doesn’t need to breach your system; they only need your domain to lack basic email authentication. This check tells you, in plain terms, whether it does.
Why it matters now
The Privacy Act 1988 (Cth) regulates how organisations handle personal information, with the 13 Australian Privacy Principles administered by the Office of the Australian Information Commissioner. Estate planning files routinely contain sensitive personal information about clients and beneficiaries, and the Notifiable Data Breaches scheme requires entities covered by the Act to assess and notify eligible breaches. Email is the most common vector for unauthorised access to that information. The Australian Cyber Security Centre publishes guidance on email authentication (SPF, DKIM, DMARC) as a baseline control against domain spoofing and business email compromise, and ScamWatch tracks payment-redirection scams targeting professional services as a high-loss category. For a Fremantle estate practice, missing or misconfigured email authentication makes domain impersonation cheaper for an attacker — and harder for the recipient (a bank, a beneficiary, an executor) to detect.
The 5-minute view
- The Privacy Act 1988 (Cth) and the Australian Privacy Principles apply to organisations with annual turnover above $3 million, and to some smaller entities including those handling health information — many estate practices either meet the threshold or handle qualifying information categories
- The Notifiable Data Breaches scheme, administered by the OAIC, requires assessment and notification of eligible data breaches involving personal information
- SPF (Sender Policy Framework) tells receiving mail servers which IP addresses are authorised to send mail for your domain
- DKIM (DomainKeys Identified Mail) cryptographically signs outbound mail so recipients can verify it has not been altered in transit
- DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receivers what to do when SPF or DKIM fails, and reports back on impersonation attempts
- Missing or weak DMARC policy (p=none instead of p=quarantine or p=reject) is one of the most common findings on professional-services domains and a known precondition for business email compromise (BEC)
- An email authentication check is a one-shot diagnostic against your firm’s primary sending domain — it does not require access to your mail server, only the public DNS records
What DRMO does about it
The Email Security Check is a productised L1 diagnostic against the public DNS records of your firm’s primary sending domain. We query the SPF, DKIM, and DMARC records, evaluate them against the Australian Cyber Security Centre’s published configuration guidance, and document what an attacker attempting to spoof your domain would currently encounter. The output identifies misconfigurations (overly permissive SPF includes, missing DKIM selectors, p=none DMARC policy, absent reporting addresses) and lists the specific DNS record changes needed to bring the domain to a stronger baseline. This is the same diagnostic that runs as Step 1 of the DRMO Pre-Settlement Shield and Retainer engagements, productised for single-domain use without a discovery call. It is operational support for your information-handling controls; it is not legal advice on Privacy Act compliance.
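As an added illustration of the record checks described above (example code, not DRMO's own tooling), a small offline evaluator that grades SPF, DMARC and DKIM TXT records Red/Amber/Green the way the report does. The records in SAMPLE are constructed and the domain names hypothetical; a real run would first fetch the TXT records for the domain, for _dmarc.<domain> and for <selector>._domainkey.<domain>, then pass them in.

```python
import re

# Constructed sample records (hypothetical domain), as a DNS TXT query would return them.
SAMPLE = {"spf": "v=spf1 include:_spf.mailhost.invalid include:spf.crm.invalid ~all",
          "dmarc": "v=DMARC1; p=none; sp=none",
          "dkim": {}}  # no TXT record found under the selectors tried (assumed)

def check_spf(record):
    """Grade an SPF TXT record: returns (status, findings)."""
    if not record or not record.lower().startswith("v=spf1"):
        return "red", ["no SPF record published"]
    terms = record.split()
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    status, findings = "green", []
    if all_term in (None, "all", "+all", "?all"):
        status, findings = "red", ["no '-all' or '~all' terminator: unlisted senders are not failed"]
    elif all_term == "~all":
        status, findings = "amber", ["'~all' softfail; use '-all' once every legitimate sender is listed"]
    # include, exists, redirect, a and mx each cost a DNS lookup; RFC 7208 caps these at 10
    lookups = sum(1 for t in terms if re.match(r"^[+\-~?]?(include:|exists:|redirect=|a(?=[:/]|$)|mx(?=[:/]|$))", t))
    if lookups > 10:
        status, findings = "red", findings + [f"{lookups} lookup mechanisms exceed the limit of 10"]
    return status, findings

def check_dmarc(record):
    """Grade a DMARC TXT record: returns (status, findings)."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return "red", ["no DMARC record published"]
    tags = {k.lower(): v for k, v in (p.split("=", 1) for p in record.replace(" ", "").split(";") if "=" in p)}
    policy = tags.get("p", "").lower()
    status, findings = "green", []
    if policy == "none":
        status, findings = "amber", ["p=none only monitors: spoofed mail is still delivered"]
    elif policy not in ("quarantine", "reject"):
        status, findings = "red", [f"p={policy or '<missing>'} is invalid: receivers ignore the record"]
    if "rua" not in tags:  # aggregate reports are how impersonation attempts become visible to you
        status = "red" if status == "red" else "amber"
        findings.append("no rua= address: no aggregate reports on impersonation attempts")
    return status, findings

def check_dkim(selector_records):
    """Grade DKIM from {selector: TXT record}; an empty p= tag means a revoked key."""
    if not selector_records:
        return "red", ["no DKIM selector record found: outbound mail cannot be signature-verified"]
    bad = [s for s, rec in selector_records.items() if not re.search(r"\bp=[A-Za-z0-9+/=]+", rec)]
    return ("amber" if bad else "green"), [f"selector '{s}' has no public key (p= empty)" for s in bad]

def evaluate(records):
    return {"spf": check_spf(records.get("spf")), "dmarc": check_dmarc(records.get("dmarc")),
            "dkim": check_dkim(records.get("dkim", {}))}
```

`evaluate(SAMPLE)` returns the per-record status and findings; for the constructed records it grades SPF amber (softfail), DMARC amber (p=none, no rua) and DKIM red (no selector published).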
The deliverable
- PDF report scoped to one primary sending domain
- Current SPF, DKIM, and DMARC record values with plain-English interpretation
- Red / Amber / Green status per record, with the specific weakness identified
- Recommended DNS record changes, written so your IT provider or domain registrar can implement them directly
- Notes on alignment with ACSC email authentication guidance and relevance to Privacy Act information-handling obligations
- Delivered via email within 1 business day of payment
Run the Email Security Check — AUD $99
A single-domain productised offer. No discovery call required. Suitable for any Fremantle estate planning practice that wants a documented baseline of its email authentication posture before reviewing wider information-handling controls.
For ongoing protection across all client matters, see the DRMO Retainer (consultative; book a discovery call).
Sources
- Office of the Australian Information Commissioner — The Privacy Act: https://www.oaic.gov.au/privacy/the-privacy-act
- Office of the Australian Information Commissioner — guidance on the Notifiable Data Breaches scheme and Australian Privacy Principles, published at https://www.oaic.gov.au/
- Australian Cyber Security Centre — guidance on email authentication (SPF, DKIM, DMARC) and business email compromise, published at https://www.cyber.gov.au/
- Australian Competition and Consumer Commission — Scamwatch guidance on payment redirection and business email compromise scams, published at https://www.scamwatch.gov.au/
DRMO capability references:
- Email Security Check (L1 service shape, SPF/DMARC/DKIM diagnostic)
- Pre-Settlement Shield (L3 Shield package) — Email Security Check is Step 1