Email Security Check for Mandurah Estate Planning Lawyers: SPF, DMARC and DKIM Verification to Reduce BEC Exposure
You hold wills, enduring powers of attorney, and beneficiary details for families across the Peel region. A client’s daughter emails about her late father’s estate distribution — except it isn’t her. It is an attacker who spoofed the message, and a domain that publishes no DMARC record gives receiving mail servers no instruction to stop it. By the time the executor queries the transfer, the funds are gone and the personal information in that thread is in the wrong hands. The Email Security Check tells you whether your firm’s domain is publishing the three records that make this spoofing harder.
Why it matters now
Estate planning files concentrate exactly the categories of personal information the Privacy Act 1988 (Cth) is designed to protect: identity documents, family relationships, financial position, and in some matters health information relating to capacity. The Office of the Australian Information Commissioner administers the Privacy Act and its 13 Australian Privacy Principles, which apply to private sector organisations with annual turnover above $3 million and to some smaller organisations including those that handle health information. Australian Privacy Principle 11 requires APP entities to take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification and disclosure. Where a firm sits below the turnover threshold but holds health information for capacity assessments, it is still an APP entity. The Australian Cyber Security Centre identifies business email compromise as a leading cause of financial and data loss for Australian businesses, and email authentication (SPF, DMARC, DKIM) is on its list of recommended controls.
The 5-minute view
- The Privacy Act 1988 (Cth) is administered by the Office of the Australian Information Commissioner (OAIC) and contains 13 Australian Privacy Principles
- APP 11 requires APP entities to take reasonable steps to protect personal information from unauthorised access and disclosure
- The Notifiable Data Breaches scheme under Part IIIC of the Privacy Act requires APP entities to notify the OAIC and affected individuals of eligible data breaches
- Law firms holding health information (e.g. for capacity assessments in estate planning) are APP entities regardless of turnover
- SPF (Sender Policy Framework) tells receiving mail servers which IPs are authorised to send mail for your domain
- DKIM (DomainKeys Identified Mail) cryptographically signs outbound mail so recipients can verify it wasn’t altered
- DMARC tells receivers what to do when SPF or DKIM fail, and where to send reports — without a DMARC record at p=quarantine or p=reject, spoofed mail can pass undetected
- The Australian Cyber Security Centre publishes general guidance on email authentication at https://www.cyber.gov.au/
What DRMO does about it
The Email Security Check is a productised L1 diagnostic scoped to one domain (your firm’s primary mail domain). You submit the domain via the order form. DRMO queries the public DNS records for that domain and produces a fixed-scope assessment covering: SPF record presence, syntax, and the qualifier on the terminal all mechanism; DKIM selector publication and key length; DMARC record presence, policy (p=none / quarantine / reject), alignment mode, and reporting addresses; and the resulting BEC exposure profile for inbound and outbound mail flow. The review uses public DNS lookups only — no access to your mail server or mailbox content is required. The output references the relevant Australian Cyber Security Centre control mappings so that your IT provider can action remediation, and frames the findings against the “reasonable steps” expectation in APP 11.
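To make the record checks listed above and in the 5-minute view concrete, here is an added example that grades SPF, DKIM and DMARC TXT values offline. It is not DRMO’s tool: the Red / Amber / Green thresholds are this example’s own assumptions, the TXT values and the domain firm.invalid are constructed samples rather than live DNS answers, and the DKIM key it builds is a structurally valid but unusable dummy so that the key-length parsing can be exercised without a real key. A live checker would fetch the TXT records for the domain, for selector._domainkey.domain and for _dmarc.domain, and pass them to the same functions.

```python
"""Grade SPF, DKIM and DMARC TXT records the way the check above describes.
Added example, not DRMO's tool: the Red/Amber/Green thresholds are this
example's own assumptions, and every record is a constructed sample, not a
live DNS answer (a live checker fetches TXT for <domain>,
<selector>._domainkey.<domain> and _dmarc.<domain> and feeds them in here)."""
import base64
import re

ALL_QUALIFIERS = {  # terminal "all" term of an SPF record (RFC 7208)
    "-": ("GREEN", "-all: unlisted senders hard-fail"),
    "~": ("AMBER", "~all: soft-fail only; enforcement depends on DMARC"),
    "?": ("RED", "?all: neutral, equivalent to no policy"),
    "+": ("RED", "+all: every sender on the internet is authorised"),
}

def check_spf(record):
    """(status, note) for the SPF record at the domain apex."""
    if not record:
        return "RED", "no SPF record: receivers cannot tell which senders are authorised"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "RED", "TXT record does not start with v=spf1"
    alls = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not alls:
        return "AMBER", "no 'all' term: unlisted senders get a neutral result"
    return ALL_QUALIFIERS[alls[-1][0] if alls[-1][0] in "+-~?" else "+"]

def parse_tags(record):
    """Split 'k=v; k=v' into a dict; DKIM and DMARC share this syntax."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def _der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (value, position after it)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Modulus size of an RSA SubjectPublicKeyInfo, which is what DKIM p= carries."""
    spki, _ = _der_tlv(spki_der, 0)    # SubjectPublicKeyInfo SEQUENCE
    _, pos = _der_tlv(spki, 0)         # skip AlgorithmIdentifier
    bitstr, _ = _der_tlv(spki, pos)    # BIT STRING; byte 0 is the unused-bits count
    rsa_key, _ = _der_tlv(bitstr, 1)   # RSAPublicKey SEQUENCE
    modulus, _ = _der_tlv(rsa_key, 0)  # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def _der(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + value

def fake_rsa_spki(bits):
    """Constructed SPKI around a dummy modulus: valid DER, NOT a usable key."""
    n = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")  # leading 0: positive INTEGER
    rsa_key = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))

def sample_dkim_record(bits):
    """Constructed DKIM TXT value around a fake_rsa_spki key (sample data only)."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(fake_rsa_spki(bits)).decode()

def check_dkim(record):
    """(status, note) for the TXT record at <selector>._domainkey.<domain>."""
    if not record:
        return "RED", "no DKIM selector published: outbound mail carries no verifiable signature"
    pubkey = re.sub(r"\s+", "", parse_tags(record).get("p", ""))
    if not pubkey:
        return "RED", "empty p= tag: this selector has been revoked"
    bits = rsa_modulus_bits(base64.b64decode(pubkey))  # assumes k=rsa, the common case
    if bits < 1024:
        return "RED", f"{bits}-bit RSA key: below the RFC 8301 minimum"
    return ("AMBER" if bits < 2048 else "GREEN"), f"{bits}-bit RSA key"

def check_dmarc(record):
    """(status, note) for the TXT record at _dmarc.<domain>."""
    if not record:
        return "RED", "no DMARC record: receivers get no policy and you get no reports"
    tags = parse_tags(record)
    policy, pct = tags.get("p", "").lower(), int(tags.get("pct", "100"))
    if tags.get("v") != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        return "RED", "malformed DMARC record: v=DMARC1 and a valid p= are mandatory"
    reports = "" if "rua" in tags else "; no rua=, so failures are never reported to you"
    if policy == "none":
        return "RED", "p=none: spoofed mail is still delivered, monitoring only" + reports
    if policy == "quarantine" or pct < 100:
        return "AMBER", f"p={policy} pct={pct}: partial enforcement" + reports
    return "GREEN", "p=reject applied to 100% of failing mail" + reports

def assess(spf, dkim, dmarc):
    """Per-record Red/Amber/Green for one domain, as the report summary would show."""
    return {"spf": check_spf(spf), "dkim": check_dkim(dkim), "dmarc": check_dmarc(dmarc)}

if __name__ == "__main__":
    weak = assess("v=spf1 include:_spf.mailprovider.invalid ~all", None, "v=DMARC1; p=none")
    hardened = assess("v=spf1 include:_spf.mailprovider.invalid -all", sample_dkim_record(2048),
                      "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@firm.invalid")
    for label, result in (("weak", weak), ("hardened", hardened)):
        for rec, (status, note) in result.items():
            print(f"{label:9}{rec:6}{status:6}{note}")
```

The weak sample reproduces the exposure described at the top of the page: SPF ends in ~all (soft fail), no DKIM selector is published, and DMARC sits at p=none, so a receiver that sees a failing message is told to deliver it anyway and nobody at the firm is told it happened. The hardened sample shows the three records the report measures against.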
The deliverable
- PDF report scoped to one firm mail domain
- Executive summary with a Red / Amber / Green status for SPF, DKIM and DMARC
- Per-record findings showing the actual published DNS values and the gaps against ACSC-recommended configuration
- Plain-English remediation list your IT provider can implement
- Plain-English note on how the findings relate to the “reasonable steps” obligation under APP 11 (operational support, not legal advice)
- Delivered via email within 1 business day of payment
CTA
Run the Email Security Check — AUD $99
A single-domain productised offer. No discovery call required. Suitable for any Australian estate planning practice that wants a fast read on whether its email domain publishes the three records that make BEC spoofing materially harder.
Sources
- Office of the Australian Information Commissioner — The Privacy Act: https://www.oaic.gov.au/privacy/the-privacy-act
- Australian Cyber Security Centre — general guidance on email authentication and business email compromise (domain root): https://www.cyber.gov.au/
- Federal Register of Legislation — Privacy Act 1988 (Cth) (domain root): https://www.legislation.gov.au/
DRMO capability references:
- Email Security Check (L1 service shape, productised)
- Australian Privacy Principle 11 mapping (operational support, not legal advice)