Email Security Check for Melbourne Estate Planning Lawyers: SPF, DMARC and DKIM Aligned to Privacy Act Obligations
Your estate planning practice handles some of the most sensitive personal information a client will ever share — beneficiaries, asset registers, family disputes, health directives. If a fraudster spoofs your firm’s domain to redirect an executor’s distribution payment, the first call you receive will be from a distressed beneficiary, and the second may be from the Office of the Australian Information Commissioner. The Email Security Check tells you, in one document, whether your firm’s domain is currently configured to make that spoof harder.
Why it matters now
The Privacy Act 1988 (Cth) regulates how Australian organisations with annual turnover above $3 million — and certain smaller organisations, including many legal practices that handle health information — collect, hold and disclose personal information. The Act is administered by the Office of the Australian Information Commissioner and incorporates 13 Australian Privacy Principles (APPs) that bind “APP entities.” APP 11 requires APP entities to take reasonable steps to protect personal information from misuse, interference and unauthorised disclosure. Business email compromise is one of the more common pathways through which personal information held by professional services firms is exposed: a spoofed domain, an intercepted instruction, a redirected payment. The Australian Cyber Security Centre publishes guidance on BEC at https://www.cyber.gov.au/, and email authentication (SPF, DMARC and DKIM) is among the controls it recommends to reduce domain-spoofing exposure.
The 5-minute view
- The Privacy Act 1988 (Cth) applies to most Australian legal practices via the turnover test or the health-information test for organisations providing health-related services.
- APP 11 requires APP entities to take reasonable steps to protect personal information they hold; the OAIC treats email-authentication controls as part of the reasonable-steps assessment in BEC-related matters.
- SPF (Sender Policy Framework) tells receiving servers which IP addresses are authorised to send mail from your domain.
- DKIM (DomainKeys Identified Mail) cryptographically signs outbound mail so receivers can verify it has not been tampered with in transit.
- DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receivers what to do when SPF or DKIM fails — quarantine, reject, or none — and where to send reports.
- A DMARC policy of p=none collects telemetry but does not block spoofed mail; only p=quarantine or p=reject instructs receivers to act.
- The Notifiable Data Breaches scheme under Part IIIC of the Privacy Act requires eligible data breaches to be reported to the OAIC and affected individuals.
What DRMO does about it
The Email Security Check is a fixed-scope diagnostic against a single firm domain. You submit the domain (for example, yourfirm.com.au) at checkout. DRMO performs an external review of your published DNS records covering: SPF record presence, syntax and the qualifier on the terminating all mechanism (for example ~all versus -all); DKIM selector presence and key strength; DMARC record presence, policy mode (none / quarantine / reject), alignment settings and reporting URIs; and the interaction between these three records as a receiving mail server would evaluate them. The check is purely external: no access to your mail system is required, and no personal information from client files is collected. This is the L1 productised version of the email-authentication review that runs as the first step of the Pre-Settlement Shield consulting engagement.
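As an added illustration (not DRMO's tooling or report logic), the Python below applies the kind of Red / Amber / Green grading the 5-minute view and the scope paragraph describe to constructed SPF, DKIM and DMARC TXT records; the grade thresholds, the yourfirm.example domain and the sample records are assumptions.

```python
import base64
import re

# Constructed sample records for a hypothetical domain (not real DNS data).
SAMPLE = {
    "spf": "v=spf1 include:_spf.example.net ~all",
    "dkim": "v=DKIM1; k=rsa; p=" + "A" * 216,  # base64 of 162 bytes, the size of an RSA-1024 key
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@yourfirm.example",
}
RANK = {"Green": 0, "Amber": 1, "Red": 2}

def tags(txt):  # split "k=v; k=v" DKIM/DMARC records into a dict
    return dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)

def grade_spf(txt):  # graded on the qualifier of the terminating "all" mechanism
    if not txt or not txt.lower().startswith("v=spf1"):
        return "Red", "no SPF record published"
    m = re.search(r"(?:^|\s)([-~?+]?)all(?=\s|$)", txt)
    if not m:
        return "Amber", "no terminating all mechanism; unlisted senders are treated as neutral"
    q = m.group(1) or "+"  # a bare "all" means +all
    verdict = {"-": ("Green", "hard fail (-all)"), "+": ("Red", "+all authorises any sender")}
    return verdict.get(q, ("Amber", f"{q}all is soft/neutral and does not instruct rejection"))

def grade_dkim(txt):  # graded on selector presence and published key size
    if not txt or not txt.lower().startswith("v=dkim1"):
        return "Red", "no DKIM record at the selector"
    p = tags(txt).get("p", "")
    der = base64.b64decode(p + "=" * (-len(p) % 4))  # SPKI DER: 294 bytes for RSA-2048, 162 for RSA-1024
    if len(der) >= 290:
        return "Green", "RSA key of 2048 bits or more"
    if len(der) >= 150:
        return "Amber", "RSA-1024 key; rotate to 2048 bits"
    return "Red", "empty or revoked key"

def grade_dmarc(txt):  # graded on policy mode, with reporting URI as a secondary check
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return "Red", "no DMARC record at _dmarc"
    t = tags(txt)
    policy = {"reject": ("Green", "p=reject"), "quarantine": ("Amber", "p=quarantine diverts spoofs but does not reject")}
    grade, note = policy.get(t.get("p", "none").lower(), ("Red", "p=none collects reports but blocks nothing"))
    if "rua" not in t and grade == "Green":
        grade, note = "Amber", note + "; no rua= so no aggregate reports arrive"
    return grade, note

def posture(records):  # combined rating is the worst individual grade
    findings = {"SPF": grade_spf(records.get("spf")), "DKIM": grade_dkim(records.get("dkim")),
                "DMARC": grade_dmarc(records.get("dmarc"))}
    return max((g for g, _ in findings.values()), key=RANK.get), findings
```

Calling posture(SAMPLE) on the constructed records yields an overall Red, driven by the p=none DMARC policy, with Amber findings for the ~all SPF qualifier and the 1024-bit DKIM key.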
The deliverable
- PDF report scoped to one firm domain
- Red / Amber / Green status against SPF, DKIM and DMARC individually, and a combined posture rating
- Per-record findings with the raw DNS data quoted and the specific weakness identified
- Plain-English remediation steps your IT provider can action, ordered by priority
- A short Privacy Act framing section mapping the findings to APP 11 “reasonable steps” considerations
- Delivered via email within 1 business day of domain submission and payment
This is an operational diagnostic, not legal advice. The Privacy Act framing is provided to help you brief your IT provider and, if needed, your professional indemnity insurer.
CTA
Run the Email Security Check — AUD $99
A single-domain productised offer. No discovery call required. Suitable for any Australian legal practice that wants a documented external view of its email-authentication posture before the next OAIC enforcement cycle or PI renewal.
Sources
- Office of the Australian Information Commissioner — The Privacy Act: https://www.oaic.gov.au/privacy/the-privacy-act
- Australian Cyber Security Centre — general BEC and email-security guidance: https://www.cyber.gov.au/
- Office of the Australian Information Commissioner — Notifiable Data Breaches scheme (entry point): https://www.oaic.gov.au/
DRMO capability references:
- Email Security Check (L1 service shape, productised)
- Pre-Settlement Shield (L3 Shield package — email authentication review as Step 1)