Email Security Check for Queensland Estate Planning Lawyers: SPF, DMARC and DKIM Review to Reduce BEC Exposure on Client Correspondence

You hold wills, enduring powers of attorney, family trust deeds, and the asset registers of clients who trust you with their last instructions. Most of that work moves by email — instructions, draft documents, beneficiary details, and occasionally bank account information for estate distributions. If someone spoofs your firm’s domain to a grieving family member, the first call comes to you. The Email Security Check tells you whether your domain’s outbound mail authentication makes that easier or harder for an attacker.

Why it matters now

Estate planning practices in Queensland handling personal information of clients and beneficiaries are typically caught by the Privacy Act 1988 (Cth) once turnover thresholds or health-information handling triggers apply. The Office of the Australian Information Commissioner (OAIC) administers the Act and its 13 Australian Privacy Principles, which govern how “APP entities” handle personal information. Business email compromise targeting law firms is treated by the Australian Cyber Security Centre as a high-priority threat class, and a BEC incident involving client personal information is a candidate notifiable event under the Notifiable Data Breaches scheme administered by the OAIC. Email authentication (SPF, DKIM and DMARC) is one of the practical controls the ACSC recommends to reduce the likelihood that an attacker can convincingly impersonate your firm’s domain to your own clients.

The 5-minute view

What DRMO does about it

The Email Security Check is the L1 productised diagnostic in the DRMO catalogue. You provide the firm’s primary mail-sending domain (and any secondary sending domains used for client correspondence). We run an external review of the published DNS records that govern email authentication: the SPF record (including lookup-count and ~all/-all posture), the DKIM selectors that can be enumerated from public mail headers and DNS, and the DMARC record (policy, alignment mode, reporting addresses). We compare findings against the email-hardening guidance published by the Australian Cyber Security Centre and flag the specific misconfigurations most often abused in BEC attempts against professional services firms. This is the same diagnostic step that begins the consultative Pre-Settlement Shield engagement, productised for self-serve use by single-domain estate practices.
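As an added illustration of the kind of posture checks such a review applies (example code written for this page, not DRMO's tooling), the following Python parses SPF and DMARC TXT records and flags the weak settings named above: SPF lookup count, the `~all`/`+all` qualifier, DMARC `p=none` and missing `rua` reporting. The sample records and `.invalid` domains are constructed; in practice the records are fetched from DNS for the sending domain and for `_dmarc.<domain>`.

```python
import re

# SPF terms that each cost one of the 10 DNS lookups RFC 7208 s4.6.4 allows;
# going over the limit yields permerror, which receivers treat as no SPF at all.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10

def check_spf(record: str) -> list[str]:
    """Return findings for an SPF TXT record; an empty list means nothing flagged."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or not v=spf1"]
    lookups, all_qualifier = 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        elif name == "all":
            all_qualifier = qualifier
    findings = []
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of {SPF_LOOKUP_LIMIT}")
    if all_qualifier is None:
        findings.append("SPF: no 'all' term, so unlisted senders evaluate as neutral")
    elif all_qualifier == "+":
        findings.append("SPF: '+all' authorises any host to send as this domain")
    elif all_qualifier == "~":
        findings.append("SPF: '~all' softfail only; DMARC must supply quarantine/reject")
    return findings

def check_dmarc(record: str) -> list[str]:
    """Return findings for the _dmarc TXT record ('' means none is published)."""
    if not record:
        return ["DMARC: no _dmarc record, so spoofed mail is neither policed nor reported"]
    tags = {k.strip().lower(): v.strip() for k, _, v in
            (p.strip().partition("=") for p in record.split(";")) if v}
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not begin with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'missing'} takes no action on spoofed mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so aggregate reports are never received")
    return findings

# Constructed sample records on .invalid domains showing a common weak posture.
SAMPLE_SPF = "v=spf1 include:_spf.mailer.invalid mx ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@law-firm.invalid"
if __name__ == "__main__":
    print("\n".join(check_spf(SAMPLE_SPF) + check_dmarc(SAMPLE_DMARC)))
```

The sample pair is the posture most often seen at small firms: SPF softfail plus DMARC in monitoring mode, which reports spoofing but does not stop it.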

The deliverable

Run the Email Security Check — AUD $99

A single-domain productised offer. No discovery call required. Suitable for sole-practitioner and small-firm Queensland estate practices that want a defensible baseline of their email authentication posture before reviewing broader Privacy Act compliance.

Sources

  1. Office of the Australian Information Commissioner — The Privacy Act: https://www.oaic.gov.au/privacy/the-privacy-act
  2. Office of the Australian Information Commissioner (domain root, for Australian Privacy Principles and the Notifiable Data Breaches scheme): https://www.oaic.gov.au/
  3. Australian Cyber Security Centre (domain root, for BEC and email-hardening guidance): https://www.cyber.gov.au/
  4. Federal Register of Legislation (domain root, for the Privacy Act 1988 (Cth) as in force): https://www.legislation.gov.au/

DRMO capability references: