Email Security Check for Sydney Estate Planning Lawyers: SPF, DMARC and DKIM Hardening Against BEC
You hold the most sensitive personal information a client will ever share — wills, family trust structures, beneficiary details, sometimes account numbers for distributions. An impersonator only needs to send one convincing email from what looks like your firm’s domain to redirect a beneficiary payment or extract a draft will. The Email Security Check tells you whether your sending domain can actually be spoofed today, and what to fix first.
Why it matters now
The Privacy Act 1988 (Cth) applies to organisations with annual turnover above $3 million and to many smaller practices that handle sensitive information, including health and financial data routinely held in estate files. The Office of the Australian Information Commissioner administers the Act, the 13 Australian Privacy Principles, and the Notifiable Data Breaches scheme — meaning an unauthorised disclosure of personal information that is likely to result in serious harm must be assessed and, where the threshold is met, reported to the OAIC and to affected individuals. Business email compromise targeting law firms is a documented threat class: the Australian Cyber Security Centre publishes specific BEC guidance at https://www.cyber.gov.au/, and unauthenticated sending domains are one of the most common technical preconditions for successful impersonation.
The 5-minute view
- The Privacy Act 1988 (Cth) regulates how APP entities handle personal information; estate files routinely contain personal, financial and health information that falls within its scope
- Australian Privacy Principle 11 requires APP entities to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure
- The Notifiable Data Breaches scheme, administered by the OAIC, requires assessment and notification of eligible data breaches likely to result in serious harm
- SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance) are the three open standards used to authenticate email and prevent domain spoofing
- A domain without an enforcing DMARC policy (p=reject or p=quarantine) can be spoofed in BEC attacks because receiving mail servers have no instruction to reject unauthenticated mail claiming to be from your firm
- Misconfigured SPF records (e.g. +all, excessive includes, or the DNS lookup limit exceeded) silently fail to protect the domain even when present
- The Email Security Check is a one-shot diagnostic that reports the current state of your authentication records and the specific configuration changes required to reach enforcement
What DRMO does about it
The Email Security Check is a productised L1 diagnostic against a single firm domain. You submit the domain name. We run a fixed-scope external review covering: the published SPF record (syntax, mechanism count, DNS lookup limit, qualifier), the DKIM selector(s) published on the domain (key presence, key length, rotation indicators visible externally), and the DMARC record (policy, percentage, alignment mode, reporting addresses). We then compare the configuration against ACSC’s published email authentication guidance and identify the specific changes needed to move the domain to an enforcing posture without breaking legitimate mail flow. This is the entry-level diagnostic within the DRMO Email Security service line and is delivered without a discovery call.
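As an added illustration of the SPF and DMARC checks listed above (example code written for this page, not DRMO's own tooling), the evaluator below applies the qualifier, DNS lookup limit, policy and reporting checks to TXT record strings and returns the same Red / Amber / Green rating. The sample records, domains and mailbox are constructed; DKIM key presence and length need a live DNS query and are left out.

```python
# Added example (not DRMO's tooling). Mechanisms/modifiers that each cost one
# of the 10 DNS lookups RFC 7208 allows per SPF evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10
# Constructed sample records, not a real firm's DNS values.
WEAK_SPF = "v=spf1 include:_spf.example.net ip4:203.0.113.10 +all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"

def check_spf(record):
    """Rate one SPF TXT record string: returns (rating, findings)."""
    if not record.lower().startswith("v=spf1"):
        return "Red", ["no valid SPF record published"]
    lookups, all_qualifier, findings = 0, None, []
    for term in record.split()[1:]:
        qualifier = "+"  # a bare mechanism means 'pass'
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.split(":")[0].split("=")[0].split("/")[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        elif name == "all":
            all_qualifier = qualifier
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS lookups exceed the limit of {SPF_LOOKUP_LIMIT}; receivers return permerror")
    if all_qualifier in (None, "+", "?"):
        findings.append("'all' missing, '+all' or '?all': every sender passes SPF")
    elif all_qualifier == "~":
        findings.append("'~all' is softfail only; enforcement depends on DMARC")
    if all_qualifier not in ("-", "~") or lookups > SPF_LOOKUP_LIMIT:
        return "Red", findings
    return ("Amber" if findings else "Green"), findings

def check_dmarc(record):
    """Rate one DMARC TXT record string: returns (rating, findings)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return "Red", ["no valid DMARC record published"]
    findings, policy, pct = [], tags.get("p", "none"), int(tags.get("pct", "100"))
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    # p=quarantine enforces but stays Amber until the domain reaches p=reject
    return ("Red" if policy == "none" else "Amber" if findings or policy == "quarantine" else "Green"), findings
```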
The deliverable
- PDF report scoped to one firm sending domain
- Executive summary with a Red / Amber / Green rating for SPF, DKIM and DMARC
- Per-record technical findings with the current DNS values cited
- Prioritised remediation list (DNS change, owner, sequencing note) suitable for handover to your IT provider
- Notes on how the hardened state supports APP 11 “reasonable steps” evidence in the event of an OAIC enquiry
- Delivered via email within 1 business day of domain submission and payment
CTA
Run the Email Security Check — AUD $99
A single-domain productised offer. No discovery call required. Suitable for any Sydney estate planning practice that has not had its SPF, DKIM and DMARC records externally reviewed in the past 12 months.
Sources
- Office of the Australian Information Commissioner — The Privacy Act: https://www.oaic.gov.au/privacy/the-privacy-act
- Australian Cyber Security Centre — general guidance on business email compromise and email authentication: https://www.cyber.gov.au/
- Federal Register of Legislation — Privacy Act 1988 (Cth): https://www.legislation.gov.au/
DRMO capability references:
- Email Security Check (L1 service shape, productised)
- Surface area matrix entry: estate-lawyers/sydney/privacy-act-bec