Email Security Check for WA Estate Planning Lawyers: SPF/DMARC/DKIM Review to Reduce BEC Exposure on Client Correspondence
You hold the most sensitive personal information a client ever hands over: wills, beneficiary details, asset schedules, family trust structures, enduring power of attorney instruments. Most of it moves through your firm by email. If your sender domain has not been hardened against spoofing, an attacker can impersonate your firm to clients — or impersonate clients to you — and there is no record on your servers that they ever did. The Email Security Check is a fixed-price diagnostic that tells you what state your firm’s email authentication is actually in.
Why it matters now
The Privacy Act 1988 (Cth) applies to organisations with an annual turnover above $3 million and to some smaller entities, including most health service providers and businesses that trade in personal information. The Office of the Australian Information Commissioner administers the Act and its 13 Australian Privacy Principles, which govern how “APP entities” handle personal information — including the obligation under APP 11 to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access or disclosure. Estate planning files are saturated with personal information that falls squarely inside this obligation. The Australian Cyber Security Centre identifies business email compromise as one of the most financially damaging cyber threats facing Australian businesses, and email sender authentication (SPF, DKIM, DMARC) is the baseline control the ACSC recommends to make impersonation of a firm’s domain materially harder.
The 5-minute view
- The Privacy Act 1988 (Cth) is administered by the Office of the Australian Information Commissioner and is the primary federal privacy statute in Australia.
- The Act applies to organisations with annual turnover above $3 million and to certain smaller organisations; many Australian law firms are APP entities under the Act.
- Australian Privacy Principle 11 requires APP entities to take reasonable steps to protect personal information from unauthorised access, disclosure, and misuse.
- The Notifiable Data Breaches scheme under Part IIIC of the Privacy Act requires eligible data breaches involving likely serious harm to be notified to the OAIC and to affected individuals.
- Business email compromise commonly relies on spoofing a trusted sender domain or registering a near-identical lookalike domain to deceive a recipient.
- SPF, DKIM, and DMARC are the three DNS-published email authentication standards that, when correctly configured, allow receiving mail servers to detect and reject spoofed mail purporting to come from your domain.
- A misconfigured or absent DMARC policy (e.g. p=none, or no record at all) means receiving servers will generally deliver spoofed mail to your clients without any visible warning.
What DRMO does about it
The Email Security Check is a productised L1 diagnostic that examines the public DNS configuration of your firm’s primary sending domain against current ACSC and industry guidance for email authentication. We query your published SPF record (presence, syntax, lookup count, alignment with actual sending sources), your DKIM selectors (presence, key length, signing posture), and your DMARC record (presence, policy strength, alignment mode, reporting endpoints). We then map each finding to the practical BEC risk it creates — for example, a p=none DMARC policy means your domain can be spoofed without rejection, and a +all SPF qualifier means any sender on the internet can claim to be you. The check is scoped to your firm’s primary domain and is delivered without a discovery call.
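A small offline version of the SPF and DMARC posture checks described above, added here as an illustration (it is not DRMO's own tooling): records are passed in as strings rather than fetched from DNS, and each is rated Red / Amber / Green with the BEC-relevant reason attached.

```python
# Rate a domain's SPF and DMARC TXT records Red/Amber/Green, mirroring the checks
# described above. Added example, not DRMO's tooling; records are passed in as
# strings so it runs offline (a live check would fetch <domain> and _dmarc.<domain>).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup; RFC 7208 caps at 10
def _name(term):
    """Mechanism/modifier name of an SPF term, e.g. '+include:x' -> 'include'."""
    return term.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower()
def rate_spf(record):
    """Return (rating, reasons) for the domain's SPF record ('' = none published)."""
    if not record:
        return "Red", ["no SPF record: any host may send as the domain"]
    if not record.lower().startswith("v=spf1"):
        return "Red", ["record does not start with v=spf1; receivers ignore it"]
    terms = record.split()[1:]
    lookups = sum(1 for t in terms if _name(t) in LOOKUP_TERMS)
    reasons = [f"{lookups} DNS lookups exceed the limit of 10 (permerror)"] if lookups > 10 else []
    all_term = next((t for t in terms if _name(t) == "all"), None)
    qualifier = all_term[0] if all_term and all_term[0] in "+-~?" else ("+" if all_term else None)
    if qualifier in ("+", "?"):  # +all / ?all: the whole internet passes SPF
        reasons.append(f"'{all_term}' lets any sender pass SPF")
        return "Red", reasons
    if qualifier == "~":
        reasons.append("~all softfail: spoofed mail is tagged but usually still delivered")
    elif qualifier is None:
        reasons.append("no 'all' term: unlisted senders get a neutral result")
    return ("Red" if lookups > 10 else "Amber" if reasons else "Green"), reasons

def rate_dmarc(record):
    """Return (rating, reasons) for the _dmarc TXT record ('' = none published)."""
    if not record:
        return "Red", ["no DMARC record: receivers apply no policy to spoofed mail"]
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return "Red", ["record does not start with v=DMARC1; receivers ignore it"]
    policy = tags.get("p", "none").lower()
    reasons, rating = [], "Green"
    if policy == "none":
        reasons.append("p=none: spoofed mail is at most reported, never rejected")
        rating = "Red"
    elif policy == "quarantine":
        reasons.append("p=quarantine: spoofed mail goes to junk instead of being rejected")
        rating = "Amber"
    if int(tags.get("pct", "100")) < 100 and policy != "none":
        reasons.append(f"pct={tags['pct']}: policy enforced on only part of failing mail")
        rating = "Amber"
    if "rua" not in tags:
        reasons.append("no rua= address: aggregate reports, and spoofing attempts, go unseen")
        rating = "Amber" if rating == "Green" else rating
    return rating, reasons
```

Run `rate_spf` and `rate_dmarc` on the TXT records returned for your domain and `_dmarc.<domain>`; the reasons list is the plain-English finding that would go against each record in the report.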
The deliverable
- PDF report covering the SPF, DKIM, and DMARC posture of one nominated sending domain
- Per-record findings with the raw DNS values inspected and the specific weakness identified
- Plain-English risk rating (Red / Amber / Green) per control, with the BEC scenario each weakness enables
- Prioritised remediation checklist suitable to hand to your IT provider or managed services partner
- Cross-reference to APP 11 “reasonable steps” framing so the report can sit on file as evidence of a control review
- Delivered via email within 2 business days of payment
CTA
Run the Email Security Check — AUD $99
A single fixed-price diagnostic. No discovery call required. Suitable for a sole practitioner, a small estate planning practice, or a larger firm wanting a quick external read on its current email authentication posture before commissioning broader remediation.
Sources
- Office of the Australian Information Commissioner — The Privacy Act: https://www.oaic.gov.au/privacy/the-privacy-act
- Australian Cyber Security Centre — guidance on business email compromise and email authentication: https://www.cyber.gov.au/
DRMO capability references:
- Email Security Check (L1 service shape, SPF/DMARC/DKIM diagnostic, AUD $99)