Email Security Check for Perth Family Offices: Verify SPF, DMARC and DKIM Before a BEC Incident Becomes a Notifiable Breach
You run a small, discreet office. Two or three staff, a principal, a handful of trusted external advisors, and a mail domain that has quietly handled correspondence about property, trust distributions, and offshore holdings for years. You have never tested whether that domain can be spoofed. The Email Security Check is a one-shot diagnostic that tells you, in writing, whether an attacker can send email that looks like it came from your principal — and whether the controls the Australian Cyber Security Centre recommends are actually in place.
Why it matters now
The Privacy Act 1988 (Cth) applies to private-sector organisations with an annual turnover of more than $3 million, and the Office of the Australian Information Commissioner notes that some other organisations are also captured. Most family offices managing material assets fall inside that scope, which brings with it the 13 Australian Privacy Principles and the Notifiable Data Breaches scheme. Business email compromise is one of the most common vectors by which personal information held by a small office is exposed: an attacker who can spoof or hijack the office’s mail domain can extract beneficiary details, identity documents, and financial instructions, and that loss can meet the “eligible data breach” threshold requiring notification. The Australian Cyber Security Centre publishes guidance on hardening email against spoofing at https://www.cyber.gov.au/, and SPF, DKIM and DMARC are the three published authentication mechanisms that determine whether a recipient mail server will accept a forged message as legitimate.
The 5-minute view
- The Privacy Act 1988 (Cth) covers organisations with annual turnover above $3 million, and some smaller organisations, as published by the Office of the Australian Information Commissioner.
- The 13 Australian Privacy Principles (APPs) set out how APP entities must handle personal information, including security obligations under APP 11.
- The Notifiable Data Breaches scheme requires APP entities to notify the OAIC and affected individuals of eligible data breaches.
- Business email compromise is a recognised threat class published by the Australian Cyber Security Centre; family offices are structurally attractive targets because of the volume of personal and financial information they hold relative to staff numbers.
- SPF, DKIM and DMARC are the three DNS-published email authentication mechanisms that determine whether a forged message claiming to come from your domain will be accepted by recipient mail servers.
- A misconfigured or absent DMARC record is one of the most common preconditions for successful domain-spoofing BEC attacks.
- The Email Security Check is a fixed-scope diagnostic that reports the live status of these three controls on your mail domain.
What DRMO does about it
The Email Security Check is a productised L1 diagnostic delivered against a single mail domain. You submit the domain. We query the public DNS records, parse the SPF, DKIM and DMARC configurations as they currently exist, and assess them against the published guidance maintained by the Australian Cyber Security Centre. The output is a short PDF report stating, for each of the three mechanisms: whether the record is present, whether it is correctly formed, what an attacker could currently do with the domain, and the specific DNS changes your IT provider would need to apply to close any gaps. This is the same domain-authentication review that opens the Pre-Settlement Shield engagement, sold separately for offices that want a single defensible artefact before committing to a larger scope.
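As an added illustration of the record-level checks described above (example code written for this page, not DRMO's own tooling), the following Python parses SPF and DMARC TXT records that have already been fetched from public DNS and turns them into the per-mechanism status and plain-English exposure statement a report of this kind needs. The sample records are constructed, and DKIM is left out because its public key sits under a selector name that has to be known before it can be queried.

```python
# Added example for this page: assess fetched SPF and DMARC TXT records.
# DNS lookup itself is deliberately omitted so the code runs offline.

def assess_spf(record):
    """Classify an SPF record (None if absent) by its terminal 'all' qualifier."""
    if not record or not record.lower().startswith("v=spf1"):
        return "absent"
    for term in record.split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
            return {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass-all"}[qualifier]
    # No 'all' term at all: unknown senders are implicitly neutral
    return "no-all"

def parse_dmarc(record):
    """Return a DMARC tag dict, or None if the record is absent or not DMARC1."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def assess_dmarc(record):
    """Return 'absent', 'malformed', or the published policy (none/quarantine/reject)."""
    tags = parse_dmarc(record)
    if tags is None:
        return "absent"
    policy = tags.get("p", "").lower()
    return policy if policy in ("none", "quarantine", "reject") else "malformed"

def assess_domain(spf_record, dmarc_record):
    """Combine both checks into a statement of what exact-domain spoofing achieves."""
    spf, dmarc = assess_spf(spf_record), assess_dmarc(dmarc_record)
    if dmarc == "reject":
        exposure = "spoofed mail is rejected by receivers that enforce DMARC"
    elif dmarc == "quarantine":
        exposure = "spoofed mail is usually junked rather than rejected"
    else:
        # p=none, absent or malformed DMARC: SPF alone rarely blocks delivery
        exposure = "spoofed mail claiming this domain will generally be delivered"
    return {"spf": spf, "dmarc": dmarc, "exposure": exposure}

# Constructed sample records (placeholder domain, not a real client)
WEAK = ("v=spf1 include:mail.example.net ~all", "v=DMARC1; p=none; rua=mailto:dmarc@example.net")
STRONG = ("v=spf1 include:mail.example.net -all", "v=DMARC1; p=reject; rua=mailto:dmarc@example.net")

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("strong", STRONG)):
        print(label, assess_domain(*records))
```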
The deliverable
- PDF report scoped to one mail domain
- Per-mechanism status (SPF / DKIM / DMARC) with the underlying DNS records cited
- Plain-English summary of what an attacker can currently do with the domain
- Specific remediation steps formatted for handover to your IT provider
- Mapping to APP 11 (security of personal information) for your records
- Delivered via email within 1 business day of domain submission and payment
CTA
Run the Email Security Check — AUD $99
A single-domain productised offer. No discovery call required. Suitable for any Perth family office that has not had its SPF, DKIM and DMARC configuration independently reviewed in the last 12 months, and that holds personal information about beneficiaries, principals, or counterparties.
Sources
- Office of the Australian Information Commissioner — The Privacy Act: https://www.oaic.gov.au/privacy/the-privacy-act
- Australian Cyber Security Centre — general guidance on email security and business email compromise: https://www.cyber.gov.au/
- Federal Register of Legislation — Privacy Act 1988 (Cth): https://www.legislation.gov.au/
DRMO capability references:
- Email Security Check (L1 service shape, productised diagnostic)
- Pre-Settlement Shield (L3 Shield package, domain-authentication review as opening step)