Email Authentication Check for Perth Firm Principals: Evidence Your Domain Is Hardened Against BEC Spoofing
You signed off on the firm’s information security policy last quarter. Your IT provider says email is “secure.” But if a client receives a payment-redirection email that appears to come from your domain, the first question from your insurer, your professional body, and possibly a regulator will be: what authentication did you have in place, and can you prove it? The Email Security Check is a one-shot diagnostic that gives you a defensible record of your domain’s SPF, DKIM, and DMARC posture on a specific date.
Why it matters now
ISO/IEC 27001:2022 is the international standard for information security management systems, and it explicitly requires organisations to identify information security risks and apply controls to treat them. Email-borne impersonation — the mechanism behind almost every business email compromise (BEC) attack on professional services firms — sits squarely inside that scope. The Australian Cyber Security Centre publishes specific guidance recommending SPF, DKIM, and DMARC as baseline domain authentication controls, and the ACCC’s Scamwatch consistently ranks payment-redirection scams among the highest-loss categories for Australian businesses. For a firm principal, the practical question is no longer “are we doing email security?” but “can I evidence the controls if challenged?”
The 5-minute view
- ISO/IEC 27001:2022 requires an information security management system (ISMS) covering people, policies, and technology, with documented risk treatment (ISO/IEC 27001:2022, published by the International Organization for Standardization).
- The 2022 edition’s Annex A control set includes controls relevant to email integrity, access management, and protection against malware — all directly engaged by BEC threat scenarios.
- SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance) are the three open standards used to authenticate outbound email and instruct receiving mail servers how to handle messages that fail authentication.
- The Australian Cyber Security Centre recommends all three controls be configured, with DMARC moved progressively from p=none (monitor) to p=reject (enforce) once legitimate sending sources are mapped.
- A domain with no DMARC record, or a DMARC record stuck at p=none, provides little practical defence against an attacker spoofing your firm’s domain in a payment-redirection email.
- BEC indicators most often present on professional-services targets include lookalike domains, weak or absent DMARC enforcement, and SPF records that authorise more senders than the firm actually uses.
- The Email Security Check produces a date-stamped record of your domain’s current authentication posture — the artefact your insurer or auditor will ask for.
What DRMO does about it
The Email Security Check is a productised L1 diagnostic scoped to a single firm domain. You submit the domain (e.g. yourfirm.com.au). We run an external, non-intrusive check against public DNS records covering: the SPF record (presence, syntax, lookup count, authorised senders), DKIM selectors discoverable for the domain, the DMARC record (presence, policy, alignment mode, reporting addresses), and supporting records such as MX and the absence of common misconfigurations. The check does not require access to your mail system, your firm’s network, or any credentials. It is an external posture snapshot of what the public internet can see about your domain’s email authentication — the same view an attacker has when deciding whether your domain is spoofable.
The output is mapped to ISO/IEC 27001:2022 Annex A control families so the report is usable evidence inside an ISMS risk register.
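As an added illustration of the SPF and DMARC checks described above (the controls in the 5-minute view and the record fields the check inspects), the script below rates constructed TXT records for a hypothetical domain. It is not DRMO's own tooling: the 10-lookup limit comes from RFC 7208, while the Red/Amber/Green thresholds and the sample records are assumptions made for the example.

```python
SAMPLE_TXT = {  # constructed records for a hypothetical domain; no live DNS is queried
    "example-firm.com.au": ["v=spf1 include:spf.protection.outlook.com include:_spf.google.com a mx ptr ~all"],
    "_dmarc.example-firm.com.au": ["v=DMARC1; p=none; adkim=r; aspf=r; rua=mailto:dmarc@example-firm.com.au"],
}
# SPF terms that each consume one of the 10 DNS lookups allowed by RFC 7208 section 4.6.4.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def assess_spf(record):
    """Rate an SPF record: presence, lookup budget, and how it treats unlisted senders."""
    if not record or not record.lower().startswith("v=spf1"):
        return {"status": "RED", "reason": "no SPF record published", "lookups": 0, "senders": []}
    terms = record.split()[1:]
    names = [t.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0].lower() for t in terms]
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    # Sources the record authorises; the principal should compare these to services actually in use.
    senders = [t for t, n in zip(terms, names) if n in ("include", "ip4", "ip6")]
    all_term = next((t.lower() for t in terms if t.lstrip("+-~?").lower() == "all"), "")
    if lookups > 10:
        status, reason = "RED", f"{lookups} lookups exceed the limit of 10; receivers return permerror"
    elif all_term in ("all", "+all"):
        status, reason = "RED", "+all lets any host on the internet send as the domain"
    elif all_term in ("-all", "~all"):
        status, reason = "GREEN", f"{all_term} with {lookups} of 10 lookups used"
    else:
        status, reason = "AMBER", "no -all or ~all, so unlisted senders are not failed"
    return {"status": status, "reason": reason, "lookups": lookups, "senders": senders}

def assess_dmarc(record):
    """Rate a DMARC record: presence, policy strength, coverage (pct), alignment and reporting."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return {"status": "RED", "reason": "no DMARC record; spoofed mail is not rejected", "policy": None}
    tags = {k.strip().lower(): v.strip() for k, v in
            (kv.split("=", 1) for kv in record.split(";") if "=" in kv)}
    policy, pct = tags.get("p", "none").lower(), int(tags.get("pct", "100"))
    status = {"reject": "GREEN", "quarantine": "AMBER"}.get(policy, "RED")
    if status == "GREEN" and pct < 100:
        status = "AMBER"  # reject applies only to a sample of failing mail
    return {"status": status, "policy": policy, "pct": pct, "adkim": tags.get("adkim", "r"),
            "aspf": tags.get("aspf", "r"), "rua": tags.get("rua"), "reason": f"p={policy}; pct={pct}"}

def check_domain(domain, txt=SAMPLE_TXT):
    """Assess a domain from its TXT answers (a dict here; swap in real DNS lookups for live use)."""
    spf = next((r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")), None)
    dmarc = next((r for r in txt.get("_dmarc." + domain, []) if r.lower().startswith("v=dmarc1")), None)
    return {"domain": domain, "spf": assess_spf(spf), "dmarc": assess_dmarc(dmarc)}

if __name__ == "__main__":
    print(check_domain("example-firm.com.au"))
```

For the sample domain the SPF side comes out GREEN (five lookups, ~all) while DMARC is RED because p=none leaves spoofed mail unrejected, which is exactly the gap the 5-minute view warns about.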
The deliverable
- PDF report (typically 6-8 pages) scoped to one firm domain
- Red / Amber / Green status for each of SPF, DKIM, and DMARC
- Plain-English explanation of each finding, written for a firm principal rather than for IT
- Mapping of findings to relevant ISO/IEC 27001:2022 Annex A control families
- Recommended remediation actions in priority order, with the specific DNS record changes required
- Date-stamped record suitable for filing in your firm’s ISMS evidence pack or providing to your professional indemnity insurer
- Delivered via email within 1 business day of domain submission and payment
CTA
Run the Email Security Check — AUD $99
A single-domain productised offer. No discovery call required. Suitable for any Perth firm principal who needs a defensible, date-stamped record of email authentication posture against ISO/IEC 27001-aligned controls.
For ongoing protection across the settlement and trust-account workflow, the Email Security Check is also Step 1 of the broader DRMO Pre-Settlement Shield engagement.
Sources
- International Organization for Standardization — ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements: https://www.iso.org/standard/27001
- Australian Cyber Security Centre — general guidance on email authentication and business email compromise: https://www.cyber.gov.au/
- Australian Competition and Consumer Commission — Scamwatch, payment-redirection and business email compromise scam category: https://www.scamwatch.gov.au/
DRMO capability references:
- Email Security Check (L1 service shape, productised PDF deliverable)
- Pre-Settlement Shield (L3 Shield package, Step 1)