Email Security Check for Perth Private Client Accountants: Verify SPF, DKIM and DMARC Before a BEC Incident Becomes a Notifiable Data Breach
You handle tax file numbers, trust distributions, and the family balance sheet for private clients who do not want their financial life on the front page. One spoofed email purporting to come from your firm — asking a client to redirect a distribution to a “new” account — is enough to trigger a payment loss, a privacy complaint, and a notifiable data breach assessment in the same week. The Email Security Check is a fixed-scope diagnostic that tells you whether your firm’s outbound email is structurally easy to impersonate today.
Why it matters now
The Privacy Act 1988 (Cth) regulates how organisations with annual turnover above $3 million, and some other organisations, handle personal information, and is administered by the Office of the Australian Information Commissioner (OAIC). Private client accounting firms typically hold a high concentration of personal information — tax file numbers, identity documents, bank details, beneficiary records — much of which is regulated as sensitive information under the Australian Privacy Principles. The OAIC operates the Notifiable Data Breaches scheme, which requires APP entities to assess and, where the thresholds are met, notify eligible data breaches. Business email compromise sits at the intersection of these obligations: the Australian Cyber Security Centre identifies BEC as a recognised threat class for Australian businesses, and a successful impersonation of your firm’s domain can both cause payment loss to a client and expose personal information held in the email chain.
The 5-minute view
- The Privacy Act 1988 (Cth) applies to organisations with annual turnover above $3 million, and to some smaller organisations including those that handle tax file numbers, per the OAIC.
- The 13 Australian Privacy Principles (APPs) bind “APP entities” — most Australian Government agencies and many private sector organisations.
- The OAIC administers the Notifiable Data Breaches scheme, which can be engaged when personal information held by an APP entity is accessed or disclosed without authorisation.
- SPF, DKIM, and DMARC are open email-authentication standards published as IETF RFCs; they let receiving mail servers verify that mail claiming to come from your domain actually originates from your firm.
- Without a published DMARC policy at enforcement (p=quarantine or p=reject), a third party can send mail that appears to come from your firm’s domain to your clients with a high probability of inbox delivery.
- The Australian Cyber Security Centre publishes general guidance on BEC and on email-authentication hardening at https://www.cyber.gov.au/.
- A misconfigured SPF record (too permissive, exceeding the 10-lookup limit, or with a soft-fail terminator) materially weakens the protective value of DMARC even when DMARC is present.
- The Email Security Check assesses these three records on your firm’s primary sending domain and any look-alike domains you nominate.
What DRMO does about it
The Email Security Check (L1) is a single-domain diagnostic against your firm’s email-authentication posture. You provide the firm’s primary sending domain (and up to two additional look-alike or legacy domains). DRMO runs a fixed-scope review covering: the SPF record (syntax, lookup count, terminator, included senders), the DKIM selector(s) discoverable for the domain and their key length, and the DMARC record (policy strength, alignment mode, reporting addresses). The check identifies whether a third party could plausibly send mail that passes basic receiver-side authentication while impersonating your firm, and what record changes would close the gap. This is a productised L1 offer; it is not a penetration test, not legal advice, and not a Privacy Act compliance opinion — it is a structural diagnostic of one control layer.
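To make the per-record criteria concrete, here is an added Python example (not DRMO's tooling) that grades SPF and DMARC record text the way the findings above are described: SPF lookup count against the 10-lookup limit, the terminator (hard fail, soft fail, or the all-permissive +all), and DMARC policy strength, pct sampling and reporting address. The record strings are constructed samples; a real review fetches them over DNS and follows include: chains, which this code does not, so its lookup count is a lower bound.

```python
import re

# Mechanisms and modifiers that each cost a DNS lookup under the RFC 7208 limit of 10.
SPF_LOOKUP_NAMES = {"include", "a", "mx", "ptr", "exists", "redirect"}

def assess_spf(record: str) -> dict:
    """Grade an SPF TXT record. Counts only direct terms (include: chains not followed)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"status": "Red", "reason": "no valid v=spf1 record", "lookups": 0}
    lookups = 0
    for term in terms[1:]:
        body = term.lstrip("+-~?")                      # strip qualifier
        name = re.split(r"[:/=]", body, 1)[0].lower()   # include:x, a/24, redirect=y -> name
        if name in SPF_LOOKUP_NAMES:
            lookups += 1
    terminator = terms[-1].lower()
    if terminator in ("+all", "all"):                   # any host on the internet passes
        return {"status": "Red", "reason": "+all permits any sender", "lookups": lookups}
    if lookups > 10:                                    # receivers return permerror -> DMARC cannot rely on SPF
        return {"status": "Red", "reason": f"{lookups} lookups exceed the limit of 10", "lookups": lookups}
    if terminator in ("~all", "?all"):
        return {"status": "Amber", "reason": f"soft terminator {terminator}", "lookups": lookups}
    if terminator == "-all":
        return {"status": "Green", "reason": "hard-fail terminator within lookup limit", "lookups": lookups}
    return {"status": "Amber", "reason": "record has no all terminator", "lookups": lookups}

def assess_dmarc(record: str) -> dict:
    """Grade a _dmarc TXT record: policy at enforcement, full pct, aggregate reporting."""
    tags = {k.lower(): v.strip() for k, v in re.findall(r"(\w+)\s*=\s*([^;]+)", record)}
    if tags.get("v") != "DMARC1":
        return {"status": "Red", "reason": "no DMARC record published"}
    policy = tags.get("p", "")
    if policy not in ("quarantine", "reject"):
        return {"status": "Red", "reason": f"p={policy or 'missing'} is not at enforcement"}
    notes = []
    if tags.get("pct", "100") != "100":
        notes.append(f"pct={tags['pct']} applies the policy to a sample of mail only")
    if "rua" not in tags:
        notes.append("no rua= aggregate reporting address, so abuse goes unseen")
    alignment = f"adkim={tags.get('adkim', 'r')} aspf={tags.get('aspf', 'r')}"  # r (relaxed) is the default
    if notes:
        return {"status": "Amber", "reason": "; ".join(notes), "alignment": alignment}
    return {"status": "Green", "reason": f"p={policy} with reporting in place", "alignment": alignment}

if __name__ == "__main__":
    # Constructed sample records for a hypothetical firm domain.
    print(assess_spf("v=spf1 include:_spf.example-mail.net mx ~all"))
    print(assess_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example-firm.com.au"))
```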
The deliverable
- PDF report scoped to one primary sending domain plus up to two additional domains
- Per-record findings: SPF, DKIM, DMARC, with the raw record evidence cited
- Red / Amber / Green status against published email-authentication guidance
- A prioritised remediation list your IT provider or MSP can execute, written in DNS-record terms
- Plain-English summary your principal can read in five minutes
- Delivered via email within 2 business days of payment and domain submission
CTA
Run the Email Security Check — AUD $99
A single-domain productised offer. No discovery call required. Suitable for any Perth private client accounting firm that has not had its email-authentication records reviewed in the last 12 months, or that is preparing a broader privacy uplift program.
Sources
- Office of the Australian Information Commissioner — The Privacy Act: https://www.oaic.gov.au/privacy/the-privacy-act
- Office of the Australian Information Commissioner (domain root, for Notifiable Data Breaches scheme and Australian Privacy Principles guidance): https://www.oaic.gov.au/
- Australian Cyber Security Centre (domain root, for BEC and email-authentication guidance): https://www.cyber.gov.au/
- Federal Register of Legislation (domain root, for the Privacy Act 1988 (Cth) consolidated text): https://www.legislation.gov.au/
DRMO capability references:
- Email Security Check (L1 service shape, productised Stripe offer)