Email Authentication Check for Perth Wealth Managers: Reduce BEC Exposure on Client Correspondence
You handle high-value client portfolios. Most of your client contact runs through email — statements, instruction confirmations, fee notices, occasional one-off transfer instructions. If someone spoofs your domain and emails your clients with new payment details, the first you hear about it is when a client calls asking why their funds went to the wrong account. The Email Security Check is a one-shot diagnostic that tells you whether your domain is configured to make that kind of impersonation harder.
Why it matters now
Wealth management firms sit on personal and financial information that triggers obligations under the Privacy Act 1988 (Cth). The Office of the Australian Information Commissioner administers the Act, which applies to private sector organisations with an annual turnover of more than $3 million, and includes the 13 Australian Privacy Principles. APP 11 requires APP entities to take reasonable steps to protect personal information from misuse, interference, loss and unauthorised access. The Notifiable Data Breaches scheme under Part IIIC of the Act requires reporting of eligible data breaches likely to result in serious harm. Business email compromise — where an attacker impersonates your firm’s domain to redirect client payments or harvest data — is a recognised threat class flagged by the Australian Cyber Security Centre at https://www.cyber.gov.au/. Email authentication records (SPF, DKIM, DMARC) are a baseline technical control that makes domain impersonation materially harder.
The 5-minute view
- The Privacy Act 1988 (Cth) applies to organisations with annual turnover above $3 million, including most Perth wealth management firms (OAIC).
- APP 11 of the 13 Australian Privacy Principles requires reasonable steps to protect personal information from unauthorised access or disclosure.
- Part IIIC of the Privacy Act establishes the Notifiable Data Breaches scheme — eligible breaches likely to cause serious harm must be reported to the OAIC and to affected individuals.
- SPF (Sender Policy Framework) tells receiving mail servers which IP addresses are authorised to send mail for your domain.
- DKIM (DomainKeys Identified Mail) cryptographically signs outbound mail with a key published in your domain’s DNS, so receivers can verify that the message was signed by your domain and has not been altered in transit.
- DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receivers what to do when SPF or DKIM fails, and can produce reports on impersonation attempts.
- A misconfigured or absent DMARC policy means an attacker can send mail that appears to come from your domain to your own clients, and most mailbox providers will deliver it.
- Email authentication is a public-facing technical control: it can be assessed externally from DNS records without access to your internal systems.
What DRMO does about it
The Email Security Check is a fixed-scope diagnostic against your firm’s primary email domain. You submit the domain name. DRMO queries the public DNS records for SPF, DKIM (on the selectors you nominate or common defaults), and DMARC, then produces a PDF report identifying which records are present, which are missing or misconfigured, and which records weaken protection (for example, a DMARC policy of p=none that monitors but does not block). The report includes a plain-English explanation of how each finding maps to APP 11’s “reasonable steps” framing and the indicators a privacy regulator or auditor would look for if a BEC incident occurred. This is the L1 self-serve entry point to the DRMO service catalogue; no discovery call is required.
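The checks described above (the SPF, DKIM and DMARC records listed in the 5-minute view, and the Red / Amber / Green grading of a p=none policy) can be illustrated with a small offline grader. The code below is an added example written for this page; it is not DRMO’s tooling. The TXT values in SAMPLE_RECORDS are constructed, and the names grade_spf, grade_dkim, grade_dmarc and grade_domain are this example’s own. It assumes the records have already been fetched from DNS: SPF is the TXT record at the domain itself, DKIM is the TXT record at selector._domainkey.domain, and DMARC is the TXT record at _dmarc.domain.

```python
"""Offline SPF/DKIM/DMARC grader (added example; constructed inputs)."""

RED, AMBER, GREEN = "Red", "Amber", "Green"

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per record.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def grade_spf(txt):
    """Grade the SPF TXT record at the domain; txt is None when absent."""
    if txt is None:
        return RED, "no SPF record: any host can claim to send for this domain"
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return RED, "record does not start with v=spf1"
    lookups = 0
    qualifier = None  # qualifier on the final 'all' mechanism
    for term in terms[1:]:
        q = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?").lower()
        name = body.split(":")[0].split("/")[0].split("=")[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if body == "all":
            qualifier = q
    if lookups > 10:
        return RED, f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)"
    if qualifier is None:
        return AMBER, "no 'all' mechanism: unlisted senders are treated as neutral"
    if qualifier == "-":
        return GREEN, "-all: unlisted senders fail"
    if qualifier == "~":
        return AMBER, "~all: unlisted senders only soft-fail"
    return RED, f"{qualifier}all: unlisted senders pass or are neutral"


def parse_tags(txt):
    """Split 'tag=value; tag=value' (DKIM and DMARC syntax) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            tags[tag.strip().lower()] = value.strip()
    return tags


def grade_dkim(txt):
    """Grade the TXT record at selector._domainkey.domain; None when absent."""
    if txt is None:
        return RED, "no DKIM key at this selector: signatures cannot be verified"
    tags = parse_tags(txt)
    if not tags.get("p"):
        return RED, "empty p= tag: the key has been revoked"
    return GREEN, "public key published for this selector"


def grade_dmarc(txt):
    """Grade the TXT record at _dmarc.domain; None when absent."""
    if txt is None:
        return RED, "no DMARC record: receivers apply no policy to mail failing SPF/DKIM"
    tags = parse_tags(txt)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return RED, "malformed record: v=DMARC1 and a p= tag are required"
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return RED, "pct= is not a number"
    reporting = "" if "rua" in tags else "; no rua= address, so no aggregate reports"
    if policy == "reject":
        if pct < 100:
            return AMBER, f"p=reject but pct={pct}: only {pct}% of failing mail is rejected" + reporting
        return GREEN, "p=reject on 100% of failing mail" + reporting
    if policy == "quarantine":
        return AMBER, f"p=quarantine (pct={pct}): failing mail is junked, not blocked" + reporting
    if policy == "none":
        return RED, "p=none: monitors only, impersonating mail is still delivered" + reporting
    return RED, f"unknown policy p={policy}"


def grade_domain(records):
    """Red/Amber/Green per control for one domain's fetched records."""
    return {
        "SPF": grade_spf(records.get("spf")),
        "DKIM": grade_dkim(records.get("dkim")),
        "DMARC": grade_dmarc(records.get("dmarc")),
    }


# Constructed records standing in for real DNS lookups.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.example.net ~all",
        "dkim": "v=DKIM1; k=rsa; p=",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:spf.protection.outlook.com -all",
        "dkim": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example; adkim=s; aspf=s",
    },
    "absent.example": {"spf": None, "dkim": None, "dmarc": None},
}

if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        print(domain)
        for control, (status, reason) in grade_domain(records).items():
            print(f"  {control:5} {status:5} {reason}")
```

The grading mirrors the report’s framing: a record that exists but does not block (~all, p=none, p=quarantine, pct below 100) is Amber or Red rather than Green, and the reason string records the raw value so the finding can be cited verbatim in a privacy register.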
The deliverable
- PDF report scoped to one email domain
- Current SPF, DKIM, and DMARC record status with the raw DNS values cited
- Red / Amber / Green status per control
- Plain-English remediation steps your IT provider or Microsoft 365 / Google Workspace administrator can action
- Mapping of findings to APP 11 “reasonable steps” language for your internal privacy register
- Delivered via email within 1 business day of domain submission and payment
CTA
Run the Email Security Check — AUD $99
A single-domain productised diagnostic. No discovery call required. Suitable for any Perth wealth management firm that wants a written, defensible record of its current email authentication posture before a client incident — or a privacy regulator — asks for one.
This door does not provide legal advice. The APP 11 framing is operational support for your existing privacy obligations; specific legal interpretation of the Privacy Act 1988 (Cth) should be obtained from your legal adviser.
Sources
- Office of the Australian Information Commissioner — The Privacy Act: https://www.oaic.gov.au/privacy/the-privacy-act
- Australian Cyber Security Centre — general guidance on business email compromise and email security is published at https://www.cyber.gov.au/
- Privacy Act 1988 (Cth) — Federal Register of Legislation: https://www.legislation.gov.au/
DRMO capability references:
- Email Security Check (L1 service shape, SPF/DMARC/DKIM diagnostic, PDF deliverable)