Email authentication in Australian law firms

A national scan of 252 independent firms, June 2026

When a property settles, money moves on the strength of an email. The buyer's conveyancer is sent the trust account details, transfers the funds, and the matter completes. If someone can send an email that appears to come from the firm, carrying new account details, the money goes to them instead, and by the time anyone notices, the settlement has failed and the funds are gone. Whether a given firm's domain can be used to send that email is not guesswork. It is a matter of public record, and it can be checked from the outside.

So I scanned the email authentication of 252 independent law firms, across every state and territory, in June 2026. 149 of them, 59 percent, publish nothing that would stop someone forging mail in their name. A forged "the trust account details have changed" email from any of those firms would reach the client looking entirely legitimate, because the firm's domain does nothing to reject it.

Open to forgery means one of two things: the firm publishes no DMARC record at all, leaving the domain completely unprotected, or it publishes DMARC set to p=none, which monitors and reports but blocks nothing. Of the 149, 77 have no record and 72 sit at p=none, which is the more deceptive of the two, because it reads as protection on paper while a spoofed sender still arrives. Only the 103 firms at p=quarantine or p=reject actually stop the forgery, by telling receiving mail servers to quarantine or reject mail that fails authentication. Fourteen of those 77 publish neither an SPF nor a DMARC record, open on both counts.

The gap is national, and it is uneven.

Chart: Share of firms open to forgery, by state, highest to lowest. The vertical marker is the 59% national rate. * NT, TAS and ACT have smaller samples.

The Northern Territory is widest, with thirteen of sixteen firms open, and the ACT narrowest, at eight of twenty-seven. Both are smaller jurisdictions, along with Tasmania, so read the extremes as indicative rather than exact. The larger states tell the steadier story: Queensland, Western Australia and Victoria all sit close to two in three.

Email authentication of 252 Australian law firms by state, June 2026. "Open" is no enforcing DMARC (no record or p=none); "Wide open" is no SPF or DMARC at all.

State       Firms  Open  No DMARC  p=none  Enforcing  Wide open
---------------------------------------------------------------
NT             16    13         9       4          3          0
QLD            46    33        16      17         13          3
WA             30    21        10      11          9          2
VIC            32    21        10      11         11          4
SA             43    26        11      15         17          2
TAS            16     9         5       4          7          0
NSW            42    18        13       5         24          3
ACT            27     8         3       5         19          0
National      252   149        77      72        103         14

The scan reads only public DNS, the same records any mail server checks and any attacker can read, for 252 independent law firms across all eight states and territories, in June 2026. A firm counts as protected only at p=quarantine or p=reject. No firm is named, because the point is the shape of the problem, not a list of targets.
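How the scan's categories map onto the DNS records it reads, as an added example that is not the scan's own code: it classifies each domain by the SPF TXT record at the apex and the DMARC TXT record at _dmarc.<domain>, applies the rule stated above (protected only at p=quarantine or p=reject; no record or p=none is open; neither SPF nor DMARC is wide open), and totals a list of domains into the same columns as the state table. The domain names and TXT answers are constructed samples, not real firms, and the `lookup_txt`, `classify` and `tally` function names are mine.

```python
"""Classify SPF/DMARC posture into the categories used in the scan above.

Added example, not the scan's own code. It runs offline over constructed
TXT answers; swap lookup_txt for a real resolver to check live domains.
"""

# Constructed sample TXT answers keyed by DNS name. None of these are real firms.
SAMPLE_TXT = {
    "firm-a.example":        ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.firm-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@firm-a.example"],
    "firm-b.example":        ["v=spf1 mx ~all"],
    "_dmarc.firm-b.example": ["v=DMARC1; p=none; rua=mailto:reports@firm-b.example"],
    # firm-c has SPF but publishes no _dmarc record at all
    "firm-c.example":        ["v=spf1 a mx -all", "site-verification=abc123"],
    # firm-d publishes neither SPF nor DMARC: "wide open" in the table
    "firm-d.example":        ["unrelated-verification=xyz"],
    "firm-e.example":        ["v=spf1 include:spf.example.org -all"],
    "_dmarc.firm-e.example": ["v=DMARC1; p=quarantine; pct=100; adkim=s"],
}

ENFORCING = ("quarantine", "reject")


def lookup_txt(name, txt=SAMPLE_TXT):
    """Return the TXT strings for a DNS name (stand-in for a real DNS query)."""
    return txt.get(name.lower(), [])


def has_spf(domain, txt=SAMPLE_TXT):
    """True if the apex publishes a TXT record starting with v=spf1."""
    return any(r.strip().lower().startswith("v=spf1") for r in lookup_txt(domain, txt))


def parse_dmarc(record):
    """Split a DMARC TXT record into tags; None if it is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def dmarc_policy(domain, txt=SAMPLE_TXT):
    """Return the p= tag ('none', 'quarantine', 'reject') or None if no record."""
    for record in lookup_txt(f"_dmarc.{domain}", txt):
        tags = parse_dmarc(record)
        if tags is not None:
            policy = tags.get("p", "").lower()
            # Assumption: a record with a missing or unrecognised p= tag is
            # counted as p=none, i.e. present but not enforcing.
            return policy if policy in ENFORCING else "none"
    return None


def classify(domain, txt=SAMPLE_TXT):
    """Map one domain onto the table's columns."""
    spf = has_spf(domain, txt)
    policy = dmarc_policy(domain, txt)
    if policy in ENFORCING:
        status = "enforcing"
    elif policy == "none":
        status = "p=none"
    else:
        status = "no DMARC"
    return {
        "spf": spf,
        "dmarc": policy,
        "status": status,
        "open": status != "enforcing",                   # no record or p=none
        "wide_open": status == "no DMARC" and not spf,   # neither record at all
    }


def tally(domains, txt=SAMPLE_TXT):
    """Total a list of domains into the same columns as the state table."""
    cols = {"firms": 0, "open": 0, "no DMARC": 0, "p=none": 0,
            "enforcing": 0, "wide_open": 0}
    for domain in domains:
        result = classify(domain, txt)
        cols["firms"] += 1
        cols["open"] += int(result["open"])
        cols[result["status"]] += 1
        cols["wide_open"] += int(result["wide_open"])
    return cols


if __name__ == "__main__":
    sample = ["firm-a.example", "firm-b.example", "firm-c.example",
              "firm-d.example", "firm-e.example"]
    for domain in sample:
        print(domain, classify(domain))
    print(tally(sample))
```

The one-minute check mentioned at the end of the piece is the same lookup done by hand: `dig +short TXT _dmarc.<your-domain>` for the DMARC record and `dig +short TXT <your-domain>` for SPF. To run the classifier against live domains, replace `lookup_txt` with a resolver call such as dnspython's `dns.resolver.resolve(name, "TXT")`, joining each answer's character strings into one record before parsing, since long TXT records are split into 255-byte pieces.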

Email authentication is the control that fails silently. Nothing bounces, nobody is told, and a firm has no way of knowing its domain is the one carrying the forged settlement email. The records sit in public DNS the whole time. You can read your own firm's in about a minute, and if they need work, that is what the deliverability service is for.