10,588 Australian domains analysed. Most fail basic email authentication. [2026 Report]
June 2026 Sector Report

3 in 4 Australian conveyancing firms have nothing stopping a criminal from sending email in their name

We scanned 260 licensed conveyancing and settlement firms across WA and Victoria in June 2026. 76.9% can be impersonated by email today — a key technique in settlement payment-redirection fraud.

3 in 4
can be impersonated by email today
56.5%
have no DMARC protection at all
1 in 10
fully block impersonation (p=reject)
260
licensed firms scanned, June 2026
$166.8 million

lost to payment-redirection scams in Australia in 2025

Payment redirection was Australia's second-costliest scam category in 2025, according to the ACCC's National Anti-Scam Centre — $166.8 million of the $2.18 billion Australians reported losing to scams that year. And property settlements are where it bites hardest: a single redirected deposit is often a six-figure loss.

The play is simple. A criminal sends your client an email that looks like it comes from your firm — same name, same address — with "updated" trust account details a few days before settlement. The client pays. The money is gone, usually unrecoverable. The client's life savings, your firm's name on the email.

The technical term is email spoofing: sending an email that appears to come from someone else's address. It works because, by default, nothing in email checks that the sender is who they claim to be. A standard called DMARC closes that gap — it lets your domain tell the world's mail servers "reject anything claiming to be us that we didn't send." It is free, it is invisible to your clients, and 76.9% of the firms we scanned don't have it doing its job.

What we found

Of the 260 licensed firms we scanned, 56.5% have no DMARC record at all — their domain says nothing about who may send email in its name. Another 20.4% have DMARC switched to "monitor only" (p=none), which observes impersonation without stopping it. Together that is 76.9% of the sector — 3 in 4 firms — effectively open to impersonation today.

Only 10% enforce the policy that actually blocks spoofed mail (p=reject), with a further 13.1% at the halfway setting (p=quarantine). For comparison, across the 10,586-domain national dataset behind our State of DMARC in Australia research, 39.1% of organisations enforce — conveyancing trails the national average at 23.1%. The sector entrusted with the largest transfers of ordinary Australians' money is less protected than the average Australian organisation.

Open to impersonation

76.9% conveyancing firms
60.9% national baseline

No DMARC at all

56.5% conveyancing firms
28.6% national baseline

By state

Western Australia

154 firms
Open to impersonation
71.4%
No DMARC record
47.4%
Enforcing (quarantine or reject)
28.6%

Victoria

106 firms
Open to impersonation
84.9%
No DMARC record
69.8%
Enforcing (quarantine or reject)
15.1%

"Open to impersonation" means the domain has no DMARC record or has DMARC set to monitor-only (p=none) — in both cases, receiving mail servers are not told to reject mail that fails authentication. Aggregates only: this report names no firm and publishes no per-firm data. Aggregate data (JSON).

Is your firm one of the 3 in 4?

It takes about 10 seconds to check. Enter your firm's web domain — the part after the @ in your email address — and our scanner reads the same public records we used for this report. Free, no signup, and your result is not published anywhere.

Check my firm's domain

Methodology & responsible disclosure

Who we scanned. The cohort is currently licensed conveyancing and settlement firms drawn from two public government registers: Western Australia's settlement agent licence register (DEMIRS Online Licence Search) and Consumer Affairs Victoria's register of licensed conveyancers. For each licensed firm we identified its web domain and verified the website's content actually belongs to that firm before including it; firms without a discoverable, verifiable website are not in the cohort. That produced 260 firms (154 WA, 106 VIC).

How we scanned. Each domain was checked in June 2026 with DMARC Busta's scanner using publicly available DNS records only — DMARC, SPF, and DKIM. This is the same information any mail server on the internet reads before deciding whether to trust an email. No intrusion, penetration testing, or email sending of any kind was performed.

What we will not publish. No firm is named in this report, and no per-firm data is published or downloadable — aggregates only. We will not provide the list, including on request. Any firm can check its own standing in seconds with the free scanner; industry bodies are welcome to contact us for a briefing on the aggregate findings.

You run settlements. We'll run this.

Fixing this doesn't require an IT department. DMARC Busta sets up the records, watches them, and moves your domain to DMARC enforcement automatically — you don't interpret reports or touch DNS. Most firms reach enforcement within weeks, without changing how anyone works.