Australian organisations increasingly ask about SPF, DKIM and DMARC in the same conversation as Essential Eight, the ASD Information Security Manual, cyber insurance, client security questionnaires and supplier risk.
That is understandable. Email is a major source of business risk, and domain spoofing is one of the easiest ways to abuse trust in a brand. But the relationship between email authentication and Australian cyber guidance needs to be described carefully.
DMARC is not one of the Essential Eight controls. SPF, DKIM and DMARC do not create Essential Eight compliance. They are not a replacement for MFA, patching, backups, endpoint hardening, logging, incident response or user training.
What they do provide is a practical layer of email domain security. They help an organisation control who is authorised to send mail for its domain, reduce direct domain spoofing, improve governance of third-party sending platforms and produce evidence that can support broader cyber maturity.
For Australian SMEs, professional services firms, regulated businesses and growing organisations, that makes SPF, DKIM and DMARC worth doing properly.
Solway Web Consulting provides email domain security audits and DMARC consulting for Australian organisations that need practical, independent review without inflated compliance claims.
Why email domain security matters in Australian cyber risk management
Email is where business identity is exercised every day. Staff send quotes. Finance teams send invoices. Partners share documents. Clients confirm instructions. Suppliers update details. Patients, tenants, customers and referrers rely on messages that appear to come from trusted domains.
That trust can be abused in several ways:
- direct spoofing of the organisation's real domain
- lookalike domains
- compromised Microsoft 365 or Google Workspace accounts
- malicious forwarding rules
- unauthorised third-party platforms
- old website forms or legacy systems
- fake invoice and payment change messages
SPF, DKIM and DMARC focus mainly on the first category: unauthorised use of a domain in email authentication and the visible From address. They also improve visibility over legitimate sending services.
For an Australian SME, that visibility is valuable. Many businesses do not have a current map of who sends email for their domain. A review often finds old CRMs, former web hosts, marketing tools, accounting platforms and booking systems still present in DNS or DMARC reports.
Email domain security turns that unknown into a controlled inventory.
Where Essential Eight fits
The Essential Eight is a prioritised set of mitigation strategies developed by the Australian Signals Directorate. ASD describes the Essential Eight as a baseline designed to make it harder for adversaries to compromise internet-connected IT networks.
The eight strategies are:
- patch applications
- patch operating systems
- multi-factor authentication
- restrict administrative privileges
- application control
- restrict Microsoft Office macros
- user application hardening
- regular backups
DMARC is not in that list.
That distinction matters. A consultant or vendor should not claim that publishing a DMARC record makes a business Essential Eight compliant. Essential Eight maturity involves specific controls and assessment expectations. Email authentication may support a broader risk reduction program, but it is not a substitute for the Essential Eight.
The more accurate statement is this: email domain security complements Essential Eight-style cyber hygiene. It reduces one form of email abuse while the Essential Eight addresses other common compromise paths such as unpatched systems, weak authentication, excessive privileges and poor backup resilience.
Where the ISM fits
The Australian Signals Directorate's Information Security Manual, or ISM, is broader than the Essential Eight. ASD describes the ISM as a cyber security framework that organisations can apply using their risk management framework to protect information technology and operational technology systems from cyber threats.
The ISM is especially relevant for government and larger organisations, but its risk-based thinking can also help SMEs and suppliers that need more structured security governance.
SPF, DKIM and DMARC are best viewed through that lens. They are not a complete framework. They are controls that support:
- secure configuration of email and DNS
- governance over third-party sending services
- monitoring of unauthorised sending attempts
- protection of business communications
- reduction of spoofing opportunities
- evidence for supplier and management discussions
For a small business, "ISM-aligned" should not mean pretending to run a government-grade compliance program. It should mean applying sensible risk management: know your assets, configure them securely, monitor important signals and document decisions.
Where SPF, DKIM and DMARC fit
SPF, DKIM and DMARC are email authentication controls.
SPF publishes, in DNS, which servers are authorised to send mail using a domain as the envelope sender (the bounce address, not the From header people see). It is useful for sender inventory and basic authorisation, but SPF alone does not reliably protect the visible From address, because it checks a different identifier, and an SPF record is limited to 10 DNS lookups per evaluation.
DKIM signs outgoing mail with a cryptographic signature. The receiving server checks the signature using a public key in DNS. DKIM depends on correct selectors and the signing domain. Microsoft 365, Google Workspace and third-party platforms often need separate DKIM configuration.
DMARC ties SPF and DKIM to the visible From domain and lets the domain owner publish a policy. The policy can monitor only with p=none, ask receivers to quarantine failing mail with p=quarantine, or ask receivers to reject failing mail with p=reject.
For compliance-aware buyers, the most important word is alignment. A message can pass SPF or DKIM for a vendor's domain but still fail DMARC for the organisation's visible From domain. A proper review checks alignment, not just whether individual checks say "pass".
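The alignment distinction above, as an added worked example (not code from the original article or from Solway Web Consulting): the domains, records and SPF/DKIM outcomes are constructed, and the organisational-domain rule is simplified to a handful of Australian suffixes rather than the full Public Suffix List.

```python
# Added example (not from the original article): the DMARC alignment check the
# text describes. Domains, records and SPF/DKIM outcomes below are constructed.
# The organisational-domain rule is simplified; real receivers use the Public
# Suffix List, so only a few Australian second-level suffixes are handled here.
MULTI_PART_SUFFIXES = {"com.au", "net.au", "org.au", "edu.au", "gov.au", "id.au"}

def org_domain(domain: str) -> str:
    """Organisational domain: example.com.au for mail.example.com.au."""
    labels = domain.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_PART_SUFFIXES else 2
    return ".".join(labels[-n:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r', the default) only needs
    the same organisational domain, so a subdomain such as em.example.com.au aligns."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def parse_dmarc(record: str) -> dict:
    """Parse tag=value pairs from a DMARC TXT record, defaulting adkim/aspf to relaxed."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

def dmarc_result(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return (dmarc_pass, policy). DMARC passes only if SPF passed AND its domain
    aligns with the visible From domain, or DKIM passed AND its d= domain aligns."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    return (spf_ok or dkim_ok), tags.get("p", "none")

if __name__ == "__main__":
    # Vendor signs and sends from its own domain: SPF and DKIM both "pass", yet
    # DMARC fails for example.com.au because neither identifier aligns.
    print(dmarc_result("v=DMARC1; p=quarantine", "example.com.au",
                       True, "bounce.vendor.example", True, "vendor.example"))
```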
Microsoft and Google both publish guidance on configuring SPF, DKIM and DMARC for their platforms.
What DMARC does not solve
DMARC is useful, but overselling it creates false confidence.
DMARC does not stop every phishing email. It does not stop messages sent from lookalike domains. It does not stop a criminal who has compromised a real staff mailbox. It does not replace MFA. It does not patch endpoints. It does not train staff to verify payment changes. It does not back up business data. It does not secure the domain registrar account by itself.
It also does not guarantee delivery. Good authentication helps mail systems trust legitimate mail, but spam filtering still considers reputation, content, recipient engagement and other signals.
DMARC should be part of a wider control set:
- phishing-resistant MFA for important accounts
- secure configuration of Microsoft 365 or Google Workspace
- restricted administrator privileges
- device patching
- endpoint protection
- tested backups
- secure payment change procedures
- staff awareness
- domain registrar MFA and recovery controls
- monitoring for suspicious mailbox rules
For account protection, Solway Web Consulting also provides hardware MFA and passkey setup.
How domain spoofing creates business risk
Domain spoofing matters because it exploits existing trust.
Imagine a client receives an invoice from an address that appears to be your real accounts mailbox. The branding looks right. The signature looks familiar. The timing is plausible. The only change is the bank account number.
Or a supplier receives a message that appears to come from a managing partner asking for an urgent document. Or a clinic patient receives a payment link. Or a builder's client receives a staged payment request.
If the domain has no DMARC enforcement, some receiving systems may have less evidence to reject the fake message. If the domain has p=reject and legitimate senders are aligned, direct spoofing becomes harder.
That does not eliminate business email compromise, but it reduces one important attack path.
Why this matters for SMEs, professional services and regulated businesses
Australian SMEs often have a high-trust email footprint without enterprise security staffing.
Accountants, bookkeepers, law firms, migration agents, clinics, allied health providers, consultants, architects, mortgage brokers, builders and agencies all send information that customers treat as authoritative. Many also use multiple SaaS platforms that send on their behalf.
Regulated and professional environments have additional reasons to care:
- client confidentiality
- payment integrity
- privacy obligations
- professional reputation
- supplier assurance
- cyber insurance questions
- contractual security expectations
SPF, DKIM and DMARC give these organisations a practical way to improve domain governance without starting with a large security program.
Microsoft 365, Google Workspace and third-party senders
Most Australian SMEs use Microsoft 365 or Google Workspace for staff email. That is only the starting point.
A proper email domain security review should check:
- SPF record syntax and lookup count
- DKIM status for Microsoft 365 or Google Workspace custom domains
- DMARC record syntax, reporting and policy
- whether the visible From domain aligns
- website forms and SMTP configuration
- Xero, MYOB or other accounting platforms
- Mailchimp or email marketing tools
- HubSpot, Salesforce or CRM tools
- Shopify, WooCommerce or ecommerce systems
- booking, appointment and helpdesk platforms
- parked domains and unused domains
Third-party senders are often where DMARC projects become operational rather than theoretical. Each platform may require its own verification and DNS records. Some platforms are better configured on subdomains. Some legacy senders should be removed entirely.
What to ask a DMARC, SPF and DKIM consultant
When comparing consultants or vendors, ask practical questions.
Can they explain SPF, DKIM and DMARC without hiding behind acronyms? Can they show the difference between pass and alignment? Can they review DNS safely before changing records? Can they configure both Microsoft 365 and Google Workspace? Can they identify third-party senders from business process and DMARC reports? Can they provide a written report that a business owner can understand?
Also ask what they will not claim.
A credible consultant should not claim that DMARC alone prevents phishing. They should not claim that SPF alone stops spoofing. They should not recommend p=reject immediately without monitoring. They should not sell "Essential Eight compliance" on the basis of a DMARC record.
Good consulting is measured. It finds the real senders, fixes authentication, monitors reports and moves policy in stages.
Vendor checklist for Australian organisations
Use this checklist when selecting a DMARC, SPF and DKIM consultant or vendor:
- Can they review DNS safely and explain proposed changes before making them?
- Can they handle Microsoft 365 and Google Workspace?
- Can they identify third-party sending services from both interviews and DMARC data?
- Can they interpret DMARC aggregate reports?
- Can they produce a plain-English audit report?
- Can they support staged policy enforcement from none to quarantine to reject?
- Do they understand Australian SME risk, including invoice fraud and professional services workflows?
- Do they avoid over-selling "compliance"?
- Can they advise on parked domains and defensive DMARC?
- Can they coordinate with web developers, MSPs and SaaS vendors?
- Can they explain residual risks after DMARC enforcement?
This checklist is useful whether you choose a local Sydney DMARC consultant, a national provider or an enterprise DMARC platform.
Building a practical roadmap
A practical roadmap does not need to be complicated.
First, review the domain and DNS. Confirm current SPF, DKIM and DMARC state. Check whether records are valid and whether SPF is within lookup limits.
Second, identify every sender. Include Microsoft 365 or Google Workspace, websites, CRMs, accounting platforms, email marketing, booking systems, helpdesks and legacy tools.
Third, enable or fix DKIM for the main mail platform and key third-party senders.
Fourth, publish DMARC at p=none with reporting if it is not already in place. Use the reports to validate what is sending.
Fifth, remediate alignment failures. This may require DNS changes, platform verification, SMTP changes or supplier coordination.
Sixth, move gradually to p=quarantine and then p=reject once legitimate senders are aligned.
Seventh, keep monitoring. Review DMARC and DNS whenever the business changes mail platforms, websites, CRMs, marketing tools or accounting systems.
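To make the "identify every sender" and "remediate alignment failures" steps data-driven, here is an added example (not code from the original article or from Solway Web Consulting) that summarises a DMARC aggregate (rua) report into the buckets a staged rollout needs. The report XML, IP addresses and domains are constructed placeholders in the RFC 7489 aggregate format.

```python
# Added example (not from the original article): summarise a DMARC aggregate (rua)
# report so the sender inventory and alignment remediation steps are driven by
# data. The XML below is constructed; IPs and domains are placeholders.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
<policy_published><domain>example.com.au</domain><p>none</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
<identifiers><header_from>example.com.au</header_from></identifiers>
<auth_results><dkim><domain>example.com.au</domain><result>pass</result></dkim>
<spf><domain>example.com.au</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>15</count>
<policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>example.com.au</header_from></identifiers>
<auth_results><dkim><domain>crm-vendor.example</domain><result>pass</result></dkim>
<spf><domain>bounce.crm-vendor.example</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.99</source_ip><count>40</count>
<policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>example.com.au</header_from></identifiers>
<auth_results><spf><domain>example.com.au</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def summarise(report_xml: str) -> dict:
    """Per source IP: message count, whether DMARC passed (policy_evaluated dkim/spf
    'pass' means an ALIGNED pass) and the raw SPF/DKIM results with their domains."""
    out = {}
    for rec in ET.fromstring(report_xml).findall("record"):
        pe = rec.find("row/policy_evaluated")
        raw = [f"{k}:{a.findtext('domain')}={a.findtext('result')}"
               for k in ("dkim", "spf") for a in rec.findall(f"auth_results/{k}")]
        out[rec.findtext("row/source_ip")] = {
            "count": int(rec.findtext("row/count")),
            "dmarc_pass": "pass" in (pe.findtext("dkim"), pe.findtext("spf")),
            "raw_auth": raw}
    return out

def classify(summary: dict) -> dict:
    """Bucket sources as the roadmap needs: aligned (leave alone), authenticating but
    unaligned (a third-party sender to fix) or unauthenticated (spoofing or legacy)."""
    buckets = {"aligned": [], "needs_alignment": [], "unauthenticated": []}
    for ip, s in summary.items():
        if s["dmarc_pass"]:
            buckets["aligned"].append(ip)
        elif any(r.endswith("=pass") for r in s["raw_auth"]):
            buckets["needs_alignment"].append(ip)
        else:
            buckets["unauthenticated"].append(ip)
    return buckets
```

Sources in the needs_alignment bucket are the platforms whose DKIM signing domain or SPF envelope domain must be moved onto your domain before p=quarantine; the unauthenticated bucket is what p=reject would block.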
For a detailed rollout path, see DMARC for Australian SMEs: moving from none to quarantine and reject safely. For plain-English protocol background, see SPF, DKIM and DMARC explained for Australian businesses.
Final thoughts
SPF, DKIM and DMARC belong in Australian cyber risk discussions, but they should be positioned honestly.
They are not the Essential Eight. They are not a full ISM implementation. They are not a complete compliance solution. They are practical email domain security controls that help reduce spoofing risk, improve governance over authorised senders and provide useful evidence for management, clients and suppliers.
For many Australian organisations, that is exactly the right kind of improvement: specific, measurable and commercially useful.
Solway Web Consulting provides Email Domain Security Audits for Australian organisations, including SPF, DKIM, DMARC, Microsoft 365, Google Workspace, third-party sender review and staged enforcement advice.
Frequently Asked Questions
Is DMARC one of the Essential Eight controls?
No. DMARC is not listed as one of the Essential Eight mitigation strategies. It supports broader email security, spoofing resistance, governance and phishing risk reduction, but it should not be sold as Essential Eight compliance by itself.
How does email domain security relate to the ISM?
The ISM is a broader ASD cyber security framework for protecting systems and data through risk management. SPF, DKIM and DMARC can support ISM-aligned thinking around secure configuration, monitoring, governance and protection of business communications.
Does DMARC replace MFA or user training?
No. DMARC helps with direct domain spoofing, but it does not stop compromised mailboxes, lookalike domains or all phishing. MFA, patching, backups, endpoint controls, user training and secure configuration remain necessary.
What should Australian organisations ask a DMARC consultant?
Ask whether they can review DNS safely, handle Microsoft 365 and Google Workspace, identify third-party senders, interpret DMARC reports, support staged policy enforcement and explain the outcome without over-selling compliance.