DMARC monitoring for law firms
Weekly plain-English monitoring that shows your firm every attempt to send email as your domain - before a client transfers money to the wrong account.
UK data · UK servers · UK GDPR compliant · ICO registered · Professionally insured · Cyber Essentials in progress
Regulatory alignment - SRA cyber guidance
The Solicitors Regulation Authority's published cyber guidance recommends DMARC as an email security control for law firms. SealedMail's weekly reports and health check certificates are formatted as audit-ready evidence: dated, plain English, and ready to file with your compliance documentation or share with your PI insurer. Source: SRA cyber-security guidance
The risk: Friday afternoon fraud
In conveyancing, the attack is so routine it has a name. Late in the week, as completion approaches, a client receives an email that appears to come from their solicitor: the bank details for the deposit have changed. The money goes to a criminal's account, and by Monday it's gone. The Solicitors Regulation Authority (SRA) reports that email modification fraud - altering payment details mid-transaction - is the single most common cyberattack reported to it, accounting for 68% of the cybercrime reports it receives.
The uncomfortable part: when the fraudulent email uses your actual domain - not a look-alike - your client has no realistic way to spot it. And without DMARC monitoring, neither do you. The first you hear of it is the phone call after the money has moved.
Where the SRA stands
The SRA does not mandate DMARC by name. What it does require, through the Code of Conduct for Firms, is effective governance, risk management and the protection of client money and confidential information - and the SRA's published cyber security guidance recommends DMARC as an NCSC-recommended control against email spoofing. Firms must also report serious breaches to the SRA and the ICO, and solicitors have faced disciplinary action and personal financial consequences following email-enabled fraud.
In practice, that means a firm that has never looked at its DMARC reports will find it hard to evidence that email impersonation risk is being managed at all.
What a SealedMail report shows a law firm
Every Monday, in plain English: who sent email as your domain last week, from where, and whether it was legitimate. If a server in another country sent two hundred messages claiming to be your firm and they were delivered because your DMARC policy is still at "monitor only", your report says exactly that - what it is, what it means, and what kind of action it points to. If everything is quiet and authenticated, it says that too, in a couple of paragraphs your COLP can read in two minutes and file.
Each report doubles as documentation: when your PI insurer's renewal questionnaire or a client's panel audit asks how email impersonation is monitored, the answer is sitting in your inbox, dated and consistent, week after week.
Why law firms choose SealedMail
No IT department needed. Reports are written for practice managers and compliance officers, not sysadmins. The only technical step is a one-time DNS change your domain provider can do for you.
Evidence on demand. Weekly reports formatted to serve as audit and due-diligence documentation - for the SRA, your insurer, or a lender panel.
A named UK expert. One person runs SealedMail and answers your emails the same working day. Your supplier due-diligence file gets a name, not a ticket system.
£49 per domain, per month · No contract - cancel any time · UK-based · Support Mon-Fri 09:00-17:00
See where your firm stands
The free health check audits your domain's full email authentication setup - DMARC, SPF, DKIM, MTA-STS, TLS-RPT and blacklist status - and sends you a scored, plain-English certificate. No obligation, no sales call.