DMARC for law firms: protecting client money from email fraud
Email fraud against law firm clients is not a hypothetical - the SRA has documented millions in client losses, most of it "Friday afternoon fraud". Here is what DMARC genuinely protects against, what it does not, and what the SRA's guidance actually says.
The most expensive cybercrime in the legal sector does not involve breaking into anything. It involves an email that looks like it came from your firm, sent to a client at the worst possible moment - typically a Friday afternoon before completion, with "updated" bank details for the deposit.
The Solicitors Regulation Authority (SRA) has reported that email hacks of conveyancing transactions are the most common cybercrime in the legal sector, with £7m of client losses reported in a single year (SRA risk outlook, 2016 figures, via Legal Futures). The SRA's own analysis found the majority of cyber fraud in the sector is "Friday afternoon fraud", and email modification fraud accounts for a large share of cases. A 2018 NCSC and Law Society report found three in five firms had experienced a security incident, with one partner receiving more than 11,500 phishing emails in a single month.
The consequences land on the firm, not just the client. The Solicitors Disciplinary Tribunal has fined solicitors over these incidents - in one case £26,000, after more than £290,000 of client money was transferred to a fraudster.
This post explains where Domain-based Message Authentication, Reporting and Conformance (DMARC) fits into that picture - honestly, including what it does not do.
How the fraud works
In a typical conveyancing diversion, the criminal needs one thing: an email to the client that appears to come from the firm. There are three ways to get it:
- Exact-domain spoofing. The email genuinely shows yourfirm.co.uk in the From address. No hacking required - email's original design lets anyone claim any sender address, unless the domain owner has published controls that say otherwise.
- Look-alike domains. The criminal registers yourf1rm.co.uk or yourfirm-conveyancing.co.uk and hopes nobody looks closely.
- Account takeover. The criminal compromises a real mailbox - at the firm or at the client - and joins the genuine email thread.
DMARC addresses the first of these completely, and gives you intelligence on attempts. It does not address the second or third - anyone telling you otherwise is overselling. But the first category is the cheapest and most scalable attack, which is exactly why it is common: a fraudster can spoof an unprotected domain at scale, for free, with no compromise of any system.
What DMARC does for a law firm
DMARC lets your firm publish a public instruction to every receiving mail server: if an email claims to be from our domain and cannot prove it, reject it. Once your policy reaches enforcement (p=quarantine or p=reject), a spoofed email from yourfirm.co.uk simply does not reach the client's inbox.
Just as importantly, DMARC sends you reports. Every day, providers such as Google and Microsoft report back on every message they saw claiming to be from your domain - where it came from and whether it authenticated. For a law firm, those reports answer questions your compliance file currently cannot:
- Is anyone, anywhere, sending email pretending to be us?
- Are our own systems - case management, e-signature platforms, billing software - sending email that authenticates correctly, or is legitimate client correspondence at risk of landing in spam?
- Can we evidence, in writing, that we monitor this?
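To make the three questions above concrete, here is an added example (not SealedMail's code, and not the page's own) that reads a DMARC aggregate report in the standard RFC 7489 XML shape and tallies, per sending IP, how much mail claiming the domain authenticated and how much did not. The report embedded in it is constructed: the receiver name, report id, IP addresses and counts are made up, and the domain is the page's placeholder yourfirm.co.uk.

```python
"""Summarise a DMARC aggregate (RUA) report.

Added example, not SealedMail's code. The XML below is a constructed sample in
the RFC 7489 aggregate-report shape; receiver, IPs and counts are made up.
"""
import xml.etree.ElementTree as ET

# Constructed sample report with two rows. The first row is the firm's own mail
# platform (aligned DKIM and SPF both pass); the second is an unknown source
# that fails both checks while claiming to be yourfirm.co.uk.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>example-receiver.invalid</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>yourfirm.co.uk</domain>
    <p>none</p>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>240</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourfirm.co.uk</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.77</source_ip>
      <count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourfirm.co.uk</header_from></identifiers>
  </record>
</feedback>
"""


def summarise_report(xml_text: str) -> dict:
    """Return the published policy plus per-source pass/fail message counts.

    A row counts as authenticated when either aligned DKIM or aligned SPF
    passed, which is the DMARC pass condition. Everything else is mail that
    claimed the domain and could not prove it.
    """
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    summary = {
        "domain": published.findtext("domain"),
        "policy": published.findtext("p"),
        "sources": {},
    }
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = summary["sources"].setdefault(ip, {"pass": 0, "fail": 0})
        entry["pass" if passed else "fail"] += count
    return summary


def failing_sources(summary: dict) -> list:
    """IPs that sent mail claiming the domain without authenticating.

    Under p=none these messages were still delivered; at p=quarantine or
    p=reject the receiver would have held or refused them.
    """
    return sorted(ip for ip, c in summary["sources"].items() if c["fail"] > 0)


if __name__ == "__main__":
    s = summarise_report(SAMPLE_REPORT)
    print(f"{s['domain']} published p={s['policy']}")
    for ip, c in s["sources"].items():
        print(f"  {ip}: {c['pass']} authenticated, {c['fail']} failed")
    print("unauthenticated senders:", failing_sources(s))
```

Run against a real day's reports, the failing list is the answer to the first question (is anyone pretending to be us?), and any of your own platforms appearing in it answers the second (is legitimate correspondence at risk?). Keeping the daily summaries is the written evidence the third question asks for.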
That last point matters more than it used to. Professional indemnity insurers increasingly ask about email authentication controls at renewal, and client due-diligence questionnaires from commercial clients routinely include them.
What the SRA actually says
Precision matters here, because overstated compliance claims help nobody. The SRA does not mandate DMARC. What is true, and verifiable:
- The SRA Code of Conduct for Firms requires effective governance, risk and compliance arrangements (paragraphs 2.1 and 2.5), and the confidentiality duties in paragraphs 6.3 and 6.4 - alongside Principle 7 - underpin firms' information security obligations.
- The SRA's published cyber security guidance and thematic reviews explicitly reference DMARC as an NCSC-recommended control.
- The Law Society's cyber security guidance points firms in the same direction.
So the honest framing is: DMARC is a recommended control within SRA and Law Society cyber guidance, and implementing and monitoring it is consistent with your obligations under the Code. If a regulator or insurer ever asks what reasonable steps the firm took against email impersonation, a DMARC policy at enforcement plus weekly monitoring reports is a concrete, documented answer.
What it does not do - said plainly
- It does not stop look-alike domain fraud. Client education and transaction verification procedures (calling on a known number before transferring funds) remain essential.
- It does not stop account takeover or thread hijacking. Strong authentication on mailboxes addresses that.
- It does not guarantee deliverability of your legitimate email, although fixing the authentication failures DMARC reporting reveals usually improves it.
DMARC is one layer - the layer that removes the cheapest attack entirely and gives you visibility you otherwise lack.
Where most firms actually are
In our experience, a typical small firm's domain falls into one of three states: no DMARC record at all; a record at p=none added by a web developer years ago, with reports going nowhere; or a record whose reporting address points at the NCSC's Mail Check service, which was retired on 31 March 2026 and no longer receives anything.
All three states look fine from the inside. All three provide no protection and no visibility. The starting point is simply finding out which state your domain is in - and if you have a DMARC record sitting at p=none, read Why DMARC p=none is not protecting you next.
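The following is an added example (not SealedMail's code, and not the Free Domain Health Check) that sorts a DMARC TXT record into those states. It works on the record string you would find at _dmarc.yourfirm.co.uk rather than performing the DNS lookup, so it runs offline; RETIRED_REPORT_DOMAINS is a hypothetical placeholder standing in for reporting addresses that no longer collect anything, such as the retired Mail Check service, whose address the page does not give.

```python
"""Classify a DMARC record: no record, monitor-only, dead reporting, or enforced.

Added example, not SealedMail's code. The DNS lookup is left out so the
check runs offline on a record string.
"""
from typing import Optional

# Hypothetical placeholder for reporting-address domains that are retired and
# no longer receive reports. Replace with your own list; this value is made up.
RETIRED_REPORT_DOMAINS = {"retired-reporting.example"}


def parse_dmarc(record: Optional[str]) -> dict:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a tag dictionary.

    Returns an empty dict when there is no record or it is not a DMARC record
    (for example an SPF record published at the wrong name).
    """
    if not record:
        return {}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def report_addresses(tags: dict) -> list:
    """Aggregate-report (rua) mailto: addresses, with any '!size' suffix removed."""
    addrs = []
    for target in tags.get("rua", "").split(","):
        target = target.strip()
        if target.lower().startswith("mailto:"):
            addrs.append(target[len("mailto:"):].split("!")[0])
    return addrs


def assess(record: Optional[str]) -> dict:
    """Report whether the record protects the domain and whether anyone sees reports.

    protected: policy is quarantine or reject and pct is not 0 (pct=0 leaves a
               reject policy with no effect). visible: at least one rua address
               whose domain is not in the retired list.
    """
    tags = parse_dmarc(record)
    if not tags:
        return {"state": "no-record", "policy": None, "protected": False,
                "visible": False, "dead_report_addresses": []}
    policy = tags.get("p", "").lower()
    pct = int(tags.get("pct", "100") or 100)
    addrs = report_addresses(tags)
    dead = [a for a in addrs
            if a.rsplit("@", 1)[-1].lower() in RETIRED_REPORT_DOMAINS]
    live = [a for a in addrs if a not in dead]
    protected = policy in ("quarantine", "reject") and pct > 0
    visible = bool(live)
    if protected and visible:
        state = "enforced-and-monitored"
    elif protected:
        state = "enforced-but-blind"
    elif visible:
        state = "monitor-only"
    else:
        state = "reports-going-nowhere"
    return {"state": state, "policy": policy, "protected": protected,
            "visible": visible, "dead_report_addresses": dead}


if __name__ == "__main__":
    for rec in (None,
                "v=DMARC1; p=none",
                "v=DMARC1; p=none; rua=mailto:dmarc@retired-reporting.example",
                "v=DMARC1; p=reject; rua=mailto:dmarc@reports.yourfirm.co.uk!10m"):
        print(repr(rec), "->", assess(rec)["state"])
```

The first three inputs in the usage block are the three "looks fine from the inside" states the text describes; only the last one both blocks spoofing and delivers reports somewhere that is read.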
A practical first step
SealedMail's Free Domain Health Check audits your firm's SPF, DKIM, DMARC, MTA-STS, TLS-RPT, BIMI and blacklist status, and emails you a clear, scored certificate you can put straight into your compliance file. No sign-up, no obligation, no sales call.
If the firm then wants the ongoing monitoring handled, SealedMail receives and interprets your DMARC reports and sends a weekly plain-English summary - written for a practice manager or COLP, not an IT department - for £49 per domain per month. For the wider picture on how these frauds operate, see Business email compromise: what UK firms need to know and our plain-English guide, What is DMARC?.