BuchananBurton

Update – October 2025

Over a month has passed since I first published the information below, and I have received responses from both Buchanan Burton and the Law Society of Scotland.

The only good news is that the response I received from Buchanan Burton was properly DKIM-signed, so at least they are now correctly authenticating both SPF and DKIM. Thank you for that.

That still leaves a myriad of TLS servers with serious issues and the complete absence of any DMARC policy.

Then we come to the Law Society of Scotland. In their response, they didn’t explicitly acknowledge that I was complaining about them. They seemed to be focused on any complaint against a solicitor. They have a DMARC policy of ‘none’, which is ineffective in protecting the Law Society of Scotland from cyber abuse. This is especially disappointing given that they are the professional body and regulator for solicitors in Scotland. Their DMARC policy hasn’t changed; it remains set to ‘none’. They even have some crude cybersecurity advice on their website, which, whilst correct, is probably too vague to be of much use. It certainly doesn’t seem to be helping them in relation to DMARC.

The fundamental point here is that whoever owns an internet domain name is responsible for its configuration. If an IT Support company is administering the domain name, they may well advise on how it should be configured, but they are not responsible. The IT Support company isn’t the party accepting the terms and conditions, whether those of the domain name registration or those attached to accepting card payments under that domain name. The domain owner is!

I will continue to monitor the situation until it improves.


Original Post – September 2025

I have an issue with BuchananBurton solicitors in East Kilbride because of their poorly configured email.

When I approached them as a client, I made it clear that it was on the understanding that they fixed their email. I have advised them both face-to-face and in writing of the issues, and after more than six months of trying to get them to fix things, I am resorting to making my feelings publicly known.

Being entirely fair, they have managed to fix their SPF record, which had a typo that completely broke SPF, namely ‘-al’ instead of the correct ‘-all’.

I’m sorry, but I expect better from legal firms.

Let’s start by looking at the National Cyber Security Centre analysis of their email configuration:

https://checkcybersecurity.service.ncsc.gov.uk/email-security-check/results?domain=buchananburton.co.uk

The first thing this tells us is that, finally, they have a green tick for SPF.

However, they haven’t even attempted to create a DMARC record. Why does this matter? Because without a DMARC record, receiving mail servers are given no policy for mail that fails SPF or DKIM alignment, so they have no protection against malicious actors abusing their domain and spoofing their email. Additionally, as of April 2025, it has become a mandatory PCI-DSS (Payment Card Industry – Data Security Standard) requirement for any company accepting card payments.

Now, looking further into the TLS section of the report shows a complete lack of any housekeeping. Let me summarise. There are eight servers configured for Microsoft Office 365 email. This matches up with the SPF record defined, which only references Microsoft. While that is well and good, that cannot be said for the other sixteen servers configured. They vary from being ‘unable to resolve’ to ‘unable to connect’ to ‘invalid certificates’. This isn’t just untidy; it’s an entirely needless security risk, showing utter indifference.

One thing that doesn’t appear in the NCSC report is the status of the DKIM signing. Every email I have received from them has been DKIM signed by buchananburton.onmicrosoft.com.

Not only is this plain wrong, but it also breaks DKIM alignment: the signing domain (d=buchananburton.onmicrosoft.com) does not match the From: domain (buchananburton.co.uk), so the signature cannot satisfy DMARC. It is also about to be actively discouraged by Microsoft, and not a moment too soon.
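To show what ‘breaks DKIM alignment’ means in practice, here is an added example (my own illustration, not code from the post or from Microsoft) that performs the identifier alignment check a DMARC-aware receiver makes: it takes the From: domain and the d= domain of the DKIM-Signature and compares them in relaxed or strict mode. The messages are constructed samples, and the tiny suffix list standing in for the Public Suffix List is an assumption sufficient for .com and .co.uk only.

```python
# Added example: DKIM identifier alignment as evaluated for DMARC.
# Sample messages below are constructed; the suffix list is a minimal stand-in
# for the Public Suffix List (assumption: enough for .com and .co.uk).

import re
from email import message_from_string

TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}


def organizational_domain(domain):
    """Organisational domain: registrable name directly under the public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode="r"):
    """mode 'r' = relaxed (organisational domains match), 's' = strict (exact match)."""
    a, b = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def dkim_signing_domain(raw_message):
    """Extract the d= tag from the first DKIM-Signature header, or None."""
    sig = message_from_string(raw_message).get("DKIM-Signature")
    if not sig:
        return None
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
    return m.group(1) if m else None


def from_domain(raw_message):
    """Domain of the RFC5322.From address, or None."""
    m = re.search(r"@([A-Za-z0-9.-]+)", message_from_string(raw_message).get("From", ""))
    return m.group(1) if m else None


def dmarc_dkim_result(raw_message, adkim="r"):
    """'pass' only if a DKIM d= domain exists and aligns with From: under adkim."""
    d, f = dkim_signing_domain(raw_message), from_domain(raw_message)
    if d is None or f is None:
        return "fail"
    return "pass" if aligned(f, d, adkim) else "fail"


# Constructed sample: the pattern described in the post, signed by the tenant's onmicrosoft.com domain.
MISALIGNED = """From: Someone <someone@buchananburton.co.uk>
To: client@example.invalid
Subject: test
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=buchananburton.onmicrosoft.com;
 s=selector1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER

body
"""

# Constructed sample: signed with the custom domain, as Microsoft 365 does once a selector is published.
ALIGNED = MISALIGNED.replace("d=buchananburton.onmicrosoft.com", "d=buchananburton.co.uk")

# Constructed sample: signed by a subdomain; passes relaxed alignment, fails strict (adkim=s).
SUBDOMAIN_SIGNED = MISALIGNED.replace("d=buchananburton.onmicrosoft.com", "d=mail.buchananburton.co.uk")

if __name__ == "__main__":
    for name, msg in (("misaligned", MISALIGNED), ("aligned", ALIGNED), ("subdomain", SUBDOMAIN_SIGNED)):
        print(f"{name}: relaxed={dmarc_dkim_result(msg)} strict={dmarc_dkim_result(msg, 's')}")
```

The relaxed check is what DMARC applies by default (adkim=r); a firm that wants the onmicrosoft.com signature to count would have to change the signing domain, because no alignment mode treats onmicrosoft.com as the same organisation as buchananburton.co.uk.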

https://techcommunity.microsoft.com/blog/exchange/limiting-onmicrosoft-domain-usage-for-sending-emails/4446167

These are not difficult issues to resolve. Given that most cybersecurity incidents start with a malicious email, this is so disappointing.

The Law Society of Scotland has a web publication titled ‘An introductory guide to email account security’, dated October 2022. I would have to sympathise with small legal firms confronted with this, as I find it less than helpful. Nowhere does it mention SPF, DKIM, or DMARC. The closest it gets is point 5 under ‘Top tips to help defend against email attacks’, which says ‘Domain records. The end of your email, @acme.com, is called the domain. There are important records that need to be set in the domain control panel to avoid criminals easily spoofing your address.’ Given that the first DMARC specification was publicly released in 2012, became RFC7489 in 2015, and has been official guidance for all UK government services since 2016, simply referencing ‘Domain records’ seems somewhat remiss to me.

Note: At the time of writing, the Law Society of Scotland has a DMARC record defined in DNS, but it has a policy=none, which effectively renders it useless in the fight against spoofing and doesn’t comply with PCI-DSS requirements for accepting card payments. See the current status as assessed by the National Cyber Security Centre.
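The three DNS-side failings in this post (an SPF record broken by a ‘-al’ typo, no DMARC record at all, and a DMARC record with p=none) are all detectable from the TXT records themselves. The following is an added example of my own, not code from the post or from the NCSC service, that checks constructed records for exactly those problems. The record strings and the rua address are constructed; in practice the SPF record is fetched from the domain’s TXT records and the DMARC record from `_dmarc.<domain>`.

```python
# Added example: a small checker for the SPF and DMARC record problems described above.
# Record strings below are constructed for illustration, not fetched from DNS.

SPF_MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
SPF_MODIFIERS = {"redirect", "exp"}


def check_spf(record):
    """Return a list of problems found in an SPF TXT record (empty list = looks sane)."""
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    for term in terms[1:]:
        t = term.lower()
        if "=" in t:  # modifier, e.g. redirect=_spf.example.invalid
            if t.split("=", 1)[0] not in SPF_MODIFIERS:
                problems.append(f"unknown modifier '{term}'")
            continue
        name = t.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0]  # drop qualifier and argument
        if name not in SPF_MECHANISMS:
            # RFC 7208 s4.6.4: an unknown mechanism yields permerror, so receivers
            # discard the whole record. This is exactly what the '-al' typo did.
            problems.append(f"unknown mechanism '{term}' (permerror: SPF is effectively broken)")
    last = terms[-1].lower()
    if not (last.endswith("all") or last.startswith("redirect=")):
        problems.append("record does not end with an 'all' mechanism or a redirect")
    elif last in ("+all", "all"):
        problems.append("'+all' authorises every sender on the internet")
    return problems


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            k, _, v = part.partition("=")
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_dmarc(record):
    """Return (enforcing, findings). Pass None when no _dmarc TXT record exists."""
    if record is None:
        return False, ["no DMARC record published: receivers get no policy for spoofed mail"]
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return False, ["record does not begin with v=DMARC1; receivers will ignore it"]
    policy = tags.get("p")
    if policy is None:
        return False, ["required 'p' tag missing; record is invalid"]
    findings = []
    pct = tags.get("pct", "100")
    if policy == "none":
        findings.append("p=none: monitoring only, receivers take no action on failing mail")
    elif pct != "100":
        findings.append(f"pct={pct}: policy applied to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports will never arrive")
    enforcing = policy in ("quarantine", "reject") and pct == "100"
    return enforcing, findings


# Constructed records illustrating the cases in the post.
BROKEN_SPF = "v=spf1 include:spf.protection.outlook.com -al"
FIXED_SPF = "v=spf1 include:spf.protection.outlook.com -all"
MONITOR_ONLY_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.invalid"
ENFORCING_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.invalid; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, rec in (("broken", BROKEN_SPF), ("fixed", FIXED_SPF)):
        print(f"SPF {label}: {check_spf(rec) or 'OK'}")
    for label, rec in (("missing", None), ("p=none", MONITOR_ONLY_DMARC), ("reject", ENFORCING_DMARC)):
        enforcing, findings = assess_dmarc(rec)
        print(f"DMARC {label}: enforcing={enforcing} {findings}")
```

Only the last DMARC record counts as enforcing; a p=none record, like a missing one, leaves receivers free to deliver mail that fails both SPF and DKIM alignment, which is why the NCSC check does not treat it as protection.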