Two of Three Escrow Domains Let Anyone Send As Them. The Check Takes Two Minutes.
Two of three escrow companies have no DMARC record, so anyone can send email from their exact address. Here is the free two-minute check.

I checked the email domain of every company that attended the last general EIC meeting for a record called DMARC. Sixty-eight percent had none.
Here is what that means. Anyone, anywhere, can send an email showing that company's exact address in the From line, and most receiving mail systems will deliver it. Not a look-alike domain. The exact address.
The fair thing first: this is not carelessness. Nothing in your inbox tells you DMARC is missing. No client ever asks about it. That 68 percent includes offices I would trust with my own closing. It is a setting nobody turned on, because nobody knew there was a setting.
Your office moves other people's money on emailed instructions, and your address is the one a buyer trusts. This piece ends with a check you can run before lunch and a fix your IT provider can finish in an afternoon. Both are free.
What DMARC is
When an email arrives claiming to be from yourcompany.com, the receiving server has to decide whether to believe it. DMARC is how your domain answers. It is a public record that names the servers allowed to send as you, and says what to do with mail that fails: deliver it, junk it, or refuse it.
No record means no answer, so the server delivers. This is how the classic scam starts. The buyer gets "updated wire instructions" from what reads as their escrow officer's real address, and nothing was hacked. Your name was available.
Check yourself in two minutes
Go to mxtoolbox.com/dmarc.aspx and type your domain, yourcompany.com, no "www," no email address.
Three possible results:
No DMARC record. Anyone can send as you.
A record with p=none. You are watching spoofed mail go by, not refusing it. A fine first step. Not a finished one.
p=quarantine or p=reject. Spoofed mail gets junked or bounced. You are ahead of two-thirds of the room.
While you are there, run the offices you wire with most. When someone wears a partner's address, the email lands in your inbox, not theirs.
The fix
There is no software to buy. Microsoft 365 and Google Workspace both support this. It is a settings change. Forward this article to whoever runs your email with one sentence:
"Please set up SPF, DKIM, and DMARC on our domain. Start DMARC at p=none to monitor, then move to p=reject once the reports look clean."
That sentence is the whole project. An afternoon of setup, a few weeks of monitoring, done.
The honest reading
DMARC guards the people receiving mail in your name more than it guards your own inbox. It will not stop a fraudster who registers yourcompany-escrows.com, and it does nothing if someone gets into a real mailbox. Verbal confirmation at a known number, suspicion of last-minute changes, trained staff, all of that stays.
What it ends is one trick: mail carrying your exact address. That is the cheapest trick in the playbook, and it only works on domains that never said no.
The check takes two minutes. The fix takes an afternoon.
Two out of three of us have a domain that will vouch for anyone. Yours can be off that list by the end of the week.
Sources and boundaries
The 68 percent figure is my own check: the companies attending the last general EIC meeting, run through MXToolbox's DMARC lookup. It is a snapshot of one room, not a census of California escrow. If I had your domain wrong, call me and I will recheck it. DMARC is defined in RFC 7489; how strictly receiving systems enforce a policy varies by mail provider.
Sebastian Heyneman is the founder of Veto and serves on the board of the Orange County Escrow Association and on EIC committees. sebastianheyneman@tryveto.com.
One page in the file before money moves.
Your office decides. Veto records what was reviewed, what stayed open, and who reviewed it.