Domain Security Checklist
## Why Domain Security Matters
Your domain name is the front door to your entire online presence. Lose control of it and you lose your website, your email, and the trust your customers place in your brand. Domain attacks are not theoretical: high-profile hijackings have redirected millions of users, and phishing campaigns built on look-alike domains cost businesses billions of dollars every year.
The good news is that most domain attacks are preventable. This checklist walks you through every layer of protection available to domain owners, from the basics you should have in place on day one to the advanced controls that protect mission-critical domains.
Use the Domain Registration Checklist to check your setup, and return to this guide whenever you register a new domain or change registrars.
## Layer 1: Registrar Account Security
Your Domain Registrar account is the master key to your domain. If an attacker gets into your account, they can change your DNS, transfer your domain away, or delete it entirely.
**Enable two-factor authentication (2FA) immediately.** Every major registrar supports it. Use an authenticator app (TOTP) rather than SMS, which can be intercepted via SIM-swapping attacks. See Two-Factor Authentication for Domain Accounts for a full walkthrough.
**Use a unique, strong password.** Never reuse a password from another service. A password manager makes this easy. The compromise of an unrelated service should never cascade to your domain account.
**Set a registrar account PIN or verbal password.** Many registrars allow a secondary PIN required for phone support — a defence against social engineering attacks where an attacker calls in pretending to be you.
**Audit authorized users.** If your account allows multiple team members, review who has access. Remove former employees and contractors immediately. Assign the minimum permissions each person needs.
**Use a dedicated email address for domain registration.** An address that is not published anywhere reduces your attack surface. If your registrar account email is compromised, attackers can reset your password via that inbox.
## Layer 2: Domain Locks
Domain locks are registrar- and registry-level controls that prevent unauthorized transfers and changes.
**Registrar Lock (Transfer Lock):** Enabled by default at most registrars, this prevents your domain from being transferred to another registrar without you explicitly unlocking it first. Confirm it is on with the WHOIS Lookup Tool — look for `clientTransferProhibited` in the EPP status codes.
**Registry Lock:** A premium, out-of-band lock offered by some TLD registries and high-end registrars. Changes require manual verification — often by phone or video call — making automated attacks practically impossible. See Registry Lock: The Ultimate Domain Protection for details on how to obtain it.
**Deletion Lock:** `clientDeleteProhibited` prevents accidental or malicious deletion of the domain. Confirm this status flag is set.
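A small audit of the lock status codes this layer describes, parsed from raw WHOIS output. This is example code added here, not a registrar's or the article's own tool; the WHOIS excerpt is constructed, and the `pendingTransfer` check is an addition beyond the two locks named above.

```python
"""Confirm the locks this layer describes from raw WHOIS output. Example code
added here, not a registrar's or the article's own tool; the WHOIS excerpt
below is constructed."""
import re

# Client-side locks the checklist asks you to confirm, and what their absence means.
REQUIRED_LOCKS = {
    "clientTransferProhibited": "domain can be transferred to another registrar",
    "clientDeleteProhibited": "domain can be deleted",
}
# Server-side codes are set by the registry itself, i.e. a registry lock is in place.
REGISTRY_LOCKS = {"serverTransferProhibited", "serverDeleteProhibited",
                  "serverUpdateProhibited"}
# WHOIS prints one status per line, e.g.
# "Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited"
STATUS_RE = re.compile(r"^\s*(?:Domain )?Status:\s*(\w+)", re.IGNORECASE | re.MULTILINE)

def parse_epp_statuses(whois_text: str) -> set[str]:
    """Extract the EPP status codes from WHOIS output."""
    return set(STATUS_RE.findall(whois_text))

def audit_locks(whois_text: str) -> dict:
    """Report missing required locks, registry-lock presence and pending transfers."""
    statuses = parse_epp_statuses(whois_text)
    return {
        "statuses": sorted(statuses),
        "missing": {code: why for code, why in REQUIRED_LOCKS.items()
                    if code not in statuses},
        "registry_lock": bool(statuses & REGISTRY_LOCKS),
        # pendingTransfer is the EPP code for a transfer already under way.
        "transfer_in_progress": "pendingTransfer" in statuses,
    }

# Constructed WHOIS excerpt: transfer lock present, deletion lock absent.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS1.EXAMPLE.NET
"""

if __name__ == "__main__":
    report = audit_locks(SAMPLE_WHOIS)
    for code, why in report["missing"].items():
        print(f"MISSING {code}: {why}")
    print("registry lock present:", report["registry_lock"])
```

A status of just `ok` means no locks at all, which the audit reports as both required locks missing.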
## Layer 3: DNSSEC
DNSSEC (DNS Security Extensions) adds a cryptographic chain of trust to your domain's DNS records. Without it, attackers can intercept DNS queries and point your visitors to fake servers — a technique called DNS spoofing or cache poisoning.
Check whether your TLD registry supports DNSSEC (most modern TLDs do), then enable it in your registrar's DNS settings. The registrar handles the key management for most users. See DNSSEC: Why You Should Enable It for a step-by-step explanation.
## Layer 4: SSL/TLS
SSL/TLS certificates let your server prove its identity to visitors and enable encrypted HTTPS connections between the two. Every domain serving a website should have HTTPS enabled. Beyond the padlock icon, HTTPS is a Google ranking signal and a trust indicator for users.
Enable HSTS (HTTP Strict Transport Security) on your web server to force browsers to always connect over HTTPS, preventing downgrade attacks. Certificate Authority Authorization (CAA) DNS records restrict which certificate authorities can issue certificates for your domain, blocking attackers from obtaining a fraudulent certificate. See SSL/TLS and Domain Security for full configuration guidance.
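The following checks the two controls this layer adds on top of HTTPS: it parses a `Strict-Transport-Security` header and a set of CAA records and reports what a reviewer would flag. This is example code added here, not from the article; the inputs are supplied by the caller and the one-year `max-age` threshold is this example's assumption.

```python
"""Evaluate the two controls this layer adds on top of HTTPS: the HSTS header
and CAA records. Example code added here, not from the article; the one-year
max-age threshold is an assumption, not a figure from the text."""
import re
from typing import Optional
ONE_YEAR = 31536000  # seconds; assumed minimum for a meaningful HSTS max-age

def parse_hsts(header: Optional[str]) -> dict:
    """Split a Strict-Transport-Security header value into its directives."""
    parsed = {"present": header is not None, "max_age": None,
              "include_subdomains": False, "preload": False}
    for directive in (header or "").split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            parsed["max_age"] = int(value)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed

def hsts_findings(header: Optional[str]) -> list[str]:
    """Problems a reviewer would flag; an empty list means the header is sound."""
    h = parse_hsts(header)
    if not h["present"]:
        return ["no Strict-Transport-Security header: HTTP downgrade possible"]
    findings = []
    if h["max_age"] is None:
        findings.append("max-age missing: browsers ignore the header")
    elif h["max_age"] < ONE_YEAR:
        findings.append(f"max-age={h['max_age']} is below one year")
    if not h["include_subdomains"]:
        findings.append("includeSubDomains absent: subdomains stay unprotected")
    return findings

CAA_RE = re.compile(r'^(\d+)\s+(issue|issuewild|iodef)\s+"([^"]*)"$', re.IGNORECASE)

def caa_issuers(records: list[str]) -> Optional[set[str]]:
    """CAs permitted to issue ordinary (non-wildcard) certificates. None means no
    'issue' record exists, so any CA may issue; an empty set ('0 issue ";"') forbids all."""
    issuers, restricted = set(), False
    for rec in records:
        match = CAA_RE.match(rec.strip())
        if match and match.group(2).lower() == "issue":
            restricted = True
            ca = match.group(3).split(";")[0].strip().lower()  # drop parameters
            if ca:
                issuers.add(ca)
    return issuers if restricted else None
```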
## Layer 5: Email Authentication
Email sent from your domain can be spoofed unless you configure authentication records. Attackers use spoofed emails for phishing, fraud, and brand damage.
Three DNS records form the foundation of email authentication:
- **SPF** — Lists the mail servers authorized to send email for your domain.
- **DKIM** — Adds a cryptographic signature to outgoing messages.
- **DMARC** — Tells receiving mail servers what to do when SPF or DKIM fails, and sends you reports.
Start with SPF and DKIM, then add a DMARC record in monitoring mode (`p=none`) before moving to enforcement (`p=quarantine` or `p=reject`). The full setup is covered in Email Security: SPF, DKIM, and DMARC Explained.
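To check the progression described above (SPF published, DMARC in monitoring mode, then enforcement), here is an added example that classifies SPF and DMARC TXT records and lists the gaps; it is not the article's own tooling, and the records in use are constructed. It goes slightly beyond the text by also flagging a `pct` below 100, which applies the policy to only a sample of messages, and a missing `rua` tag, without which no aggregate reports arrive.

```python
"""Classify SPF and DMARC records against the stages this section describes
(SPF published, DMARC monitoring vs enforcement). Example code added here, not
the article's own tooling; records passed in are constructed by the caller."""
from typing import Optional

def spf_all_qualifier(record: str) -> Optional[str]:
    """Qualifier on the 'all' mechanism: '-' fail, '~' softfail, '?' neutral, '+' pass
    (the default when none is written). None if not SPF or no 'all' term present."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        if term.lower().lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None

def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=mailto:...' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_stage(record: str) -> str:
    """'invalid', 'monitoring' (p=none), 'partial' (pct below 100) or 'enforcing'."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if tags.get("v", "").upper() != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        return "invalid"
    if policy == "none":
        return "monitoring"
    pct = tags.get("pct", "100")  # RFC 7489 default: policy applies to every message
    return "partial" if pct.isdigit() and int(pct) < 100 else "enforcing"

def email_auth_findings(spf: Optional[str], dmarc: Optional[str]) -> list[str]:
    """Gaps a reviewer would raise against the checklist; an empty list means OK."""
    findings = []
    qualifier = spf_all_qualifier(spf or "")
    if qualifier is None:
        findings.append("SPF missing or without an 'all' mechanism: unlisted senders are not failed")
    elif qualifier == "+":
        findings.append("SPF ends in +all: every sender passes")
    stage = dmarc_stage(dmarc or "")
    if stage != "enforcing":
        findings.append(f"DMARC is {stage}: spoofed mail is not consistently quarantined or rejected")
    if dmarc and "rua" not in parse_dmarc(dmarc):
        findings.append("DMARC has no rua tag: no aggregate reports will be delivered")
    return findings
```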
## Layer 6: WHOIS Privacy
WHOIS records historically exposed your name, address, phone number, and email to anyone who looked up your domain. This data is harvested by spammers and used by attackers to craft targeted phishing attempts.
Enable WHOIS privacy protection (also called WHOIS masking or ID Shield) at your registrar. Under GDPR and similar regulations, many registrars now redact personal data by default for registrants in certain jurisdictions, but it is worth confirming the status. See WHOIS Privacy: Security vs. Transparency for the trade-offs.
## Layer 7: Monitoring and Alerts
Protection is not complete without visibility.
**Enable registrar email alerts** for any account login, DNS change, or domain status change. Most registrars offer these in notification settings.
**Monitor for look-alike domains** that could be used for phishing. Services and tools can alert you when domains resembling yours are registered. See Domain Threat Monitoring for a full approach.
**Check domain expiry dates** and set auto-renew plus calendar reminders well in advance. An expired domain is immediately vulnerable to registration by a third party. See Expired Domain Risks: What Happens When a Domain Lapses for the details.
## Quick-Reference Checklist
| Control | Status to Confirm |
|---|---|
| 2FA on registrar account | Enabled (TOTP preferred) |
| Strong, unique password | Set via password manager |
| Registrar lock | `clientTransferProhibited` in WHOIS |
| Deletion lock | `clientDeleteProhibited` in WHOIS |
| DNSSEC | DS record in parent zone |
| HTTPS / SSL cert | Valid, not expired |
| HSTS | `Strict-Transport-Security` header present |
| CAA record | Restricts certificate issuers |
| SPF record | Published in DNS |
| DKIM | Selector key published |
| DMARC | `p=quarantine` or `p=reject` |
| WHOIS privacy | Registrant data masked |
| Expiry alerts | Auto-renew on + calendar reminder |
| Login / change alerts | Email notifications enabled |
Work through this list when you register a new domain, after any registrar change, and at least once a year as a scheduled review. A few hours of setup can prevent weeks of recovery work.