Prevent hijacks, phishing, and outages with a modern defense stack: registry locks, DNSSEC, DMARC enforcement, redundancy, and clear incident playbooks.
Enable registry lock on premium domains so nameservers, auth codes, and contacts cannot be changed without high-trust verification from the registry.
Turn on DNSSEC (sign zones and publish DS records) to prevent cache poisoning. Verify after enabling; many outages are misconfigured DS records.
Require hardware keys for registrar and DNS logins. Create separate roles for editing zones vs billing, and disable shared accounts.
Publish SPF/DKIM correctly, monitor DMARC reports for 30-60 days, then move to p=quarantine or p=reject to block spoofing.
| Control | Action | Cadence |
|---|---|---|
| WHOIS privacy & contacts | Keep org/legal email current; use distribution list, not a single user. | Quarterly |
| Auth codes & transfer lock | Rotate auth codes; keep transfer lock on except during planned moves. | Quarterly |
| Zone change review | Require approvals for NS/MX/CNAME edits; log who/when/why. | Every change |
| Backups | Export zone files and store encrypted off-provider. | Weekly |
| Uptime + DNS monitors | Monitor A/AAAA/CNAME resolution, SSL validity, and MX health. | 24/7 |
Document an emergency rollback: previous zone snapshot, provider contacts, and a comms template to inform customers if records are tampered with.
Publish a single SPF record that includes all senders; remove ~all/ptr. Enable DKIM for every sending service (marketing, product, support) and rotate keys yearly.
Start with p=none to collect reports, then move to p=quarantine and finally p=reject once alignment is clean. Add a reporting address you actually monitor.
Names.Center delivers premium domains with registry lock, DNSSEC, DMARC, SSL, and a rollback plan so you launch without risk.