Prevent hijacks, phishing, and outages with a modern defense stack: registry locks, DNSSEC, DMARC enforcement, redundancy, and clear incident playbooks.
Enable registry lock on premium domains so nameservers, auth codes, and contacts cannot be changed without high-trust verification from the registry.
Turn on DNSSEC (sign your zones and publish DS records at the parent) so validating resolvers reject forged answers, which is what defeats cache poisoning. Verify after enabling, ideally from a validating resolver: many DNSSEC outages are DS records that do not match the zone's signing key.
Require hardware keys for registrar and DNS logins. Create separate roles for editing zones vs billing, and disable shared accounts.
Publish SPF/DKIM correctly, monitor DMARC reports for 30-60 days, then move to p=quarantine or p=reject to block spoofing.
| Control | Action | Cadence |
|---|---|---|
| WHOIS privacy & contacts | Keep org/legal email current; use distribution list, not a single user. | Quarterly |
| Auth codes & transfer lock | Rotate auth codes; keep transfer lock on except during planned moves. | Quarterly |
| Zone change review | Require approvals for NS/MX/CNAME edits; log who/when/why. | Every change |
| Backups | Export zone files and store encrypted off-provider. | Weekly |
| Uptime + DNS monitors | Monitor A/AAAA/CNAME resolution from outside resolvers, TLS certificate validity and expiry, and MX health. | 24/7 |
Document an emergency rollback: previous zone snapshot, provider contacts, and a comms template to inform customers if records are tampered with.
Publish exactly one SPF record that lists every sending service, ends with -all rather than the softfail ~all, and drops the deprecated ptr mechanism; keep it under the limit of 10 DNS-lookup terms, or receivers return PermError and the record protects nothing. Enable DKIM for every sending service (marketing, product, support), use 2048-bit keys, and rotate them yearly.
Start with p=none to collect reports, then move to p=quarantine and finally p=reject once alignment is clean. Add a reporting address you actually monitor.
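The rollout above is easier to get right if the records are checked before each policy step. The following is an added example, not code from the page or from Names.Center: an offline linter that applies the rules stated here (one SPF record, -all, no ptr, at most 10 lookup terms, a DMARC policy with a monitored rua address). The function names and the sample records for the fictitious domain are assumptions made for the example.

```python
"""Offline lint for SPF and DMARC TXT records.

Added example, not code from the original page. It checks the rules set
out above: exactly one SPF record that ends in -all, no deprecated ptr
mechanism, at most 10 DNS-lookup terms, and a DMARC record whose policy
and reporting address are in place. The records at the bottom are
constructed samples for a fictitious domain, not real DNS data.
"""
import re

# Mechanisms and modifiers that cost a DNS lookup under RFC 7208's limit of 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"^([+\-~?]?)([A-Za-z0-9]+)(?:[:=/].*)?$")


def lint_spf(txt_records):
    """Return human-readable findings for the SPF record(s) among txt_records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record published"]
    findings = []
    if len(spf) > 1:
        findings.append("multiple SPF records: receivers treat this as PermError")
    lookups = 0
    terminal = None
    for term in spf[0].split()[1:]:
        m = TERM_RE.match(term)
        if not m:
            findings.append(f"unparseable term: {term}")
            continue
        qualifier, name = m.group(1), m.group(2).lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated (RFC 7208) and slow; remove it")
        if name == "all":
            terminal = qualifier or "+"
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (PermError)")
    if terminal is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif terminal == "~":
        findings.append("~all is softfail; use -all once every sender is listed")
    elif terminal in ("+", "?"):
        findings.append(f"{terminal}all lets any host send as this domain")
    return findings


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict with lowercase tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(txt_records):
    """Findings for the DMARC record published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record at _dmarc.<domain>"]
    if len(dmarc) > 1:
        return ["multiple DMARC records: receivers ignore all of them"]
    tags = parse_dmarc(dmarc[0])
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; move to quarantine, then reject, once aligned")
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append("no rua=mailto: address: you will receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail")
    if tags.get("sp") == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none leaves subdomains spoofable while p= is enforced")
    return findings


# Constructed samples: the "before" records and the cleaned-up "after" records.
SPF_BEFORE = ["v=spf1 include:_spf.google.com include:sendgrid.net ptr mx ~all"]
DMARC_BEFORE = ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; sp=none"]
SPF_AFTER = ["v=spf1 include:_spf.google.com include:sendgrid.net mx -all"]
DMARC_AFTER = ["v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"]


def lint_domain(spf_records, dmarc_records):
    """Combined report; an empty dict means the records are ready for p=reject."""
    report = {}
    if lint_spf(spf_records):
        report["spf"] = lint_spf(spf_records)
    if lint_dmarc(dmarc_records):
        report["dmarc"] = lint_dmarc(dmarc_records)
    return report


if __name__ == "__main__":
    for label, s, d in (("before", SPF_BEFORE, DMARC_BEFORE), ("after", SPF_AFTER, DMARC_AFTER)):
        print(label, lint_domain(s, d))
```

Run it against the TXT records you pull with dig for the apex and for _dmarc.<domain>; the "before" sample fails on ptr, ~all and p=none, the "after" sample comes back clean. The lookup counter is deliberately naive (it does not follow include chains), so treat its count as a lower bound.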
Domain hijacking is the unauthorized transfer of a domain name to another registrar or registrant. It's more common than most domain owners realize — and the consequences are catastrophic: loss of email, website downtime, loss of search rankings, and in some cases permanent loss of the domain. Here's how attacks work and how to prevent each vector:
Social engineering of registrar support is the most common attack. A bad actor calls support claiming to be the account owner, often using leaked personal data to pass security checks, and requests an auth code or a contact email change. Prevention: enable registry lock (changes then require out-of-band, multi-party verification with the registry itself, which a registrar support agent cannot override on a phone call), use a shared team mailbox rather than an individual's address for WHOIS contacts, and enable every available security notification.
Registrar account email compromise: if the email address on your registrar account is taken over, an attacker can trigger password resets and take control of the account. Prevention: use a dedicated domain-management mailbox that is used for nothing else, never the address you use for newsletters or public contact, and protect that inbox with hardware-key MFA rather than SMS.
DNS cache poisoning: attackers plant forged answers in resolver caches so that queries for your domain resolve to their servers. Victims see the correct URL in the browser but are served attacker-controlled content (HTTPS only helps as long as the attacker cannot obtain a certificate for your name, which is why CAA matters as well). Prevention: enable DNSSEC so that validating resolvers reject the forged answers, and verify it at dnssec-analyzer.verisignlabs.com. A DS record that does not match the zone's DNSKEY is worse than no DNSSEC: validating resolvers return SERVFAIL for every name in the zone, so legitimate users cannot reach you at all.
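The DS-versus-DNSKEY mismatch is the check worth scripting, because it can be done before the DS is published at the parent. The following is an added example, not code from the page: it computes the key tag and DS digest for a DNSKEY as RFC 4034 specifies and compares them with a DS record as dig prints it. The DNSKEY below is a constructed four-byte placeholder, not a real key, and the function names are assumptions made for the example.

```python
"""Check that the DS record at the parent matches the child zone's DNSKEY.

Added example, not code from the page. Feed it the DNSKEY RDATA you get
from `dig <zone> DNSKEY` and the DS RDATA the parent publishes
(`dig <zone> DS`); a mismatch is exactly the misconfiguration that makes
validating resolvers answer SERVFAIL for the whole zone. The DNSKEY used
below is a constructed placeholder (a four-byte "public key"), not a
real DNSSEC key, so its tag and digest are illustrative only.
"""
import base64
import hashlib
import struct

# Digest types from the IANA DS registry that this check understands.
DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_wire(name):
    """Canonical wire form of the owner name (RFC 4034 s.6.2): lowercase, root label last."""
    labels = [label for label in name.lower().strip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA on the wire: 16-bit flags, protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithm 1 uses a different rule and is not covered)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def expected_ds(zone, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """DS RDATA (key tag, algorithm, digest type, upper-case hex digest) for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST[digest_type](owner_wire(zone) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def parse_ds(text):
    """Parse '<key tag> <algorithm> <digest type> <hex digest>' as dig prints it."""
    tag, alg, dtype, *hex_parts = text.split()
    return (int(tag), int(alg), int(dtype), "".join(hex_parts).upper())


def ds_matches(ds_text, zone, flags, protocol, algorithm, pubkey_b64):
    """True when the published DS is a digest of this DNSKEY; False on any mismatch."""
    tag, alg, dtype, digest = parse_ds(ds_text)
    if dtype not in DIGEST:
        return False
    return expected_ds(zone, flags, protocol, algorithm, pubkey_b64, dtype) == (tag, alg, dtype, digest)


# Constructed placeholder KSK: flags 257 (KSK), protocol 3, algorithm 13, key bytes 01 02 03 04.
SAMPLE_ZONE = "example.com."
SAMPLE_KSK = dict(flags=257, protocol=3, algorithm=13, pubkey_b64="AQIDBA==")


def check_sample():
    """A DS made from the live key passes; a DS left over from a rolled key fails."""
    good = "%d %d %d %s" % expected_ds(SAMPLE_ZONE, **SAMPLE_KSK)
    stale = "%d %d %d %s" % expected_ds(SAMPLE_ZONE, 257, 3, 13, "AQIDBQ==")  # previous key
    return ds_matches(good, SAMPLE_ZONE, **SAMPLE_KSK), ds_matches(stale, SAMPLE_ZONE, **SAMPLE_KSK)


if __name__ == "__main__":
    print(check_sample())  # (True, False)
```

The stale case is the usual real-world failure: the KSK was rolled at the DNS provider, but the DS at the registrar still digests the old key. Run the check against the DS that the parent actually serves, not the one in your registrar's UI, since the two can disagree for hours after a change.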
Forgetting to renew a domain — even briefly — allows competitors or bad actors to register it. Prevention: Enable auto-renewal on all critical domains, set renewal reminders 90 days before expiry, and set up domain monitoring alerts. Keep credit card payment methods current on registrar accounts.
Most guides cover SPF and DMARC. Here are the advanced DNS settings that enterprise-grade domain owners implement but rarely discuss publicly:
Certificate Authority Authorization (CAA) records restrict which CAs may issue TLS certificates for your domain. CAs are required to check CAA at issuance time, so without it any CA an attacker can trick or compromise can issue a certificate for your name. Add a record such as 0 issue "letsencrypt.org" for each CA you actually use, and 0 issuewild ";" to block wildcard certificates unless you explicitly need them; an iodef tag lets CAs report requests they rejected. CAA limits misissuance only: it does not revoke a certificate that was already issued.
MTA-STS lets you publish a policy (served over HTTPS at mta-sts.<yourdomain>, advertised by a _mta-sts TXT record) that supporting senders enforce: they must reach your MX hosts over TLS with a valid certificate, and in enforce mode they refuse to deliver otherwise. It does not force senders that ignore MTA-STS. DANE (DNS-based Authentication of Named Entities) goes further by binding the MX certificates to DNS with TLSA records, but it only works if your zone is DNSSEC-signed. Together they prevent downgrade and man-in-the-middle attacks on your inbound email. Start MTA-STS in testing mode and switch to enforce only once every MX host is covered by the policy, because a host that is missing from the policy stops receiving mail from enforcing senders.
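The missing-MX failure is the one to check before flipping mode to enforce. The following is an added example, not code from the page: it parses an MTA-STS policy file as laid out in RFC 8461, applies the RFC's wildcard matching rule, and reports every MX host the policy does not cover. The policy text, the MX list and the function names are constructed for the example.

```python
"""Lint an MTA-STS policy against the domain's MX hosts (offline).

Added example, not code from the page. A sender that honours MTA-STS
will refuse delivery in enforce mode when the MX it resolves does not
match an mx: line in the policy, so running this before switching from
testing to enforce catches the outage rather than the first bounce.
The policy text and MX list below are constructed samples.
"""

VALID_MODES = ("testing", "enforce", "none")
MAX_AGE_LIMIT = 31557600  # RFC 8461 s.3.2: max_age may not exceed one year


def parse_policy(text):
    """Parse the 'key: value' lines of an MTA-STS policy file; mx: may repeat."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        else:
            policy[key] = value
    return policy


def mx_allowed(pattern, host):
    """RFC 8461 matching: exact host, or a '*.' wildcard covering exactly one leading label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".backup-mx.example.net"
        return host.endswith(suffix) and len(host) > len(suffix) and "." not in host[: -len(suffix)]
    return host == pattern


def lint_policy(text, mx_hosts):
    """Findings for a policy; an empty list means it is safe to serve as mode: enforce."""
    policy = parse_policy(text)
    findings = []
    if policy.get("version") != "STSv1":
        findings.append("version must be STSv1")
    mode = policy.get("mode")
    if mode not in VALID_MODES:
        findings.append("mode must be testing, enforce or none")
    max_age = policy.get("max_age", "")
    if not max_age.isdigit() or int(max_age) > MAX_AGE_LIMIT:
        findings.append("max_age must be an integer number of seconds up to 31557600")
    if mode != "none" and not policy["mx"]:
        findings.append("no mx: lines: every inbound MX will fail the policy")
    for host in mx_hosts:
        if not any(mx_allowed(pattern, host) for pattern in policy["mx"]):
            effect = "senders will refuse delivery" if mode == "enforce" else "would fail in enforce mode"
            findings.append(f"MX {host.rstrip('.')} not covered by any mx: line; {effect}")
    return findings


# Constructed sample: mail2 was added to DNS but never to the policy.
POLICY_BEFORE = """version: STSv1
mode: enforce
mx: mail1.example.com
mx: *.backup-mx.example.net
max_age: 604800
"""
POLICY_AFTER = POLICY_BEFORE.replace("mx: mail1.example.com\n", "mx: mail1.example.com\nmx: mail2.example.com\n")
MX_HOSTS = ["mail1.example.com.", "mail2.example.com.", "eu.backup-mx.example.net."]


if __name__ == "__main__":
    print(lint_policy(POLICY_BEFORE, MX_HOSTS))
    print(lint_policy(POLICY_AFTER, MX_HOSTS))
```

Feed it the policy file you serve at /.well-known/mta-sts.txt and the MX hostnames from dig; the "before" sample flags mail2.example.com, the "after" sample is clean. Note the wildcard rule: *.backup-mx.example.net matches eu.backup-mx.example.net but not a.eu.backup-mx.example.net, which is a common surprise when MX hosts sit two labels deep.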
BIMI displays your brand logo in Gmail and other clients that support it, increasing visual trust for recipients. It requires DMARC at p=quarantine or p=reject with pct=100, a Verified Mark Certificate (VMC) from DigiCert or Entrust, the logo as an SVG Tiny PS file served over HTTPS, and a TXT record at default._bimi.<yourdomain> of the form v=BIMI1; l=<logo URL>; a=<VMC URL>.
HTTP Public Key Pinning (HPKP) is deprecated and has been removed from browsers; do not deploy it. The modern replacement is Subresource Integrity (SRI) hashes for third-party CSS/JS combined with a strong Content Security Policy. Have CSP violation reports sent to a collector such as report-uri.com through the report-uri directive (or the newer report-to directive backed by a Reporting-Endpoints header); they are invaluable for detecting injection attacks early.
Speed is critical. Every hour of downtime means lost revenue, damaged relationships, and compromised email delivery. Keep this playbook saved offline (since your domain's email may be the attack target):
| Minute | Action | Contact |
|---|---|---|
| 0–15 | Confirm the hijack via WHOIS/RDAP, DNS lookups from an outside resolver, and the registrar panel. Screenshot everything for evidence. | Team leads |
| 15–30 | Call registrar's abuse/security line (not general support). Request an emergency hold on the domain. | Registrar abuse team |
| 30–60 | Open a transfer dispute with the losing registrar under ICANN's Transfer Dispute Resolution Policy (TDRP) and file an ICANN Compliance complaint; UDRP is a slower fallback aimed at bad-faith registrations. Contact hosting and CDN to take defensive action. | Legal counsel |
| 1–4 hours | Notify customers via alternate channels (social, SMS, backup email). Deploy status page. | Communications lead |
| 4–24 hours | Work with registrar and registry on transfer reversal. Document all communications. | Legal + Registrar |
| Post-recovery | Full security audit. Enable all locks missed during initial setup. Rotate all credentials. | Security team |
Key pre-work: Save your registrar's abuse phone number in your team's emergency contacts. Save a zone file export. Create a rollback runbook before you need it.
Manual checks aren't enough for mission-critical domains. These tools provide continuous monitoring and alerting:
Names.Center delivers premium domains with registry lock, DNSSEC, DMARC, SSL, and a rollback plan so you launch without risk.
Editor's picks for domain investors and web entrepreneurs
DotCom Secrets
By Russell Brunson. The underground playbook for growing your company online.
Building a StoryBrand
By Donald Miller. Clarify your message so customers will listen.
Zero to One
By Peter Thiel. Notes on startups, or how to build the future.
As an Amazon Associate, we may earn from qualifying purchases. This does not affect our editorial recommendations.