Domain Security


One of the most important parts of your business's digital strategy is an online domain. Having a domain for your business unlocks a new level of professionalism that impresses current and potential clients. You can send and receive email at your-name@example.com. You can host your marketing website at https://example.com and a web store at https://store.example.com, and reach your CRM, ERP, and other business applications at https://admin.example.com/crm or any name you like. But setting all of this up is a highly technical task for a business owner or manager. There are a few options that can help, which we'll explore, and we'll also explain the technical process so you can do it all yourself if you're so inclined.

Background

A domain relies on the Domain Name System (DNS). In a very simplified version, every phone and computer gets an IP address, and DNS is the internet's version of the phone book's white pages: instead of memorizing a bunch of numbers, we use domain names that point to those numbers. This is also convenient when IP addresses change, because a visitor using the name won't end up dialing the wrong number.

Securing a domain

The first thing to decide on is the top-level domain (TLD). Most businesses use .com, but many others are available. Some are region- or country-specific, and businesses need to be extremely careful when using a non-standard TLD for vanity purposes. You might even choose multiple TLDs, especially if you do or plan to do business in multiple countries. These extra domains should redirect to the appropriate website, possibly carrying language or region settings.

You'll need to check the availability of each domain. If it's already registered to someone else and you need it, you'll have to buy it from them. Domain names are digital real estate, and the good ones can be expensive; hopefully you can find one that isn't prohibitively so. Then you can purchase them from a registrar. The instructions differ for each registrar.

Next you'll need NS records. These tell the world which servers hold the authoritative answers for your domain's DNS records. When you buy a domain from a registrar, they usually create NS records pointing at their own DNS servers, but you can change them to point at any servers running a DNS service where you can create records.

You have a domain (or several) now. Time to get email. You can buy mailboxes from Google, Microsoft, or a private email vendor. Sometimes your domain registrar also offers them, and they'll usually make that clear while you're purchasing. After you buy, they'll give you instructions for the DNS records you need to create before mail for your domain actually works: MX and TXT records, to be specific. The TXT record is for SPF, which tells the world's mail servers which servers are allowed to send email on behalf of your domain. Side note: please don't try to run your own email server until you've learned enough about running one. Once you have, you'll understand why it's a much better idea not to.

You have your very own business email now! But at this point your messages may still go straight to spam, because SPF, DKIM, and DMARC aren't fully set up yet. SPF is a TXT record listing the domain names and/or IP addresses of the servers allowed to send mail on behalf of your domain. DKIM comes from your email provider: the provider holds a private key that signs the mail you send, and the DKIM DNS record publishes the matching public key, which the recipient's mail server uses to verify that the message really came from the domain it claims. DMARC is a third TXT record that specifies a policy for what the recipient should do with messages that don't properly pass these checks.
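To make the SPF and DMARC parts concrete, here is a small checker that parses the two TXT values and flags the settings that commonly leave a domain spoofable. This is an added example, not code from the original post or from any email provider; the records in RECORDS are constructed for the demonstration and do not belong to a real domain, and DKIM is left out because its public key is provider-generated rather than something you write by hand.

```python
"""Parse SPF and DMARC TXT records and flag weak settings (added example)."""
import re

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

RECORDS = {  # constructed sample zone data, not real DNS answers
    "example.com": "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
}


def parse_spf(txt):
    """Return (terms, warnings) for an SPF value such as
    'v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all'."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        return [], ["not an SPF record (must start with v=spf1)"]
    terms, warnings, lookups = parts[1:], [], 0
    for term in terms:
        # Strip the qualifier (+ - ~ ?) and any ':value', '=value' or '/cidr' suffix.
        name = re.sub(r"^[+\-~?]", "", term)
        name = name.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        warnings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    last = terms[-1].lower() if terms else ""
    if last in ("+all", "all"):
        warnings.append("'+all' lets any server send as this domain")
    elif last == "?all":
        warnings.append("'?all' is neutral; unauthorised senders are not penalised")
    elif last == "~all":
        warnings.append("'~all' is softfail; consider '-all' once all senders are listed")
    elif last != "-all" and not any(t.lower().startswith("redirect=") for t in terms):
        warnings.append("no terminal 'all' mechanism")
    return terms, warnings


def parse_dmarc(txt):
    """Return (tags, warnings) for a DMARC value such as
    'v=DMARC1; p=reject; rua=mailto:dmarc@example.com'."""
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return tags, ["not a DMARC record (must start with v=DMARC1)"]
    warnings = []
    policy = tags.get("p")
    if policy is None:
        warnings.append("missing required 'p' tag")
    elif policy == "none":
        warnings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        warnings.append("p=quarantine sends failures to spam; p=reject blocks them")
    if "rua" not in tags:
        warnings.append("no 'rua' address, so you will receive no aggregate reports")
    pct = tags.get("pct", "100")
    if pct != "100":
        warnings.append(f"pct={pct} applies the policy to only part of the mail")
    return tags, warnings


def audit(records):
    """Run the matching parser over each TXT value and return name -> warnings."""
    report = {}
    for name, txt in records.items():
        parser = parse_spf if txt.lower().startswith("v=spf1") else parse_dmarc
        report[name] = parser(txt)[1]
    return report


if __name__ == "__main__":
    for name, warnings in audit(RECORDS).items():
        print(name, "->", warnings or ["ok"])
```

Run it as-is to see the two warnings the sample records produce (softfail SPF and a monitor-only DMARC policy); point RECORDS at your own TXT values to audit them.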

The next step in domain security is DNSSEC. This adds cryptographic signatures to your DNS records so that resolvers can verify that answers for your domain are genuine and haven't been spoofed. You create a key known as the Key-Signing Key (KSK) and register it with your domain registrar. Again, the instructions vary greatly from provider to provider.
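What the registrar actually receives for the KSK is a DS record: the key's tag, algorithm number, and a SHA-256 digest of the owner name plus the DNSKEY data. The block below derives that record, following the key-tag computation in RFC 4034 Appendix B and the SHA-256 DS digest of RFC 4509. It is an added example, not code from the post or from any registrar, and the four public-key bytes are a constructed placeholder rather than a real key.

```python
"""Derive the DS record a registrar needs from a DNSKEY (added example)."""
import hashlib
import struct

# Constructed placeholder key material; a real ECDSA P-256 key is 64 bytes.
SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM = 257, 3, 13  # KSK, DNSSEC, ECDSAP256SHA256
SAMPLE_PUBLIC_KEY = b"\x01\x02\x03\x04"


def name_to_wire(name):
    """Encode 'example.com' as DNS wire format: length-prefixed labels, then root."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def is_key_signing_key(flags):
    """A KSK has the Zone Key bit (256) and the Secure Entry Point bit (1) set."""
    return flags & 0x101 == 0x101


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B: 16-bit sum over the RDATA, high byte first."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, rdata, algorithm):
    """Presentation-format DS line: owner, key tag, algorithm, digest type 2, SHA-256 hex."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner}. IN DS {key_tag(rdata)} {algorithm} 2 {digest}"


def sample_ds():
    """Build the DS record for the constructed sample KSK of example.com."""
    rdata = dnskey_rdata(SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBLIC_KEY)
    return ds_record("example.com", rdata, SAMPLE_ALGORITHM)


if __name__ == "__main__":
    print(sample_ds())
```

The digest is computed over the wire-format owner name, so the same key produces a different DS for a different domain; that is why the registrar-side record must be regenerated if you move the key to another zone.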

Now you need to set up A (IPv4) and AAAA (IPv6) records for your web applications. For the domain example.com these are names like name.example.com, and of course you can also create them for the bare example.com website.

The final step in domain security is SSL/TLS. When computers talk to each other, the server should have an SSL/TLS certificate and private key, and the certificate must be signed by a root certificate the client trusts. Providers sell certificates, but Let's Encrypt runs a service that issues trusted certificates for free, so there is really no reason to buy one anymore. You can (and should) also create CAA records in DNS to restrict which certificate authorities may issue certificates for your domain.
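CAA only works because every public CA evaluates it the same way before issuing: climb from the requested name toward the root until a CAA record set is found, then check whether the CA is listed under issue (or issuewild for a wildcard certificate). The following is an added example that walks through that RFC 8659 logic against constructed sample records; it is not code from the post or from Let's Encrypt, and the CA identifiers other than letsencrypt.org are hypothetical placeholders.

```python
"""Evaluate CAA records the way a CA does before issuing (added example, RFC 8659)."""

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # Issuer Critical flag bit

CAA_ZONE = {  # constructed: owner name -> list of (flags, tag, value)
    "example.com": [
        (0, "issue", "letsencrypt.org"),             # only this CA may issue
        (0, "issuewild", ";"),                       # empty domain: no wildcard certs
        (0, "iodef", "mailto:security@example.com"),  # where CAs report violations
    ],
    "legacy.example.com": [(0, "issue", "ca.example")],  # hypothetical CA name
    "example.net": [(CRITICAL, "newtag", "x")],          # unknown critical tag
}


def relevant_caa(zone, name):
    """Climb from name toward the root; return (owner, records) of the first
    CAA record set found, or (None, []) if no ancestor has one."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []


def issuance_allowed(zone, name, ca, wildcard=False):
    """Return (allowed, reason) for CA `ca` issuing for `name`
    (or for *.name when wildcard=True)."""
    owner, records = relevant_caa(zone, name)
    if not records:
        return True, "no CAA records found; any CA may issue"
    # A CA must refuse if it meets a critical tag it does not understand.
    for flags, tag, _ in records:
        if flags & CRITICAL and tag not in KNOWN_TAGS:
            return False, f"unknown critical tag '{tag}' at {owner}"
    tag = "issuewild" if wildcard else "issue"
    entries = [v for _, t, v in records if t == tag]
    if wildcard and not entries:  # no issuewild: the issue tag governs wildcards too
        entries = [v for _, t, v in records if t == "issue"]
    if not entries:
        return True, f"no {tag} tag at {owner}; any CA may issue"
    for value in entries:
        # Value is '<ca-domain>[; parameters]'; an empty domain authorises nobody.
        if value.split(";", 1)[0].strip().lower() == ca.lower():
            return True, f"{ca} is permitted by {tag} at {owner}"
    return False, f"{ca} is not listed in {tag} at {owner}"


if __name__ == "__main__":
    checks = [("www.example.com", "letsencrypt.org", False),
              ("www.example.com", "ca.example", False),
              ("example.com", "letsencrypt.org", True),
              ("legacy.example.com", "letsencrypt.org", False)]
    for host, ca, wild in checks:
        print(host, ca, "wildcard" if wild else "", issuance_allowed(CAA_ZONE, host, ca, wild))
```

Note the inheritance behaviour: www.example.com has no records of its own, so the example.com policy applies, while legacy.example.com overrides it with its own issue tag. That is why a CAA record at the apex covers every hostname you have not deliberately given a different policy.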

Problems

One major problem is that instructions and procedures differ across vendors; it can be hard even to find the correct instructions. Done incorrectly, the setup might send all of your email to spam or get it rejected outright, or you might expose an SSL private key, allowing attackers to intercept what would normally be secure communications.

Conclusion

As explained, domain security is highly technical. There are many steps, and you may need to work with multiple vendors; even with a single vendor you will have to configure some settings manually, and just finding the correct guide can be hard. But the importance of domain security cannot be overstated. Done right, it helps prevent phishing attacks against your employees, stops bad actors from spoofing your websites, and lets your emails land in the inbox where people see them rather than in spam.
