An introduction to domain management

Understand how and why to manage your domain

What is domain management?

It should be easy to identify governments on the internet, and using a .gov top-level domain (TLD) shows that you’re official. The public shouldn’t have to guess whether the site they’re on or the email that hits their inbox is genuine.

A domain uniquely identifies areas on the internet, like websites or email services. For example, Digital.gov is a domain, consisting of 1) the second-level domain digital, and 2) the top-level domain .gov. Domain management is the process of overseeing and maintaining a domain or related domains so that they are consistent and safe.

Domain management and web hosting are often confused for one another. However, domain management is different from web hosting in the same way that a house is different from the street address that leads to it. A domain can be a name and a location. For example, Digital.gov. is the name of an organization, but the Digital.gov domain also serves as our web address on the internet. Web hosting, by contrast, happens only behind the scenes; as an online service, a web host provides the physical (“dedicated”) and/or virtual servers needed to publish a discoverable website on the internet.

Why is domain management important?

It’s important to make sure that domains are chosen and maintained well. Your domain name is one of the first lines of trust when it comes to interacting with your agency. If people navigating the internet can match the name of your domain with the name of your agency in such a way that the user can understand that they have found the correct place, that’s one step in establishing trust.

Managing domains is also key for security. People with malicious intent can register domain names that are similar to agency sites, and, as a result, can trick people into giving away their personal information, and more. For example, malicious actors have sought to impersonate election organizations.

When you use a .gov TLD, it increases security because the Cybersecurity and Infrastructure Security Agency (CISA) enforces multi-factor authentication on all accounts in the .gov registrar.

How to manage your domains well

Choose your domain name in a way that is consistent with your agency’s overall branding and marketing goals. Work with your communications or marketing department to select the most straightforward representation of your agency’s name.

Measure by using analytics tools to track how your domain names are performing in search engines and other online channels.

Protect your domain and your users by keeping domain registrations up-to-date and your Domain Name System (DNS) records accurate. You should also be monitoring your domain name to protect against similar but fraudulent domains. Encrypt all web traffic across your websites and “preload” all registered .gov or .mil domains as HTTPS-only for modern web browsers. Additionally, email authentication best practices make it difficult for malicious actors to successfully “spoof” (impersonate) your domain in email.

Simplify the user experience by maintaining as few domains and subdomains as possible. It can be tempting to add new domains for new projects, but keep in mind that more domains means more risk—and more to manage as your agency grows.

What can I do next?

Domain management is about more than just DNS. It’s also about ensuring a safe experience for your organization and your users. CISA provides several domain security best practices, including:

  • Add a security contact
  • Develop a vulnerability disclosure policy (VDP)

For example, having a security contact for .gov domains makes it easier for the public to tell you of a potential security issue with your online services. It is relatively easy to:

  1. Check CISA’s published domain data.
  2. In the Domain Name column, type in your domain to filter the data and display the record for your domain.
  3. Scroll right to confirm if an email for a security contact is listed.

Follow the instructions to update or add a security contact if needed.