Modern domain registration
April 17, 2023
What is needed to set up a domain for a modern organization? Just buying a domain from a registrar is not enough.
You have to:
- Decide whether you will use your registrar for DNS record management or you will use a different DNS provider (e.g. Cloudflare or Microsoft).
- Select a hosting provider where your website code will be deployed. Or deploy it to your own servers.
- Of course, the website has to be developed as well but that’s out-of-scope for this post.
- Add a CNAME DNS record to point to the location of your website.
- Ensure that your hosting provider gives you an SSL certificate for your domain. Or generate/buy your own from a different provider and upload that to your hosting provider.
- Ensure that there is a redirect (on the hosting provider level) or CNAME record (on the DNS provider level) to automatically go from
www prefix was cool in 1999, but in 2023 even browsers hide it by default.
- Ensure that you redirect from port 80 to 443. Nobody wants to visit a website that does not show a lock icon in 2023.
- Does your DNS provider support DNSSEC? Domain hijacking is not a myth. You better enable DNSSEC. A couple of DNS records need to be added.
- The domain registrar stores information about you that is publicly visible. Things like your email address or physical address may appear in the records of public WHOIS databases that registrars are mandated to support. If it contains just official company data, then it’s probably OK. But quite often those records reflect private data of company owners. That’s not OK. On the other hand, many registrars support WHOIS information protection services. For an extra fee, of course.
- Then you have to select a mailing provider.
- Add MX records to point to your mailing provider.
- To fight spammers who pretend to send e-mails on your behalf, you have to add an SPF record that contains a list of allowed IP addresses from which you expect to send e-mails to your clients. Even though this record format may be a bit outdated, it is still widely supported.
- Additional protection can be achieved by adding a DKIM record with the public key of your mailing provider, so that receivers can verify the signatures on messages that you send.
- To get insights into DKIM alignment from the perspective of your e-mail receivers, you may also add a DMARC record that contains policy settings and the mailbox that will get reports from other mail servers.
- Those reports are quite technical, so you may want to sign up for a DMARC service that will analyze those reports for you. For an additional fee.
- Add a BIMI record that will contain the link to your brand logo. That may be used by mail clients and search engines to show your brand identity.
- For even better brand exposure, you may need to buy a Verified Mark Certificate (VMC) and add another entry in your DNS provider. That’s quite expensive.
TLS-RPT records to ensure that messages between your SMTP servers are encrypted.
- Planning to run ads? You may have to add several TXT records to verify domain ownership at different providers.
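The MX, SPF, DKIM and DMARC items from the checklist above can be checked mechanically once the records are published. The following is an added example, not code from the original post: it audits record sets held in a dictionary, and the domain `example.com`, the DKIM selector `s1` and every record value are constructed assumptions.

```python
# Added example. GOOD and WEAK are constructed zones; "example.com", the
# selector "s1" and all record values are assumptions, not data from the post.
GOOD = {
    ("example.com", "MX"): ["10 mx.example.com."],
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.10 -all"],
    ("s1._domainkey.example.com", "TXT"): ["v=DKIM1; k=rsa; p=PLACEHOLDERKEY"],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
}
WEAK = {
    ("example.com", "MX"): ["10 mx.example.com."],
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.10 +all"],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=none"],
}

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {tag.strip().lower(): value.strip() for tag, value in pairs}

def audit_mail(zone, domain, selector):
    """Return findings for the MX, SPF, DKIM and DMARC records of domain."""
    findings = []
    if not zone.get((domain, "MX")):
        findings.append("MX: no mail exchanger published")
    # SPF: receivers treat more than one v=spf1 record as an error.
    spf = [r for r in zone.get((domain, "TXT"), []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"SPF: expected exactly 1 record, found {len(spf)}")
    else:
        terms = spf[0].lower().split()[1:]
        if "all" in terms or "+all" in terms:
            findings.append("SPF: 'all' authorizes every sender")
        elif not {"-all", "~all"} & set(terms):
            findings.append("SPF: no '-all' or '~all' (redirect= is not followed here)")
    # DKIM: the public key lives at <selector>._domainkey.<domain>.
    dkim = zone.get((f"{selector}._domainkey.{domain}", "TXT"), [])
    if not dkim:
        findings.append("DKIM: no record for this selector")
    elif not parse_tags(dkim[0]).get("p"):
        findings.append("DKIM: empty p= tag, the key is revoked")
    # DMARC: policy and report mailbox live at _dmarc.<domain>.
    dmarc = [parse_tags(r) for r in zone.get((f"_dmarc.{domain}", "TXT"), [])]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected exactly 1 record, found {len(dmarc)}")
    else:
        if dmarc[0].get("p", "").lower() not in ("quarantine", "reject"):
            findings.append("DMARC: p= does not ask receivers to quarantine or reject")
        if "rua" not in dmarc[0]:
            findings.append("DMARC: no rua mailbox for aggregate reports")
    return findings
```

Calling `audit_mail(WEAK, "example.com", "s1")` returns four findings, while the `GOOD` zone returns none; to run it against a live domain, fill the dictionary from your resolver of choice.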
Did I forget anything?