Domain security best practices
Domain management can ensure a safe experience for your users and your organization. Take the following steps to manage your .gov domain securely.
Add a security email for public use
A security email allows the public to report observed or suspected security issues on your domain. Security issues could include notifications about compromised accounts, unsolicited email, routing problems, or potential vulnerabilities.
Sign in to the .gov registrar to add or update the security email for your .gov domain.
Security emails are made public
Security emails are made public in our published data and in the .gov WHOIS. WHOIS (pronounced “who is”) is a standard used by registrars to publish the contact and name server information for registered domains.
Managing a security email in your organization
The people who can access messages sent to a security email should be capable of evaluating or triaging security reports for your entire domain. We recommend:
- Using a team email address, not an individual’s email
- Using a common, even guessable name, like security@<domain.gov> to make it easier to report
- Adding the security email to your website and in other organizational communications so it’s easy for the public to know where to report issues
Develop a vulnerability disclosure policy
Consider having a vulnerability disclosure policy (VDP). A VDP outlines how your organization prefers to receive vulnerability reports, what you’ll do with them, the scope of systems covered by the policy, and legal authorization for those who follow the policy and report in good faith. Once complete, put your vulnerability disclosure policy online.
The Cybersecurity and Infrastructure Security Agency (CISA) released a directive to federal agencies that requires VDPs. The directive offers a comprehensive framework for how your organization could support a VDP.
Preload your domain
All newly registered .gov domains are “preloaded,” or added to the HSTS preload list. HSTS, or HTTP Strict Transport Security, is a simple standard that protects website visitors by:
- Ensuring their browsers always enforce an HTTPS connection
- Eliminating the ability to click through a certificate error
After a domain is on the preload list, modern web browsers will enforce HTTPS connections for all websites on the domain.
We intend to preload the .gov top-level domain. In the meantime, we recommend preloading .gov domains that haven’t yet been (a required action for federal agencies under the Federal Zero Trust Strategy).
Use DMARC to prevent email impersonation
It shouldn’t be easy to impersonate the government, but scammers can spoof your domain to send fake messages that appear to come from your organization. DMARC (Domain-based Message Authentication, Reporting and Conformance) makes it difficult for malicious actors to spoof your domain in email.
DMARC lets you tell mail servers what to do when they get a message from your domain, giving you tight control. Even for domains that don’t send email, establishing a strong DMARC policy protects your organization’s reputation and the public from falling for deceptive tactics.
Sign up for CISA’s Cyber Hygiene service
Cyber Hygiene is a free vulnerability scanning service offered by CISA. Cyber Hygiene helps you secure your internet-facing systems and adopt modern security best practices.
Visit CISA’s Cyber Hygiene page for more information.
Join free cybersecurity group
Join the free Multi-State Information Sharing and Analysis Center (MS-ISAC). CISA designated MS-ISAC as the key resource for cyber threat prevention, protection, response, and recovery for all U.S. state, local, tribal, and territorial governments. MS-ISAC helps ensure the resiliency of government systems through coordination, cooperation, and communication.