Your domain is not just the address on your business card.
It controls your website, your email, your analytics, your ads, your CRM forms, your calendar booking links, your online reviews, and every quote request that lands in your inbox. If it breaks, the business feels it fast.
That is why domain security deserves its own checklist. Not a vague “make sure DNS is good” note. A real operating document that a business owner, web team, IT vendor, or agency can use before a redesign, migration, email platform change, or ownership handoff.
The risk is not theoretical. APWG recorded 1,130,393 phishing attacks in Q2 2025, up from 1,003,924 in Q1 2025. Verizon’s 2025 DBIR found compromised credentials were an initial access vector in 22% of breaches. And email providers have tightened authentication requirements, with Google requiring bulk senders to authenticate mail, keep spam rates under 0.3%, and support one-click unsubscribe.
For a small business, the boring domain details are often where the expensive failures start.
Use this checklist before anything changes
Run this checklist before you launch a new site, move hosting, change email platforms, hire a new agency, switch CRMs, clean up old marketing tools, buy a business, or give anyone access to DNS.
The goal is simple: keep ownership clear, reduce spoofing risk, protect lead flow, and make sure nobody has to reverse-engineer your setup during an outage.
1. Confirm who owns the registrar account
Start at the registrar, not the website builder.
The registrar is where the domain is registered. If you lose access there, you can lose control of the entire stack. Use ICANN Lookup to identify the registrar for the domain, then confirm the business has direct access to that account.
Do not leave the domain inside an old freelancer’s GoDaddy account, an employee’s personal email, or a web agency account with no written handoff path. Domain ownership should sit with the business, under a company-controlled email address.
A good setup has the domain registered to the business, recovery email controlled by the business, billing paid by the business, and at least two authorized internal contacts who know where access lives.
2. Turn on registrar lock and account MFA
Most registrars support a domain lock that helps prevent unauthorized transfers. Turn it on unless you are actively moving the domain.
Also require multi-factor authentication on the registrar account. This matters because credential abuse remains one of the most common ways attackers get into organizations. A stolen registrar password is not like a stolen social media password. It can put your website, email, and brand identity at risk in one shot.
Use an authenticator app or hardware key where possible. SMS is better than nothing, but app-based or hardware-backed MFA is stronger.
3. Document every DNS record before making changes
Before a redesign or hosting move, export or screenshot the full DNS zone.
You want a record of A, AAAA, CNAME, MX, TXT, SRV, CAA, and any verification records used by tools like Google Search Console, Google Workspace, Microsoft 365, HubSpot, Mailchimp, Stripe, Calendly, Meta, LinkedIn, and CRMs.
DNS is easy to break because records often look disposable. That random TXT record might be proving domain ownership for Search Console. That CNAME might be routing a proposal portal. That MX record might be the only thing standing between normal email and a full-day outage.
For each record, document what it does, who requested it, when it was added, and whether it is still needed.
4. Keep DNS access separate from website editing access
A staff member may need to edit landing page copy. They probably do not need DNS access.
Separate permissions reduce blast radius. If a CMS login gets compromised, the attacker should not also be able to reroute the domain. If an agency is building a new site, they may need a CNAME or A record change, but that does not mean they need permanent registrar admin rights.
Create a simple access rule: website editors get CMS access, developers get hosting access when needed, and DNS changes go through one named owner with a backup approver.
5. Verify SPF for every platform that sends email
SPF tells receiving mail servers which systems are allowed to send mail for your domain. CISA lists SPF, DKIM, and DMARC as email authentication countermeasures, and Google now expects authentication from senders that want reliable Gmail delivery.
Check every platform that sends as your domain: Google Workspace, Microsoft 365, website forms, CRM sequences, newsletter tools, invoicing software, ecommerce receipts, review request tools, and proposal systems.
The common mistake is letting vendors stack SPF includes until the record becomes messy or invalid. SPF also has a DNS lookup limit, so old tools should be removed instead of left in place forever.
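The lookup limit is the part of this step that usually goes wrong, so here is a small checker for it. This is an added example, not code from the article: it walks a domain's SPF record through its include: and redirect= targets and counts the mechanisms RFC 7208 charges a DNS lookup for (include, a, mx, ptr, exists, redirect). More than 10 gives permerror at the receiver, and so does an include that points at a domain whose SPF record no longer exists, which is exactly what a cancelled vendor leaves behind. The TXT answers are a constructed in-memory table so it runs offline; every name under example.com, example.net and example.org is a placeholder.

```python
"""
Added example (not from the article): count the DNS lookups an SPF record
triggers. RFC 7208 caps include, a, mx, ptr, exists and redirect at 10 per
evaluation; a record that exceeds the cap, or that includes a domain with no
SPF record, returns permerror at the receiver, and DMARC treats that as a
failed SPF check. All TXT answers below are a constructed offline table.
"""

# Constructed TXT answers keyed by DNS name; none of these are real records.
FAKE_TXT = {
    "example.com": [
        "v=spf1 include:_spf.mailhost.example.net include:spf.crm.example.org "
        "include:spf.newsletter.example.org include:spf.invoicing.example.org "
        "include:spf.oldtool.example.org a mx -all"
    ],
    "_spf.mailhost.example.net": [
        "v=spf1 include:_netblocks1.mailhost.example.net "
        "include:_netblocks2.mailhost.example.net ~all"
    ],
    "_netblocks1.mailhost.example.net": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_netblocks2.mailhost.example.net": ["v=spf1 ip6:2001:db8:1::/48 ~all"],
    "spf.crm.example.org": ["v=spf1 include:_spf.backend.crm.example.org ~all"],
    "_spf.backend.crm.example.org": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "spf.newsletter.example.org": ["v=spf1 ip4:192.0.2.0/24 ?all"],
    "spf.invoicing.example.org": ["v=spf1 mx ~all"],
    # spf.oldtool.example.org: vendor cancelled, record gone, include still present.
}

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LOOKUP_LIMIT = 10


def get_spf(name, txt_table):
    """RFC 7208 requires exactly one v=spf1 record; anything else is an error."""
    recs = [t for t in txt_table.get(name, []) if t.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def _walk(domain, txt_table, acc, depth):
    record = get_spf(domain, txt_table)
    if record is None:
        acc["problems"].append(f"{domain}: no single v=spf1 record (receivers return permerror)")
        return
    acc["visited"].append(domain)
    if depth > LOOKUP_LIMIT:
        acc["problems"].append(f"{domain}: include chain deeper than {LOOKUP_LIMIT}, possible loop")
        return
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier; it does not change lookup cost
        if term.lower().startswith("redirect="):
            acc["lookups"] += 1
            _walk(term.split("=", 1)[1], txt_table, acc, depth + 1)
            continue
        mechanism, _, target = term.partition(":")
        mechanism = mechanism.split("/")[0].lower()  # 'a/24' -> 'a'
        if mechanism in LOOKUP_MECHANISMS:
            acc["lookups"] += 1
            if mechanism == "ptr":
                acc["problems"].append(f"{domain}: ptr is deprecated and slow; replace it")
            if mechanism == "include":
                _walk(target.split("/")[0], txt_table, acc, depth + 1)


def audit_spf(domain, txt_table):
    """Return total lookup count, visited domains and a list of problems (empty means healthy)."""
    acc = {"lookups": 0, "visited": [], "problems": []}
    _walk(domain, txt_table, acc, 0)
    if acc["lookups"] > LOOKUP_LIMIT:
        acc["problems"].append(
            f"{domain}: {acc['lookups']} DNS lookups exceeds the limit of {LOOKUP_LIMIT}")
    return acc


def drop_include(txt_table, domain, stale_include):
    """Copy of the table with one include removed from domain's record: the cleanup step."""
    fixed = dict(txt_table)
    fixed[domain] = [r.replace(f" include:{stale_include}", "") for r in txt_table[domain]]
    return fixed


if __name__ == "__main__":
    before = audit_spf("example.com", FAKE_TXT)
    print(before["lookups"], before["problems"])
    after = audit_spf("example.com", drop_include(FAKE_TXT, "example.com", "spf.oldtool.example.org"))
    print(after["lookups"], after["problems"])
```

On the sample data the record costs 11 lookups and carries a dead include, so it fails twice; removing the retired tool's include brings it to exactly 10 with no problems. To run it against a live zone, replace the FAKE_TXT lookups with real TXT queries and keep the counting logic as is.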
6. Turn on DKIM for mail and marketing platforms
DKIM adds a cryptographic signature that helps prove a message was authorized by the sending domain. Most business email platforms and email marketing tools provide DKIM records, but many small businesses never add them.
Google’s sender guidance says senders should set up SPF or DKIM, and bulk senders need stronger alignment requirements for mail to pass cleanly through Gmail’s filters. Google’s email sender guidelines spell out these authentication expectations.
If your newsletter tool, CRM, or proposal software sends email from your domain, look for a DKIM setup screen and add the DNS records before you send campaigns.
7. Publish DMARC, then move past monitoring-only
DMARC tells receiving servers what to do when a message fails authentication. It can monitor, quarantine, or reject unauthenticated mail.
Start with monitoring if you need visibility, but do not mistake p=none for protection. CISA says a DMARC policy of reject provides the strongest protection against spoofed email. That does not mean every small business should jump to reject on day one. It does mean the goal should be clear: identify legitimate senders, fix alignment, then tighten the policy.
This is becoming a competitive trust issue. EasyDMARC reported that DMARC adoption among top domains grew from 27.2% to 47.7% between 2023 and 2025. If your competitors are cleaning this up and you’re not, your email reputation can lag behind.
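Steps 6 and 7 both come down to reading tag=value records out of DNS and understanding what they promise, so one added example serves both. This is not the article's code: it parses a DKIM selector record and a DMARC record, classifies each selector as ok, testing, revoked or missing, reports the effective DMARC policy with the gaps that keep it from protecting the domain (p=none, a weaker sp=, pct below 100, no rua= address), and suggests the next tightening step. The records are constructed; selectors and addresses under example.com are placeholders and the p= key material is a dummy string.

```python
"""
Added example (not from the article): read the tag=value records that DKIM
selectors and DMARC publish in DNS and report what each one actually
promises. Records are constructed; names under example.com are placeholders.
"""

FAKE_TXT = {
    "mail._domainkey.example.com": ["v=DKIM1; k=rsa; p=EXAMPLE_PUBLIC_KEY_BASE64"],
    "news._domainkey.example.com": ["v=DKIM1; k=rsa; t=y; p=EXAMPLE_PUBLIC_KEY_BASE64"],
    "old._domainkey.example.com": ["v=DKIM1; k=rsa; p="],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

POLICY_ORDER = ["none", "quarantine", "reject"]


def parse_tags(record):
    """Split 'k=v; k2=v2' into a dict; the shape both DKIM (RFC 6376) and DMARC (RFC 7489) use."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dkim(selector, domain, txt_table):
    """Classify a selector as missing, revoked, testing, warn or ok."""
    name = f"{selector}._domainkey.{domain}"
    records = txt_table.get(name, [])
    if not records:
        return {"name": name, "status": "missing",
                "notes": ["no TXT record: mail signed with this selector cannot verify"]}
    tags = parse_tags(records[0])
    if tags.get("p", "") == "":
        return {"name": name, "status": "revoked",
                "notes": ["empty p= means the key was revoked; stop signing with it"]}
    notes = []
    if tags.get("v", "DKIM1") != "DKIM1":
        notes.append("v= is not DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        notes.append(f"unexpected key type {tags['k']}")
    testing = "y" in tags.get("t", "").split(":")
    if testing:
        notes.append("t=y testing flag: receivers may ignore failures, so nothing is enforced")
    status = "testing" if testing else ("warn" if notes else "ok")
    return {"name": name, "status": status, "notes": notes}


def check_dmarc(domain, txt_table):
    """Report the effective DMARC policy and the gaps that keep it from protecting the domain."""
    name = f"_dmarc.{domain}"
    records = [r for r in txt_table.get(name, []) if r.strip().lower().startswith("v=dmarc1")]
    if len(records) != 1:
        return {"name": name, "policy": None, "status": "missing",
                "notes": [f"exactly one v=DMARC1 record is required; found {len(records)}"]}
    tags = parse_tags(records[0])
    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    notes = []
    if policy not in POLICY_ORDER:
        notes.append(f"p={policy} is not a valid policy")
        policy = "none"
    if policy == "none":
        notes.append("p=none only reports; spoofed mail is still delivered")
    if sub_policy in POLICY_ORDER and POLICY_ORDER.index(sub_policy) < POLICY_ORDER.index(policy):
        notes.append(f"sp={sub_policy} leaves subdomains weaker than the main domain")
    if pct < 100:
        notes.append(f"pct={pct}: only that share of failing mail gets the policy applied")
    if "rua" not in tags:
        notes.append("no rua= address: no aggregate reports, so no visibility into senders")
    status = "monitoring" if policy == "none" else "enforcing"
    return {"name": name, "policy": policy, "sp": sub_policy, "pct": pct,
            "status": status, "notes": notes}


def next_step(dmarc_report):
    """The tightening path the checklist describes: visibility, then quarantine, then reject."""
    if dmarc_report["status"] == "missing":
        return "publish v=DMARC1; p=none with a rua= address to start collecting reports"
    if dmarc_report["policy"] == "none":
        return "review reports, add SPF/DKIM for every legitimate sender, then move to p=quarantine"
    if dmarc_report["pct"] < 100:
        return "raise pct to 100 so the policy applies to all failing mail"
    if dmarc_report["policy"] == "quarantine":
        return "move to p=reject once no legitimate mail is being quarantined"
    return "hold at p=reject, keep sp= at least as strict, and keep reading the reports"
```

Run check_dkim for every selector your mail and marketing tools told you to publish, not just the main mailbox provider's; the "testing" and "revoked" states are the ones that quietly undermine a DMARC rollout because the signature exists but does not count.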
8. Protect the root domain and common subdomains
Most small businesses only think about www and the root domain. Attackers, broken vendors, and old projects love the forgotten stuff.
Check common subdomains like mail, app, crm, go, offers, quote, shop, support, portal, cdn, blog, staging, and dev. If a subdomain points to a service you no longer use, remove it. If it points to an unclaimed third-party service, fix it immediately.
Subdomain takeover is a real risk when DNS records point to abandoned cloud services. The safe habit is simple: if a tool is retired, remove the DNS record during the same cleanup.
9. Use HTTPS everywhere and redirect HTTP cleanly
HTTPS is now table stakes. W3Techs tracks HTTPS as the default protocol across websites, and visitors expect the lock icon even if they do not understand certificates.
Make sure every public version resolves correctly: http://example.com, http://www.example.com, https://example.com, and https://www.example.com. Pick one canonical version, then redirect the others to it in one hop.
Do not allow mixed versions to compete. That can dilute analytics, create duplicate URLs, confuse crawlers, and make old links behave unpredictably.
10. Add CAA records for certificate control
CAA records tell certificate authorities which providers are allowed to issue SSL certificates for your domain. They are not required for every small business site, but they are a useful guardrail when you want tighter control.
If your hosting provider uses Let’s Encrypt, your CAA record should allow Let’s Encrypt. If you use another certificate authority, document that choice. The point is not to add records blindly. The point is to know who can issue certificates for the domain and why.
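The "know who can issue and why" part is easiest to see with the actual decision a certificate authority makes. The following is an added example, not the article's code: it applies the RFC 8659 CAA rules to a constructed set of records, including the two cases that tend to surprise people during a host change, a subdomain carrying its own CAA set that overrides the parent's, and a wildcard request being judged by issuewild when one exists. The CA identifiers are the public values those CAs publish for CAA matching; everything under example.com is a placeholder.

```python
"""
Added example (not from the article): decide whether a certificate authority
may issue for a name under the CAA rules of RFC 8659. The CAA table is
constructed; the issuer domains are public CA identifiers used only as
values to match against.
"""

# Constructed CAA sets: name -> list of (flags, tag, value).
FAKE_CAA = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),                    # nobody may issue wildcard certificates
        (0, "iodef", "mailto:security@example.com"),
    ],
    "shop.example.com": [
        (0, "issue", "digicert.com; validationmethods=dns-01"),  # old storefront vendor's CA
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def find_caa_set(name, caa_table):
    """Climb from name toward the root and return the first CAA set found (RFC 8659 section 3)."""
    labels = name.lstrip("*.").rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in caa_table:
            return candidate, caa_table[candidate]
    return None, []


def _issuer_domain(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(name, issuer, caa_table, wildcard=False):
    """Return (allowed, reason) for the CA identified by issuer wanting to issue for name."""
    owner, rrset = find_caa_set(name, caa_table)
    if not rrset:
        return True, f"no CAA records for {name} or its parents: any CA may issue"
    # A critical (flag 128) property the CA does not understand forbids issuance outright.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False, f"{owner} has a critical CAA property this CA does not understand"
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    permitted = [_issuer_domain(v) for _, t, v in rrset if t == tag]
    if not permitted:
        return True, f"{owner} has CAA but no {tag} tag, so issuance is not restricted"
    if issuer.lower() in permitted:
        return True, f"{owner} permits {issuer} via {tag}"
    shown = [p or "<no issuer>" for p in permitted]
    return False, f"{owner} restricts {tag} to {shown}; {issuer} is blocked"


def caa_report(requests, caa_table):
    """Evaluate (name, issuer, wildcard) tuples; renewal fails wherever allowed is False."""
    return [(n, i, *issuance_allowed(n, i, caa_table, wildcard=w)) for n, i, w in requests]


if __name__ == "__main__":
    for row in caa_report([("www.example.com", "letsencrypt.org", False),
                           ("*.example.com", "letsencrypt.org", True),
                           ("shop.example.com", "letsencrypt.org", False)], FAKE_CAA):
        print(row)
```

The shop.example.com case is the one to remember: the main site moved to Let's Encrypt, but the subdomain still carries the old vendor's issue tag, so its next renewal fails even though the parent record looks right.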
11. Watch renewal dates for the domain and SSL
A domain expiration can take down the website and email. An SSL expiration can scare away visitors at the exact moment they’re ready to contact you.
Set domain auto-renewal, keep a valid payment method on file, and calendar the renewal date anyway. Do the same for SSL if your certificate is not fully automated through your host.
This is one of the cheapest risk reductions in web operations. There is no strategy lesson in losing leads because a credit card expired.
12. Clean up old verification records
Marketing tools leave DNS fingerprints everywhere.
Google, Meta, Pinterest, LinkedIn, Microsoft, CRMs, email platforms, landing page builders, and call tracking tools all use verification records. Some need to stay. Others were used once and forgotten.
Old verification records are not always dangerous, but they create confusion during audits and migrations. If nobody knows what a TXT record does, the team hesitates to remove it. That hesitation turns DNS into a junk drawer.
Review verification records twice a year. Keep the ones tied to active tools. Remove the rest after confirming the platform is no longer in use.
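Steps 3 and 12 both start from the same artifact, a full copy of the zone with a purpose next to every record, so one added example covers both. This is not the article's tooling: it parses a BIND-style zone export into an inventory with a purpose column, empty requested-by/added/still-needed columns to fill in during the review, a list of the TXT records nobody can explain, and a list of CNAMEs that point outside the zone (the ones to confirm a vendor target still exists before you keep them). The zone text is constructed; every name under example.com, example.net and example.org and every token is a placeholder.

```python
"""
Added example, not the article's own tooling: turn a BIND-style zone export
into a record inventory. The zone text is constructed; every name and token
in it is a placeholder.
"""
import csv
import io

SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@               IN  A     203.0.113.10
www             IN  CNAME example.com.
@               IN  MX    10 mail.example.com.
@               IN  TXT   "v=spf1 include:_spf.mailhost.example.net -all"
@               IN  TXT   "google-site-verification=EXAMPLE_TOKEN_1"
@               IN  TXT   "MS=ms00000000"
@               IN  TXT   "random-token-1234"            ; nobody remembers this one
_dmarc          IN  TXT   "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
mail._domainkey IN  TXT   "v=DKIM1; k=rsa; p=EXAMPLE_KEY"
crm             IN  CNAME crm-vendor.example.net.
staging   600   IN  A     203.0.113.99
@               IN  CAA   0 issue "letsencrypt.org"
"""

RECORD_TYPES = {"A", "AAAA", "CNAME", "MX", "TXT", "SRV", "CAA", "NS"}
UNKNOWN = "UNKNOWN: confirm the owner before the next migration, or remove"

# TXT prefixes that identify a record's job; add your own vendors as you confirm them.
KNOWN_TXT_PREFIXES = [
    ("v=spf1", "email: SPF sender list"),
    ("v=DMARC1", "email: DMARC policy"),
    ("v=DKIM1", "email: DKIM public key"),
    ("google-site-verification=", "verification: Google (Search Console / Workspace)"),
    ("MS=", "verification: Microsoft 365"),
    ("facebook-domain-verification=", "verification: Meta"),
]
TYPE_PURPOSE = {"A": "web/app host", "AAAA": "web/app host (IPv6)", "CNAME": "alias to another host",
                "MX": "email delivery", "CAA": "certificate issuance control",
                "SRV": "service location", "NS": "delegation"}


def _tokenize(line):
    """Split on whitespace, keep quoted strings whole (quotes removed), drop ';' comments."""
    tokens, buf, quoted = [], "", False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            break
        elif ch.isspace() and not quoted:
            if buf:
                tokens.append(buf)
            buf = ""
        else:
            buf += ch
    if buf:
        tokens.append(buf)
    return tokens


def _purpose(rtype, rdata):
    if rtype != "TXT":
        return TYPE_PURPOSE.get(rtype, UNKNOWN)
    return next((p for prefix, p in KNOWN_TXT_PREFIXES if rdata.startswith(prefix)), UNKNOWN)


def parse_zone(zone_text):
    """One inventory row per record: name, type, rdata, purpose, plus blank audit columns."""
    origin, last_name, rows = ".", "@", []
    for raw in zone_text.splitlines():
        tokens = _tokenize(raw)
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):
            continue
        idx = next((i for i, t in enumerate(tokens) if t in RECORD_TYPES), None)
        if idx is None:
            continue
        # Owner name may be omitted (inherits the previous line) or followed by TTL/class.
        owner = last_name if tokens[0] == "IN" or tokens[0].isdigit() else tokens[0]
        last_name = owner
        name = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        rtype, rdata = tokens[idx], " ".join(tokens[idx + 1:])
        rows.append({"name": name, "type": rtype, "rdata": rdata, "purpose": _purpose(rtype, rdata),
                     "requested_by": "", "added": "", "still_needed": ""})
    return rows


def unknown_records(rows):
    """Records nobody can explain: the ones that turn DNS into a junk drawer."""
    return [r for r in rows if r["purpose"] == UNKNOWN]


def third_party_cnames(rows, origin):
    """CNAMEs pointing outside the zone: confirm the vendor target still exists and is still used."""
    return [r for r in rows if r["type"] == "CNAME" and not r["rdata"].endswith(origin)]


def to_csv(rows):
    """The inventory as CSV, ready to paste into the handoff packet."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()
```

The unknown list is the twice-a-year review queue: each entry either gets a confirmed owner and purpose written into the row or gets removed after the platform is confirmed retired.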
13. Use a staging domain that cannot get indexed
Staging sites are useful. Public staging sites are risky.
A staging version can expose draft copy, old pricing, private pages, duplicate content, test forms, and plugin errors. If search engines index it, customers may land on the wrong version of your site.
Put staging behind a password, block indexing, and avoid using the main business domain for messy development work. If you need a staging subdomain, document who owns it and delete it after launch.
14. Audit redirects after redesigns and migrations
Redirects are part of domain security because they control where users and crawlers go.
After a redesign, check old service pages, campaign URLs, location pages, blog posts, PDF links, QR code destinations, and paid ad landing pages. A broken redirect is not just an SEO issue. It can waste ad spend, kill referral traffic, and make sales collateral unreliable.
Keep a redirect map in the project folder. Include the old URL, new URL, reason for the redirect, and date added.
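Step 9 (one canonical HTTPS version, reached in one hop) and step 14 (every old URL in the redirect map still lands where it should) are the same check run over two lists, so one added example covers both. This is not the article's code: it follows each start URL through a table of responses and flags anything that is not a single permanent hop to the expected destination, meaning chains, loops, temporary 302 redirects used for permanent moves, and dead ends. The response table stands in for live HTTP requests so it runs offline; both it and the redirect map are constructed, and all URLs are placeholders under example.com.

```python
"""
Added example (not from the article): audit host/scheme variants and a
redirect map against a table of HTTP responses. Responses and map are
constructed; replace the table lookup with real requests to use it live.
"""

CANONICAL = "https://www.example.com/"

# Constructed responses: url -> (status, Location header or None).
FAKE_RESPONSES = {
    "http://example.com/": (301, "https://example.com/"),      # two hops to canonical
    "https://example.com/": (301, "https://www.example.com/"),
    "http://www.example.com/": (301, "https://www.example.com/"),
    "https://www.example.com/": (200, None),
    "https://www.example.com/services/old-page": (302, "https://www.example.com/services/"),
    "https://www.example.com/services/": (200, None),
    "https://www.example.com/promo": (301, "https://www.example.com/promo2"),
    "https://www.example.com/promo2": (301, "https://www.example.com/promo"),
    "https://www.example.com/brochure.pdf": (404, None),
}

# Constructed redirect map in the shape the checklist recommends keeping in the project folder.
REDIRECT_MAP = [
    {"old": "https://www.example.com/services/old-page", "new": "https://www.example.com/services/",
     "reason": "service page renamed in redesign", "added": "2025-01-15"},
    {"old": "https://www.example.com/promo", "new": "https://www.example.com/promo2",
     "reason": "campaign URL moved", "added": "2025-02-01"},
    {"old": "https://www.example.com/brochure.pdf",
     "new": "https://www.example.com/resources/brochure.pdf",
     "reason": "PDF moved to resources folder", "added": "2025-03-10"},
]

REDIRECT_STATUSES = (301, 302, 307, 308)


def follow(url, responses, max_hops=10):
    """Return (final_url, hops, error); hops is the list of (status, from, to) taken."""
    hops, seen = [], set()
    while True:
        if url in seen:
            return url, hops, "redirect loop"
        seen.add(url)
        status, location = responses.get(url, (None, None))
        if status is None:
            return url, hops, "no response recorded"
        if status in REDIRECT_STATUSES and location:
            hops.append((status, url, location))
            if len(hops) > max_hops:
                return location, hops, "too many hops"
            url = location
            continue
        if status >= 400:
            return url, hops, f"HTTP {status}"
        return url, hops, None


def audit(start, expected, responses):
    """Problems with one redirect; an empty list means a clean single permanent hop."""
    final, hops, error = follow(start, responses)
    problems = []
    if error:
        problems.append(error)
    elif final != expected:
        problems.append(f"ends at {final}, expected {expected}")
    if len(hops) > 1:
        problems.append(f"{len(hops)} hops; collapse to one")
    if any(status in (302, 307) for status, _, _ in hops):
        problems.append("temporary redirect used for a permanent move; use 301 or 308")
    if not expected.startswith("https://"):
        problems.append("expected destination is not HTTPS")
    return problems


def audit_canonical(canonical, responses):
    """Check the other three scheme/host variants of the root reach the canonical URL in one hop."""
    host = canonical.split("://", 1)[1].rstrip("/")
    bare = host[4:] if host.startswith("www.") else host
    variants = [f"{scheme}://{h}/" for scheme in ("http", "https") for h in (bare, f"www.{bare}")]
    return {v: audit(v, canonical, responses) for v in variants if v != canonical}


def audit_map(redirect_map, responses):
    """Check every old URL in the redirect map still reaches its recorded new URL."""
    return {row["old"]: audit(row["old"], row["new"], responses) for row in redirect_map}


if __name__ == "__main__":
    for url, problems in {**audit_canonical(CANONICAL, FAKE_RESPONSES),
                          **audit_map(REDIRECT_MAP, FAKE_RESPONSES)}.items():
        print(url, problems or "ok")
```

In the sample data the bare http:// host takes two hops (http to https, then to www), the renamed service page uses a 302 that should be a 301, the campaign URLs loop, and the brochure PDF simply 404s even though the map says where it went; those are the four shapes a post-redesign audit keeps finding.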
15. Monitor DNS and uptime externally
Do not rely only on your hosting dashboard to tell you if the site is up.
Use outside monitoring for uptime, SSL expiration, DNS changes, and key form submissions. Even a simple monitor is better than discovering an outage when a customer calls. For lead generation sites, monitor the thank-you page or form workflow, not just the homepage.
If your website produces quote requests, calls, bookings, or ecommerce revenue, monitoring should be treated as a sales protection system.
16. Create a vendor handoff packet
A clean handoff packet prevents the usual blame cycle when something breaks.
Create one document with the registrar, DNS host, web host, email provider, CMS, form tool, CRM, analytics accounts, Search Console property, ad accounts, SSL setup, CDN, active redirects, key contacts, renewal dates, and emergency process.
This should not include raw passwords. Use a password manager for credentials. The handoff packet should explain what exists, who owns it, and how to request access.
17. Review access every quarter
People change roles. Agencies change. Vendors get replaced. Old accounts stay open.
Once a quarter, review who has access to the registrar, DNS host, hosting account, CMS, analytics, email platform, CRM, CDN, and password manager. Remove anyone who no longer needs access.
This is dull work, but it is exactly the work that prevents a small website issue from becoming a business interruption.
The domain security scorecard
Use this quick scoring model to prioritize fixes:
| Area | Good | Risky |
|---|---|---|
| Registrar ownership | Business-owned account with MFA | Vendor or former employee owns it |
| DNS records | Documented and reviewed | Unknown records nobody wants to touch |
| Email authentication | SPF, DKIM, and DMARC aligned | SPF only, or DMARC stuck at p=none forever |
| HTTPS | One canonical HTTPS version | Multiple versions, chains, or certificate warnings |
| Subdomains | Active, documented, monitored | Old tools and staging links still live |
| Monitoring | External uptime, SSL, DNS, and form checks | Waiting for customers to report problems |
| Handoff | Clear ownership packet | Access scattered across inboxes and vendors |
If you score risky in registrar ownership, DNS records, or email authentication, fix those first. They control the largest blast radius.
What to fix first if you only have one hour
If you are short on time, start here.
- Confirm the business owns the registrar account and MFA is on.
- Export the DNS zone and label every record you recognize.
- Check SPF, DKIM, and DMARC for the main email domain.
- Verify all domain versions redirect to one HTTPS canonical URL.
- Remove access for old vendors and former employees.
That one-hour pass will not make the domain perfect, but it will catch the problems most likely to hurt leads, email, or ownership.
FAQ
Who should own the business domain?
The business should own the domain directly. Agencies and IT vendors can help manage it, but the registrar account, billing, recovery email, and legal ownership should stay with the business.
Is DNS the same as hosting?
No. DNS tells traffic where to go. Hosting stores and serves the website. Email may be a third service. Many outages happen because teams confuse these layers during a migration.
Do small businesses really need DMARC?
Yes, especially if they send customer emails, quotes, invoices, newsletters, or CRM follow-ups from their domain. Google’s sender requirements now expect authentication from senders, and DMARC helps reduce direct domain spoofing when configured correctly.
How often should DNS be reviewed?
Review DNS before any website launch or vendor change, then at least twice a year. Also review it whenever you cancel a tool that previously connected to your domain.
Can Your Web Team help with this?
Yes. If you want a second set of eyes on your domain, DNS, website setup, email authentication, redirects, and lead flow, start here. We’ll help you find the weak spots before they cost you leads.
Richard Kastl
Founder & Lead Engineer
Richard Kastl has spent 14 years engineering websites that generate revenue. He combines expertise in web development, SEO, digital marketing, and conversion optimization to build sites that make the phone ring. His work has helped generate over $30M in pipeline for clients ranging from industrial manufacturers to SaaS companies.