Domain name management: five guiding principles


Elisa Cooper

Domain name management: five guiding principles

porcorex /

While there is no one ‘right way’ to manage domain name portfolios, domain professionals should consider these five guiding principles in determining what is best for their companies, says Elisa Cooper of Brandsight.

For years we’ve been talking about domain name best practices. But let’s be realistic, no single set of best practices can ever be applied uniformly to every company. If that were the case, domain name management would be a piece of cake, as opposed to something that most companies have struggled with over the last 20 years.

What is it about domain name management that makes it so challenging? For starters, much of managing a corporate domain name portfolio comes down to balancing the need for promotion against the need for protection. But every company’s tolerance for risk is different. And figuring out what to register defensively is more of an art than a science—no matter what anyone says.

Identifying domains no longer necessary has also been a challenge for most companies. Even after reviewing a domain name portfolio to uncover usage, traffic and value, getting the final sign-off to allow a $15 domain name to expire hardly seems worth it, especially when the risk of the domain being re-registered exists. And the potential savings typically pale in comparison to other IP maintenance fees for things such as patents and trademarks.

Ensuring that domains resolve to relevant content also poses challenges for domain name professionals. Where exactly should country code top-level domains (ccTLDs) point? And what about domains containing specific product names: should they point to the home page or a product page, should they take advantage of geo-location services, or should they point to a search page?

The challenges facing corporate domain name professionals are bespoke and as different from one another as the companies themselves, their respective cultures, and their perspectives on IP are.

Instead of thinking about best practices for domain name management (a static list of things that domain professionals must do), those responsible for managing domain name portfolios might instead consider these five guiding principles for domain name management in light of their own corporate objectives. These are principles for which every company, regardless of their tolerance for risk, portfolio size, or geographic coverage, should strive to achieve.

Principle #1: Secure domain names

Above all else, ensuring the security of domain name portfolios is essential and goes without saying. In fact, in a recent survey of domain name professionals conducted by Brandsight, 85% of respondents said that ensuring domain names remain secure was an extremely important goal.

There are a number of ways to ensure the security of domain name portfolios, starting with requiring the use of two-factor authentication to access domain name management accounts, and limiting who has access to which domains and what types of updates each user is allowed to make.

Users and their permissions should be reviewed periodically, especially as employees change jobs or leave the company. Those responsible for managing domain names should be made aware of the potential for phishing scams and social engineering attacks and should take care to keep login credentials and authorisation codes secure.

All domain names should employ standard registrar locks to guard against deletion, updates or transfers. Core domains which are used for production websites or to host email should employ registry locking where available. Registry locking provides an additional layer of security so that domains are protected against hacktivists from pointing domains to politically motivated content, disgruntled employees from embarrassing their employers, and inadvertent mistakes which, unfortunately, still happen. Registry locked domains are editable only when a unique, manual security protocol is completed between the registry and the registrar. 

While corporations have their choice of registrar and can take efforts to protect against unauthorised access to domain management accounts, they have little control over the security of registries. As a reminder, registries can be thought of as the wholesaler of domains, and there is only one registry for every TLD.

Many registries run world-class infrastructures, and most have never been compromised. In the past, however, some smaller ccTLDs have suffered breaches where corporate domain names were redirected to politically motivated sites. Monitoring for unauthorised changes to nameservers is the best way to uncover a potential registry security breach. While this doesn’t stop a breach occurring, it does allow corporations to respond quickly.

Principle #2: Manage domain name portfolio growth

Many companies struggle to right-size their portfolios, and many will say that their portfolios have become bloated over time. For those willing to accept the risk of paring portfolios, companies should evaluate their current portfolio to understand geographic coverage and numbers of registrations per brand. In addition, it is necessary to understand why domain names were initially acquired, how they are currently used, any traffic generated by them, and whether they have any inherent value before beginning the process to allow a domain to expire. Companies can consider selling generic, unused domain names either by listing them on domain sales platforms or with the help of domain name brokers.

Domains that have no value, generate no traffic, have no Domain Name System (DNS) records, are not previously the subject of a cease and desist letter, a Uniform Domain-Name Dispute-Resolution Policy (UDRP) process or a court order, and are associated to a brand that is no longer supported or sold, may be a candidate for expiration, if approved by the internal brand owner. The big question to ask is, if this domain is re-registered, will it matter?

While getting  portfolios to the right size can be fraught with too much risk for some, those companies can still endeavour to make more strategic domain registration decisions going forward. Companies should periodically reevaluate where and how new brands are registered as domains, especially if policies were created more than ten years ago, when defensive registrations were more widely accepted as a way to protect brands online.

Principle #3: Optimise portfolios

Domain names can be valuable assets, but many corporate domain name portfolios consist of non-resolving domains. In fact, it's not uncommon for less than half of corporate domain name portfolios to point to live content. Sure, there are domains such as those that point to ‘sucks’ sites or those registered anonymously for future use that purposely do not resolve, but those are the exception to the rule.

Most domains that do not resolve were registered defensively or acquired via acquisition—without much thought given to where the domains should actually point.

Companies should strive to ensure that all non-core domains point to relevant content and, working cooperatively with web marketing or digital marketing teams, will probably be required to determine exactly where domain names should resolve.

A common question is around how much traffic should a domain receive in order for it to be considered valuable? Of course, that depends. Raw numbers can be useful, but tracking conversion rates provides powerful evidence for understanding the value of a domain.

Principle #4: Engage with stakeholders

Successful domain management programmes require close collaboration with individuals across the enterprise and may include representatives from marketing, legal, web operations and IT. Understanding exactly who these key stakeholders are is essential, as domain name professionals need to keep them informed of new or changing TLDs.

"Successful domain management programmes require close collaboration with individuals across the enterprise and may include representatives from marketing, legal, web operations and IT."

Policies for requesting new registrations, making changes to nameservers, or updating the DNS should be jointly defined and communicated. If policies are not being followed, it may make sense to review whether these policies need to be updated. In addition, employees should also be reminded of processes for requesting new registrations, especially as uncovering domain ownership has become nearly impossible as a result of the EU General Data Protection Regulation.

The notion of a ‘Domains Council’ is something that many corporations have implemented as a way to bring together different groups which have a vested interest in ensuring that the company’s domains are being properly managed. A quarterly or biannual meeting to bring stakeholders together is a good way to make sure collaboration is happening.

Principle #5: Leverage technology

Over the last decade a number of new technologies have emerged, including Domain Name System Security Extensions (DNSSEC) and Domain-based Message Authentication, Reporting and Conformance (DMARC), which protect against cache poisoning and email spoofing, respectively.

DNSSEC is a set of protocols that can authenticate the origin of data sent from a DNS server, verify the integrity of data and authenticate non-existent DNS data. DNSSEC protects against cache poisoning, which is used to redirect website traffic. Complete DNSSEC implementation requires that domains are authenticated at the root by the registry and that DNS zones and records are authenticated as well. The adoption rate of DNSSEC is currently around 13%

DMARC is an email validation system designed to detect and prevent email spoofing. A DMARC policy allows a sender’s domain to indicate that its emails are protected by Sender Policy Framework (SPF) and/or DomainKeys Identified Mail (DKIM), and this policy is published in DNS. The policy tells a receiver what to do if neither of those authentication methods passes—such as junk or reject the message. DMARC can be leveraged for core domains and defensive registrations.

While this is by no means an exhaustive list, it does cover two important technological advances, and undoubtedly there will be more in the coming years. Companies should strive to keep abreast of these advancements and implement them where it makes sense.

Instead of prescribing a one-size-fits-all set of domain name management best practices, these guiding principles are meant to help domain professionals think more broadly about how to best manage their domain name portfolios given their unique requirements and objectives.

While there is no one ‘right way’ to manage domain name portfolios, domain professionals should strive to determine what is right for their respective companies. It is not an easy task by any means, and is certainly one that requires ongoing management as new issues continue to emerge.

Elisa Cooper is senior vice president of marketing and policy at Brandsight, a corporate domain name registrar. She can be contacted at:

Domain name management, Brandsight, DNSSEC, leverage technology, domain traffic, security, portfolio, scams, breach, Domain Name System, TLDs, GDPR

Trademarks and Brands Online