Domain security best practices

Domain management can ensure a safe experience for your users and your organization. Take the following steps to manage your .gov domain securely.

Add a security email for public use

A security email allows the public to report observed or suspected security issues on your domain. Security issues could include notifications about compromised accounts, unsolicited email, routing problems, or potential vulnerabilities.

Security emails are made public

Security emails are made public in our published data and in the .gov WHOIS. WHOIS (pronounced “who is”) is a standard used by registrars to publish the contact and name server information for registered domains.

Managing a security email in your organization

The people who can access messages sent to a security email should be capable of evaluating or triaging security reports for your entire domain. We recommend:

Using a team email address, not an individual’s email
Using a common, even guessable name, like security@<domain.gov> to make it easier to report
Adding the security email to your website and in other organizational communications so it’s easy for the public to know where to report issues

Develop a vulnerability disclosure policy

Consider having a vulnerability disclosure policy (VDP). A VDP outlines how your organization prefers to receive vulnerability reports, what you’ll do with them, the scope of systems covered by the policy, and legal authorization for those who follow the policy and report in good faith. Once complete, put your vulnerability disclosure policy online.

The Cybersecurity and Infrastructure Security Agency (CISA) released a directive to federal agencies that requires VDPs. The directive offers a comprehensive framework for how your organization could support a VDP.

View our vulnerability disclosure policy.

Preload your domain

All newly registered .gov domains are “preloaded,” or added to the HSTS preload list. HSTS, or HTTP Strict Transport Security, is a simple standard that protects website visitors by:

Ensuring their browsers always enforce an HTTPS connection
Eliminating the ability to click through a certificate error

After a domain is on the preload list, modern web browsers will enforce HTTPS connections for all websites on the domain.

We intend to preload the .gov top-level domain. In the meantime, we recommend preloading .gov domains that haven’t yet been (a required action for federal agencies under the Federal Zero Trust Strategy).

Read our blog post about preloading.

Use DMARC to prevent email impersonation

It shouldn’t be easy to impersonate the government, but scammers can spoof your domain to send fake messages that appear to come from your organization. DMARC (Domain-based Message Authentication, Reporting and Conformance) makes it difficult for malicious actors to spoof your domain in email.

DMARC lets you tell mail servers what to do when they get a message from your domain, giving you tight control. Even for domains that don’t send email, establishing a strong DMARC policy protects your organization’s reputation and the public from falling for deceptive tactics.

View CISA's guide to DMARC and email authentication.

Cyber Hygiene is a free vulnerability scanning service offered by CISA. Cyber Hygiene helps you secure your internet-facing systems and adopt modern security best practices.

Visit CISA’s Cyber Hygiene page for more information.

Join free cybersecurity group

Join the free Multi-State Information Sharing and Analysis Center (MS-ISAC). CISA designated MS-ISAC as the key resource for cyber threat prevention, protection, response, and recovery for all U.S. state, local, tribal, and territorial governments. MS-ISAC helps ensure the resiliency of government systems through coordination, cooperation, and communication.