Domain Security 101

Cloud Sep 7, 2021


CAA Record
Domain Transfer Lock
Email Security 101


DNSSEC adds a layer of trust on top of the DNS system by adding cryptographic signatures to existing DNS records. This ensures the record wasn't modified, protecting against DNS injection and man-in-the-middle (MITM) attacks.

Cloudflare have a detailed post on DNSSEC here:

CAA Record

CAA is a type of DNS record that allows site owners to specify which Certificate Authorities (CAs) are allowed to issue certificates containing their domain names. - Let's Encrypt Docs

dig CAA

;; ANSWER SECTION:		600	IN	CAA	0 issue ""		600	IN	CAA	0 issue ""		600	IN	CAA	0 iodef "mailto:[email protected]" 

The above records allow for only Let's Encrypt and Sectigo* to issue certificates for If a Certificate Authority that is not listed, tries to create a certificate it will fail and an email should be sent to [email protected].

*Let's Encrypt is our main CA however this will failover to ZeroSSL (which uses sectigo), thanks to Caddy :)

Domain Transfer Lock

It's good practice to enable a Domain Transfer Lock this prevents domain hijacking where the domain is transferred to another register under the control of someone else.

This is typically a simple toggle in your domain registrar's control panel.

Use 2FA

To prevent your domain from being hijacked ensure that all accounts that are used to manage that domain has some form of 2FA.


  • Domain Registrar
  • DNS Management


It's simple don't let your domain expire and be purchased by someone else!

Email Domain Security 101

Alex Blackie has a simple guide on email domain security: