Domain Security Checklist: 12 Things to Verify Right Now
Most domain security failures are preventable. This checklist covers the 12 most important security controls for any domain you operate.
Domain security failures are almost always preventable. Hijacked domains, expired SSL certificates, blacklisted IPs, and dangling subdomain takeover vulnerabilities all share a common root cause: nobody was watching. This checklist covers the 12 most important security controls to verify for any production domain.
1. Registrar Transfer Lock Enabled
What to check: Your domain carries clientTransferProhibited in its WHOIS/RDAP status codes (clientUpdateProhibited and clientDeleteProhibited are usually set alongside it).
Why it matters: Without a transfer lock, an attacker who gains access to your registrar account, or who social engineers the registrar's support desk, can transfer the domain to another registrar. Once it has moved, recovery goes through the registrars' dispute process and is slow and uncertain.
How to verify: Check the WHOIS tab in ElasticDomain and look for clientTransferProhibited in the domain status codes.
How to fix: Log in to your registrar and enable "Domain Lock" or "Transfer Lock." For high-value domains, also ask for a registry lock (serverTransferProhibited, serverUpdateProhibited, serverDeleteProhibited): it is set at the registry and is only released after out-of-band verification, so a compromised registrar account alone is not enough to move or re-point the domain.
2. SSL Certificate Valid and Not Expiring Soon
What to check: Certificate is valid, chain is complete, expiry is more than 30 days away.
Why it matters: An expired certificate shows a full-page security warning to every visitor, and where HSTS is set the browser offers no click-through at all, so the site is simply unreachable until the certificate is renewed.
How to verify: SSL tab in ElasticDomain. Health score drops sharply as expiry approaches.
How to fix: Renew the certificate. For Let's Encrypt, verify that the certbot renewal timer or cron job is actually firing, that it can write the certificate directory and answer the challenge, and that a deploy hook reloads the web server: a renewed certificate on disk does nothing until the server picks it up.
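The expiry and chain check above can be scripted. The Python below is an added example for this article, not ElasticDomain code: it connects with a fully verifying TLS context, so an incomplete chain, an expired certificate or a hostname mismatch is reported as a finding instead of crashing the check, and it maps the remaining validity onto the 30/14/7-day ladder that item 12 recommends. The thresholds, the sample notAfter string and the sample clock are this example's assumptions.

```python
"""Certificate expiry check (added example, not ElasticDomain code)."""
import socket
import ssl
from datetime import datetime, timezone

# Constructed values so the example runs offline; from no real certificate.
SAMPLE_NOT_AFTER = "Jun  1 12:00:00 2026 GMT"
SAMPLE_NOW = datetime(2026, 5, 20, 12, 0, tzinfo=timezone.utc)


def days_until_expiry(not_after: str, now: datetime) -> float:
    """not_after is the 'notAfter' string from getpeercert(), e.g.
    'Jun  1 12:00:00 2026 GMT'; ssl.cert_time_to_seconds parses that format."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).total_seconds() / 86400


def expiry_status(not_after: str, now: datetime) -> str:
    """Map days remaining onto the checklist's 30/14/7-day alert ladder.
    The thresholds are this example's choice, not ElasticDomain's scoring."""
    days = days_until_expiry(not_after, now)
    if days <= 0:
        return "EXPIRED"
    if days <= 7:
        return "CRITICAL"
    if days <= 30:
        return "WARNING"
    return "OK"


def check_certificate(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check. The default context verifies chain, expiry and hostname, so a
    verification failure (incomplete chain, expired cert, wrong name) is itself a
    finding and is returned rather than raised."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"host": hostname, "status": "VERIFY_FAILED", "detail": exc.verify_message}
    except (OSError, ssl.SSLError) as exc:
        return {"host": hostname, "status": "CONNECT_FAILED", "detail": str(exc)}
    now = datetime.now(timezone.utc)
    issuer = dict(rdn[0] for rdn in cert["issuer"])  # issuer is a tuple of 1-tuples
    return {
        "host": hostname,
        "status": expiry_status(cert["notAfter"], now),
        "days_left": round(days_until_expiry(cert["notAfter"], now), 1),
        "issuer": issuer.get("organizationName"),
        "not_after": cert["notAfter"],
        "names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_certificate(sys.argv[1]))  # live: python cert_check.py example.com
    else:
        print(expiry_status(SAMPLE_NOT_AFTER, SAMPLE_NOW))  # offline demonstration
```

Run it against a hostname to get the live verdict; with no argument it evaluates the constructed sample. A VERIFY_FAILED result with "unable to get local issuer certificate" is the classic incomplete-chain symptom that browsers with cached intermediates hide and fresh clients do not.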
3. HTTPS Enforced + HSTS Present
What to check: HTTP redirects to HTTPS. Strict-Transport-Security header is present.
Why it matters: Without HSTS, a user who types the bare hostname starts with a plaintext HTTP request, and an on-path attacker can answer that request and keep the session on HTTP (SSL stripping) instead of letting your redirect happen. HSTS tells the browser to go straight to HTTPS on later visits; only HSTS preloading covers the very first one.
How to verify: SSL tab (HTTPS Enforced), Security tab (HSTS header present).
How to fix: Add a permanent HTTP-to-HTTPS redirect in the server config, and send Strict-Transport-Security: max-age=31536000; includeSubDomains on HTTPS responses only (browsers ignore the header on plain HTTP). Confirm that every subdomain actually serves HTTPS before adding includeSubDomains, since the directive applies to all of them, and add preload only when you are ready to submit the domain to the browser preload list.
4. Security Headers Configured
What to check: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy are present.
Why it matters: Missing security headers leave users exposed to cross-site scripting (CSP restricts where scripts may load from), clickjacking (X-Frame-Options, or the CSP frame-ancestors directive that supersedes it), and MIME sniffing (X-Content-Type-Options: nosniff).
How to verify: HTTP Header Analyzer tool (Tools → Header Analyzer). Grade B or better.
How to fix: Add headers in nginx/Apache config or via Cloudflare Transform Rules.
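Items 3 and 4 come down to inspecting one HTTPS response, so they can be checked together. The Python below is an added example, not ElasticDomain's Header Analyzer: it parses a raw response head, decodes the HSTS directives per RFC 6797, and reports the gaps the two items describe, including the HTTP-to-HTTPS redirect from item 3. The one-year max-age threshold follows the article's recommended value; the two sample responses are constructed for the example and not captured from any real host.

```python
"""Security header audit (added example, not ElasticDomain's analyzer)."""
import http.client
import ssl
from typing import Dict, List, Tuple

ONE_YEAR = 31536000  # seconds; the max-age the checklist recommends

# Constructed sample responses, not captured from any real host.
HARDENED_HEAD = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
"""

WEAK_HEAD = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=300
X-Frame-Options: SAMEORIGIN
"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Fold a raw response head into a lower-cased name -> value dict.
    The status line is skipped; repeated headers are joined with ', '."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith(("HTTP/", " ", "\t")):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def parse_hsts(value: str) -> Dict[str, object]:
    """Directives are ';'-separated and case-insensitive (RFC 6797)."""
    out: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                out["max_age"] = int(directive.split("=", 1)[1].strip('"'))
            except ValueError:
                pass  # malformed max-age stays None and is reported by audit_headers
        elif directive == "includesubdomains":
            out["include_subdomains"] = True
        elif directive == "preload":
            out["preload"] = True
    return out


def audit_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (check, finding) pairs; an empty list means every check passed."""
    h = parse_headers(raw)
    findings: List[Tuple[str, str]] = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("HSTS", "missing"))
    else:
        p = parse_hsts(hsts)
        if p["max_age"] is None or p["max_age"] < ONE_YEAR:
            findings.append(("HSTS", f"max-age {p['max_age']} is below {ONE_YEAR}"))
        if not p["include_subdomains"]:
            findings.append(("HSTS", "includeSubDomains not set"))
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append(("CSP", "missing"))
    # Either control stops framing; frame-ancestors in CSP supersedes X-Frame-Options.
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append(("Clickjacking", "neither frame-ancestors nor X-Frame-Options"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "not set to nosniff"))
    if "referrer-policy" not in h:
        findings.append(("Referrer-Policy", "missing"))
    return findings


def fetch_head(host: str, path: str = "/") -> str:
    """Live: HEAD over HTTPS, returned in the raw form audit_headers() expects."""
    conn = http.client.HTTPSConnection(host, context=ssl.create_default_context(), timeout=10)
    conn.request("HEAD", path, headers={"User-Agent": "header-audit-example/0.1"})
    resp = conn.getresponse()
    raw = f"HTTP/1.1 {resp.status} {resp.reason}\n" + "".join(f"{k}: {v}\n" for k, v in resp.getheaders())
    conn.close()
    return raw


def http_redirects_to_https(host: str) -> bool:
    """Live, item 3: plain HTTP must answer 3xx with an https:// Location."""
    conn = http.client.HTTPConnection(host, timeout=10)
    conn.request("GET", "/")
    resp = conn.getresponse()
    ok = 300 <= resp.status < 400 and resp.getheader("Location", "").lower().startswith("https://")
    conn.close()
    return ok


if __name__ == "__main__":
    import sys
    raw = fetch_head(sys.argv[1]) if len(sys.argv) > 1 else WEAK_HEAD
    for check, finding in audit_headers(raw) or [("all", "passed")]:
        print(f"{check}: {finding}")
```

The audit runs on any saved response head as well, so the output of curl -sI can be piped into it when the host is only reachable from inside a network.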
5. Not Blacklisted
What to check: The domain and its mail-sending IPs are not listed on any DNSBL (Spamhaus, Barracuda, SURBL, etc.).
Why it matters: DNSBL listings make receiving mail servers reject or junk your email, and a listing on a browser-vendor blocklist such as Google Safe Browsing puts an interstitial warning in front of every visitor; both also feed into search-engine reputation.
How to verify: Full Domain Scan → Security tab → blacklist status.
How to fix: Find the root cause (an open relay, a compromised server sending spam, malware hosted on the site), fix it, then request delisting from each blacklist separately; most refuse or quickly re-list if the cause is still active.
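A DNSBL lookup is itself a DNS query, which is why it is easy to add to your own monitoring. The Python below is an added example, not ElasticDomain's blacklist check: it builds the reversed-octet query name, interprets the answer using the return codes Spamhaus publishes for its ZEN zone, and treats the 127.255.255.x error codes as "check failed" rather than "listed". Other lists publish their own code tables, and the live lookup uses the system resolver, so the constructed answers in the offline demonstration stand in for real responses.

```python
"""DNSBL lookup and answer interpretation (added example, not ElasticDomain code)."""
import ipaddress
import socket
from typing import Dict, Optional

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
ZEN_ERRORS = ipaddress.ip_network("127.255.255.0/24")
XBL_RANGE = (ipaddress.ip_address("127.0.0.4"), ipaddress.ip_address("127.0.0.7"))

# Return codes as published by Spamhaus for the ZEN zone. Other lists define
# their own, so checking another zone needs that zone's table.
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL: direct spam source",
    "127.0.0.3": "SBL CSS: low-reputation / snowshoe sender",
    "127.0.0.9": "SBL DROP: hijacked or leased netblock",
    "127.0.0.10": "PBL: end-user range, ISP-maintained",
    "127.0.0.11": "PBL: end-user range, Spamhaus-maintained",
    "127.255.255.252": "query error: typo in DNSBL zone name",
    "127.255.255.254": "query error: sent through a public/open resolver",
    "127.255.255.255": "query error: excessive query volume",
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """203.0.113.5 against zen.spamhaus.org -> 5.113.0.203.zen.spamhaus.org"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example; IPv6 lists use nibble-reversed names")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def domain_query_name(domain: str, zone: str) -> str:
    """Domain-based lists (SURBL, URIBL) are queried with the domain itself."""
    return domain.rstrip(".").lower() + "." + zone


def interpret(answer: Optional[str]) -> Dict[str, object]:
    """answer is the A record returned, or None when the query name does not exist."""
    if answer is None:
        return {"listed": False, "error": None, "reason": None}
    a = ipaddress.ip_address(answer)
    if a not in LOOPBACK:
        # A routable address means a wildcarding or hijacking resolver, not a listing.
        return {"listed": False, "error": f"unexpected answer {answer}", "reason": None}
    if a in ZEN_ERRORS:
        return {"listed": False, "error": ZEN_CODES.get(answer, f"query error {answer}"), "reason": None}
    if XBL_RANGE[0] <= a <= XBL_RANGE[1]:
        return {"listed": True, "error": None, "reason": "XBL: exploited or infected host"}
    return {"listed": True, "error": None, "reason": ZEN_CODES.get(answer, f"listed with unknown code {answer}")}


def lookup_ip(ip: str, zone: str = "zen.spamhaus.org") -> Dict[str, object]:
    """Live check via the system resolver. gaierror covers NXDOMAIN (not listed)
    but also SERVFAIL and timeouts, so production monitoring should use a
    resolver library that tells them apart."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer = socket.gethostbyname(name)
    except socket.gaierror:
        answer = None
    result = interpret(answer)
    result["query"] = name
    return result


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(lookup_ip(sys.argv[1]))  # live: python dnsbl.py 203.0.113.5
    else:
        for code in (None, "127.0.0.2", "127.0.0.6", "127.255.255.254"):  # constructed answers
            print(code, interpret(code))
```

Spamhaus answers queries from shared public resolvers with 127.255.255.254 instead of a listing, so a checker that reads any 127.x answer as "listed" will raise false alarms from exactly the machines most people test from; query from your own resolver or through their data query service.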
6. DNSSEC Enabled
What to check: DNSSEC is configured and signatures are valid.
Why it matters: Without DNSSEC, a cache poisoning attack against a resolver can redirect your domain's traffic to attacker-controlled servers without anything changing in your zone. With DNSSEC, validating resolvers reject forged answers. The flip side is that a broken signature, an expired RRSIG, or a DS record that no longer matches the signing key makes the domain unresolvable for those same resolvers, so signing needs monitoring as well.
How to verify: DNS tab in ElasticDomain → DNSSEC status.
How to fix: Enable DNSSEC in your DNS provider settings; most major providers (Cloudflare, Route 53, etc.) make signing the zone a single toggle. Signing alone is not enough: the DS record the provider gives you must be published at the registrar, in the parent zone, before any resolver validates your answers, and it must be updated whenever the key is rolled.
7. Nameserver Redundancy
What to check: At least two nameservers on different networks, ideally at different providers or at least in different ASNs, so that one outage or routing problem cannot take both down.
Why it matters: A single nameserver, or two on the same host or network, is a single point of failure. If it goes down, nothing under your domain resolves, MX records included, so mail stops along with the website.
How to verify: DNS tab → NS records section.
How to fix: Most DNS providers automatically provision multiple geographically distributed nameservers. Verify you have at least two.
8. WHOIS Privacy Protection
What to check: Registrant contact details are protected/redacted.
Why it matters: Exposed contact details (phone, email, address) enable social engineering and targeted attacks against domain owners.
How to verify: WHOIS tab → Privacy Protected field.
How to fix: Enable WHOIS privacy (usually free) at your registrar.
9. No Dangling CNAME / Subdomain Takeover Risk
What to check: No subdomains have CNAMEs pointing to services you no longer use.
Why it matters: A dangling CNAME is one of the easiest findings to exploit: the attacker signs up at the decommissioned provider, claims the name your record still points at, and from then on serves content under your hostname. That content inherits whatever trust is attached to the name, such as cookies scoped to the parent domain, entries in CSP allowlists, OAuth redirect URIs, and the phishing credibility of your brand. A records left pointing at released cloud IPs carry the same risk.
How to verify: Full Domain Scan → Subdomains tab → look for Takeover Risk: High flags.
How to fix: Remove CNAME records for decommissioned services, or reclaim the external service account, and make DNS cleanup a step in every decommissioning runbook so the record goes away with the service.
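The triage logic behind a takeover-risk flag is simple enough to run yourself over a zone export. The Python below is an added example, not ElasticDomain's scanner: a CNAME whose target no longer resolves is high risk, because whoever can register or claim the target now answers for your hostname; a CNAME that resolves but points into a multi-tenant hosting provider is medium risk and needs a manual check that the resource is still yours. The provider suffix list, the zone export and the offline resolution table are all constructed assumptions for the example; extend the suffix list with every SaaS and CDN provider your zones actually use.

```python
"""Dangling CNAME triage (added example, not ElasticDomain code)."""
import socket
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], Optional[List[str]]]

# Starter list (an assumption for this example) of multi-tenant hosts where a
# CNAME that still resolves can nonetheless be claimed by another tenant.
MULTI_TENANT_SUFFIXES = (
    "github.io", "herokuapp.com", "herokudns.com", "azurewebsites.net",
    "cloudapp.net", "trafficmanager.net", "s3.amazonaws.com", "myshopify.com",
)

# Constructed zone export: (owner, CNAME target). None of these are real records.
ZONE_CNAMES: List[Tuple[str, str]] = [
    ("www.example.com", "www.example.com.cdn.example-cdn.test"),
    ("blog.example.com", "example-co.github.io"),
    ("old-app.example.com", "old-app-12345.herokuapp.com"),
    ("status.example.com", "statuspage.example-status.test"),
]

# Constructed resolution results for running offline; a missing key is NXDOMAIN.
OFFLINE_TABLE: Dict[str, List[str]] = {
    "www.example.com.cdn.example-cdn.test": ["203.0.113.10", "203.0.113.11"],
    "example-co.github.io": ["198.51.100.20"],
    "statuspage.example-status.test": ["192.0.2.30"],
}


def resolve_live(name: str) -> Optional[List[str]]:
    """System resolver; None when the target has no address records."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def table_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Resolver backed by a fixed table, for offline runs and tests."""
    return lambda name: table.get(name.rstrip(".").lower())


def multi_tenant_provider(target: str) -> Optional[str]:
    t = target.rstrip(".").lower()
    return next((s for s in MULTI_TENANT_SUFFIXES if t == s or t.endswith("." + s)), None)


def classify(owner: str, target: str, resolve: Resolver) -> Dict[str, str]:
    addrs = resolve(target)
    provider = multi_tenant_provider(target)
    if addrs is None:
        risk, note = "HIGH", "target does not resolve: whoever registers or claims it answers for this hostname"
    elif provider:
        risk, note = "MEDIUM", f"resolves, but {provider} is multi-tenant: confirm the resource is still yours"
    else:
        risk, note = "LOW", "resolves to a target outside the multi-tenant list"
    return {"owner": owner, "target": target, "risk": risk, "note": note}


def audit(records: List[Tuple[str, str]], resolve: Resolver = resolve_live) -> List[Dict[str, str]]:
    """Classify every CNAME, worst findings first."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted((classify(o, t, resolve) for o, t in records), key=lambda r: order[r["risk"]])


if __name__ == "__main__":
    # Swap table_resolver(OFFLINE_TABLE) for resolve_live to run against real DNS.
    for r in audit(ZONE_CNAMES, table_resolver(OFFLINE_TABLE)):
        print(f"{r['risk']:6} {r['owner']} -> {r['target']}: {r['note']}")
```

The resolver is injected so the same logic runs against a zone file in CI without network access; the NXDOMAIN test is the one that matters most, because a target that has already been deleted at the provider is claimable right now.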
10. MX Records and Email Authentication
What to check: MX records are correct, SPF is valid, DKIM is configured, DMARC is present.
Why it matters: Without email authentication, anyone can send mail that claims to come from your domain. Phishing that appears to come from your own addresses damages your brand, and once receivers start scoring the domain down, your legitimate mail suffers too.
How to verify: Email Deliverability Tester (Tools → Email Deliverability). Score should be 75+.
How to fix: Add the missing SPF, DKIM, or DMARC records. Start DMARC at p=none with an rua= reporting address to learn who is sending as you, fix the legitimate sources, then move to p=quarantine and finally p=reject. Follow the setup guide in ElasticDomain's KB.
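Most SPF and DMARC problems are visible in the TXT records themselves, without sending a single test message. The Python below is an added example, not ElasticDomain's Email Deliverability Tester: it checks an SPF record for the RFC 7208 ten-lookup limit, the deprecated ptr mechanism and a weak or missing all qualifier, and checks a DMARC record for its policy, reporting address and pct. The four sample records are constructed for the example; fetch_txt() shells out to dig, which is assumed to be on PATH, and rejoins records published as several quoted strings.

```python
"""SPF and DMARC record checks (added example, not ElasticDomain code)."""
import re
import subprocess
from typing import Dict, List

# Terms that cost a DNS lookup; RFC 7208 section 4.6.4 caps them at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed records for offline use; not fetched from any real zone.
SPF_GOOD = "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all"
SPF_WEAK = ("v=spf1 a mx ptr include:a.example include:b.example include:c.example "
            "include:d.example include:e.example include:f.example include:g.example "
            "include:h.example +all")
DMARC_GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
DMARC_WEAK = "v=DMARC1; p=none"


def check_spf(record: str) -> Dict[str, object]:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "findings": ["not an SPF record: must begin with v=spf1"]}
    findings: List[str] = []
    lookups, all_qualifier, has_redirect = 0, None, False
    for term in terms[1:]:
        t = term.lower()
        qualifier = "+"  # the default when no qualifier is written
        if t[0] in "+-~?":
            qualifier, t = t[0], t[1:]
        name = re.split(r"[:/=]", t, maxsplit=1)[0]  # mechanism or modifier name
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated (RFC 7208 section 5.5) and slow")
        if name == "redirect":
            has_redirect = True
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10: receivers return permerror")
    if all_qualifier is None and not has_redirect:
        findings.append("no all mechanism: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("+all authorises every host on the internet to send as you")
    elif all_qualifier == "?":
        findings.append("?all is neutral; use ~all (softfail) or -all (fail)")
    return {"valid": True, "lookups": lookups, "all": all_qualifier, "findings": findings}


def check_dmarc(record: str) -> Dict[str, object]:
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        return {"valid": False, "findings": ["not a DMARC record: must begin with v=DMARC1"]}
    findings: List[str] = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= tag missing or invalid: receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only reports; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you will never see aggregate reports")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    return {"valid": True, "policy": policy, "pct": int(pct) if pct.isdigit() else None, "findings": findings}


def fetch_txt(name: str) -> List[str]:
    """Live: TXT strings for name, with quoted pieces rejoined (long SPF records
    are often published as several quoted strings). Requires dig on PATH."""
    out = subprocess.run(["dig", "+short", "TXT", name], capture_output=True, text=True, check=True).stdout
    return ["".join(re.findall(r'"([^"]*)"', line)) for line in out.splitlines() if line.strip()]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        domain = sys.argv[1]
        spf = [r for r in fetch_txt(domain) if r.lower().startswith("v=spf1")]
        dmarc = fetch_txt(f"_dmarc.{domain}")
        print("SPF:", check_spf(spf[0]) if spf else "missing")
        print("DMARC:", check_dmarc(dmarc[0]) if dmarc else "missing")
    else:
        for rec in (SPF_GOOD, SPF_WEAK):
            print(check_spf(rec))
        for rec in (DMARC_GOOD, DMARC_WEAK):
            print(check_dmarc(rec))
```

The lookup count here is the top-level count only; include: targets pull in their own lookups, so a record that passes here can still exceed ten once the included records are followed, which is exactly how third-party mailers push domains over the limit.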
11. No Outdated TLS Versions
What to check: Server only accepts TLS 1.2 and TLS 1.3. TLS 1.0 and 1.1 are disabled.
Why it matters: TLS 1.0 and 1.1 are formally deprecated (RFC 8996). TLS 1.0 is exposed to BEAST, both lack AEAD cipher suites and rely on MD5 and SHA-1 in the handshake, and any server that still accepts them is a target for downgrade attacks. PCI DSS has required them to be disabled on systems handling cardholder data since June 2018.
How to verify: TLS Auditor tool (Tools → TLS Auditor). Should show A or A+ grade.
How to fix: Update ssl_protocols in Nginx, SSLProtocol in Apache, or set Minimum TLS Version in Cloudflare.
12. Monitoring and Alert Coverage
What to check: Automated monitoring is in place for all of the above.
Why it matters: Even if everything is perfect today, it can drift. SSL certificates expire, DNS records change, servers get compromised and added to blacklists. Monitoring catches these before they become emergencies.
How to verify: Dashboard → Alert Rules — are all critical alert types covered?
Recommended baseline alerts:
- Domain expiry: 60, 30, 14, 7 days
- SSL expiry: 30, 14, 7 days
- SSL Certificate Changed
- Nameserver Changed
- DNS Record Changed (for A and MX records)
- Blacklist Detected
Running the Full Audit
In ElasticDomain, a Full Domain Scan (250 credits) covers items 2, 3, 4, 5, 6, 7, 9, 10, and 11 automatically. Run it now on any domain you're responsible for.
Pair with:
- HTTP Header Analyzer for items 3 and 4
- Email Deliverability Tester for item 10
- TLS Auditor for item 11
- Manual WHOIS check for items 1 and 8