Who should we buy our domains through?

Domains. They're cheap and typically don't require much thought once they're set up. So much so that organisations often don't seem to know who they got their domain from or what's involved. Yet that one relationship controls all their email, website and possibly more - lose your domain or muck up your "DNS records" (described later) and you've lost your ability to communicate online. So this is important stuff: it's an organisational risk that needs well-documented processes, checks and reviews.

Don't bore me with the technobabble, but what are we talking about here?

An internet domain name is something like artfulrobot.uk or example.com. You hire your domain name, either from a registrar or a reseller. That company takes your money and is responsible for registering you as the current owner of that domain with the appropriate registry, e.g. all domain names ending in .uk are controlled by Nominet.

So we have: you » reseller » registrar » registry.

That means you're the owner of a domain, but on its own, it does nothing - nobody can use it to get to your website or email you etc.

Taking a simple example, your website sits on a server which can be found on the internet using a special number called an IP address (often written with dots). Your email server is probably provided by another server somewhere else, with a different IP address.

Humans don't like remembering long numbers - and so we have the domain name system (DNS) that maps human-friendly domain names to machine-friendly information like IP addresses. When you type artfulrobot.uk in your browser, it has to do several DNS record lookups to ask "what's the IP address for the domain called artfulrobot.uk?", and once it gets a reply it then gets on with asking that server for my website. When you send an email to me, your email provider looks to DNS records to find out which server(s) are able to handle incoming email for my domain.

There's various other information that can be stored in DNS records, too, e.g. information to help authenticate your email and restrict spam, but you don't need to know those details to get the basic concept.

So DNS records mean that the domain you hired is actually useful in connecting people to your organisation.

Very real risks

  • If you lose your domain - i.e. you're no longer the registered owner - then all your services (website, email...) are simply unavailable. Your website or email will not have been deleted, just nobody can find them anymore. Also, someone else could buy it, either innocently or maliciously, e.g. with the aim of selling it back to you at a high price. There are some protections in law (various jurisdictions may apply) but you clearly do not want to be in this situation. If someone else owns the domain, they also have control over your DNS records...

  • If someone malicious obtains access to changing your DNS records then they control all your domain-related services like the website people see and where incoming email goes. e.g. a malicious person who obtains control over securebank.com's DNS records could redirect all the email to their own inbox. They could redirect the website, or even provide a spoof one to dupe customers into entering their passwords.

  • If your DNS records get accidentally messed up, this can mean people can't access your website, can't email you, or can more easily send spam "from" your domain etc.

Managing the risk

  • Know who provides what services for you. Domain and DNS services are usually bundled into one, but they are actually separate (the DNS system itself is split into two parts, but we don't need to go into that). This might be bundled in with your website hosting, or IT services contract, or it might be someone else - a local firm or some random company online. Check that this company is still in good health; is still operating!

  • Regularly check that the ownership and contact details on a domain are correct. You can ask your supplier about this. They probably provide an admin website where you can check this yourself. It's surprising how many domains are registered to an ex admin staffer or long-gone trustee - remember: if the contact details are no longer in your control you might no longer have control!

  • Use a proper password for your domain/DNS service's login and don't flap it around! "password123" is not acceptable for such an important service. Make a really long awkward secure one and keep it safe (from being lost, inc. in fire etc.) and secure (from being stolen or used by those who should not have it). Don't give it out - good registrars will offer you a way to create accounts for technical people who need to manage DNS records for you without having the owner's password.

  • Organisational knowledge. Who is responsible for understanding this, paying the bills, receiving notifications? Is there a backup person? Is there a handover process for their successor?

  • Up to date billing info. Maybe you saved a debit card on your account for auto renewal, but now that card has expired? Maybe you bought your domain for 5 years which felt like forever, but now 5 years is up? Know this stuff and keep up to date.

  • Don't use a reseller. DNS gets complex, really really complex. I've encountered several companies that regularly get it wrong because they lack the technical understanding necessary. e.g. a company that provides websites may know enough to buy a domain and link it to their website but ask them to set up DKIM on a subdomain? Resellers are an unnecessary step in the chain above - ideally you hire from a registrar which is authorised directly with the registries. If you're the surgeon and your DNS records are the heart you're operating on, a reseller is often like a pair of mittens!

  • Don't use your website/IT services provider. People often want me to provide this service for them, however the organisation's ownership of their domain is more important than where they buy their services from and should be independent from it. Good registrar services will provide a way for technical people who need to administer your DNS records to do so using their own account so there's a clear separation: your organisation is the owner, me/other is providing technical services for it at present. That way if you fall out with your provider (if this is me, I hope not!) you can take away their access to your precious domain.
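
For whoever does the technical side of these reviews, here is an added example (not from the original article) of checking a domain's published registration record against your own notes. It assumes the record is available in RDAP JSON, the format that is replacing WHOIS; the sample record, the registrar names and the function names are all made up for illustration.

```python
import json
from datetime import date, datetime

# Constructed sample in the RDAP JSON format (RFC 9083), trimmed to the fields used.
SAMPLE_RDAP = json.loads("""
{
  "ldhName": "example.org",
  "events": [{"eventAction": "expiration", "eventDate": "2024-06-01T09:00:00Z"}],
  "entities": [
    {"roles": ["registrar"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Example Registrar Ltd"]]]}
  ]
}
""")

def registrar_name(rdap):
    """Return the 'fn' (full name) of the entity holding the registrar role."""
    for entity in rdap.get("entities", []):
        if "registrar" in entity.get("roles", []):
            for prop in entity.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    return prop[3]
    return None

def expiry_date(rdap):
    """Return the expiration event as a date, or None if the record has none."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "expiration":
            stamp = event["eventDate"].replace("Z", "+00:00")
            return datetime.fromisoformat(stamp).date()
    return None

def audit_domain(rdap, documented_registrar, today, warn_days=60):
    """Compare a registration record with the organisation's own notes."""
    findings = []
    name = registrar_name(rdap)
    if name != documented_registrar:
        findings.append(f"registrar is {name!r}, our records say {documented_registrar!r}")
    expires = expiry_date(rdap)
    if expires is None:
        findings.append("no expiration date published; ask the registrar")
    elif expires < today:
        findings.append(f"EXPIRED on {expires}")
    elif (expires - today).days <= warn_days:
        findings.append(f"expires in {(expires - today).days} days ({expires})")
    return findings
```

An empty list means the record matches what you have written down; anything else is a prompt to log in to the registrar account and look.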

Recommended registrars

This is not an advert and I'm not affiliated in any way with any company; I don't have anything to gain from you using them or not.

I've used the French-based registrar Gandi for a long while. They focus on keeping things as up front and plain as possible with no hidden fees. Their prices are good, and their support is ok - middling. They allow separation of accounts - so you can own your domain, I can administer your domain, someone else can receive billing communications about it etc.

I'd un-recommend GoDaddy for their poor administrative interface, unclear pricing, and poor track record which includes sexist advertising and data breaches!

If you've got a genuine recommendation, I'd love to hear from you.
