The 60-Second Audit
Run through this list quarterly; every unchecked box is a potential $50k mistake.
Account Access
- Unique, randomly generated 20+ character password per registrar account [ ]
- 2FA enabled: hardware security key (FIDO2/WebAuthn) where the registrar supports it, TOTP otherwise; never SMS [ ]
- IP allowlist on API and admin logins [ ]
- No shared logins; each admin has their own named account [ ]
Domain-Level Security
- Registrar lock set: clientTransferProhibited, plus clientUpdateProhibited and clientDeleteProhibited [ ]
- Registry lock (serverTransferProhibited, applied by the registry and lifted only through an out-of-band process) for names worth >$10k [ ]
- DNSSEC enabled: DS record at the registry matches the zone's KSK, RRSIG signatures valid and not near expiry [ ]
- Auto-renew on, and prepaid to the 10-year maximum term [ ]
Monitoring & Alerts
- WHOIS/RDAP change alerts (registrar, status codes, nameservers, contacts) to security@ [ ]
- DNS drift monitoring (NS, A/AAAA, MX, TXT) [ ]
- TLS certificate expiry warning 30 days out [ ]
- Blocklist and malware scan weekly [ ]
Email & DNS Hygiene
- SPF, DKIM, and DMARC published, with DMARC at p=reject [ ]
- Registrar account contact on a separate email domain, so a hijacked domain cannot be used to reset its own registrar credentials [ ]
- CAA record (its own RR type, not a TXT record) limiting which CAs may issue for the domain [ ]
Legal & Business
- Domains held in a separate asset-holding LLC [ ]
- Registry-lock removal requires two-person sign-off [ ]
- Domain insurance rider active [ ]
- Up-to-date trademark registrations [ ]
Incident Response Ready
- Written runbook for hijack recovery [ ]
- 24/7 phone numbers for registrar and registry [ ]
- Backup credentials (recovery codes, spare hardware key) stored offline [ ]
- Legal counsel familiar with UDRP [ ]
Continuous Improvement
Schedule a calendar reminder every 90 days. Tick the boxes, export a PDF, and store it in an encrypted vault. Security is not a state, it's a process: automate what you can, audit what you can't.
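The lock, DNSSEC, SPF/DMARC and CAA items above can be checked mechanically from a domain's RDAP object (RFC 9083) and a few DNS answers. The following script is an added example, not part of the original checklist: it evaluates those items against constructed sample data. The RDAP document and DNS answers embedded below are made up for illustration (the domain name, issuer and status values are assumptions); in practice you would fetch the RDAP object from the registry's RDAP server and the TXT/CAA answers from a resolver, then pass them to audit_domain().

```python
"""Offline audit of registrar/registry locks, DNSSEC delegation, SPF, DMARC and CAA.

Added example; the sample RDAP object and DNS answers are constructed, not real.
"""

# EPP status values as RDAP presents them (lower case, space separated).
REGISTRAR_LOCKS = {"client transfer prohibited", "client update prohibited", "client delete prohibited"}
REGISTRY_LOCKS = {"server transfer prohibited", "server update prohibited", "server delete prohibited"}

# Constructed RDAP domain object for a hypothetical name: one registrar lock is missing.
SAMPLE_RDAP = {
    "objectClassName": "domain",
    "ldhName": "example.test",
    "status": ["client transfer prohibited", "client delete prohibited"],
    "secureDNS": {"delegationSigned": True},
}

# Constructed DNS answers keyed by (owner name, RR type), in presentation format.
SAMPLE_DNS = {
    ("example.test", "TXT"): ['"v=spf1 include:_spf.example.test -all"'],
    ("_dmarc.example.test", "TXT"): ['"v=DMARC1; p=quarantine; rua=mailto:dmarc@example.test"'],
    ("example.test", "CAA"): ['0 issue "letsencrypt.org"', '0 iodef "mailto:security@example.test"'],
}


def _unquote(txt):
    """Join the quoted character-strings of a TXT/CAA value: '"ab" "cd"' -> 'abcd'."""
    return "".join(txt.split('"')[1::2])


def missing_registrar_locks(rdap):
    """Registrar (client*) locks that are not present in the RDAP status array."""
    present = {s.lower() for s in rdap.get("status", [])}
    return sorted(REGISTRAR_LOCKS - present)


def has_registry_lock(rdap):
    """True if the registry-side transfer lock is set."""
    return "server transfer prohibited" in {s.lower() for s in rdap.get("status", [])}


def dnssec_signed(rdap):
    """True if the registry reports a signed delegation (DS published)."""
    return bool(rdap.get("secureDNS", {}).get("delegationSigned"))


def parse_tag_value(record):
    """Parse DMARC-style 'k=v; k2=v2' into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_policy(txt_records):
    """Return the p= policy of the DMARC record at _dmarc.<domain>, or None if absent."""
    for rec in txt_records:
        tags = parse_tag_value(_unquote(rec))
        if tags.get("v", "").upper() == "DMARC1":
            return tags.get("p", "").lower() or None
    return None


def spf_terminal(txt_records):
    """Qualifier of the SPF 'all' term ('-', '~', '?', '+'); None if SPF is absent or duplicated."""
    spf = [_unquote(r) for r in txt_records if _unquote(r).lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None  # zero or several SPF records: receivers treat SPF as broken
    for term in spf[0].split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None  # no 'all' term: neutral by default


def caa_issuers(caa_records):
    """CAs named by issue/issuewild tags; empty set means no CAA, so any CA may issue."""
    issuers = set()
    for rec in caa_records:
        parts = rec.split(None, 2)  # flags, tag, value
        if len(parts) == 3 and parts[1].lower() in ("issue", "issuewild"):
            issuers.add(_unquote(parts[2]).split(";")[0].strip())
    return issuers


def audit_domain(domain, rdap, dns, high_value=False):
    """Return a list of findings; an empty list means every checked item passes."""
    findings = []
    for lock in missing_registrar_locks(rdap):
        findings.append(f"registrar lock missing: {lock}")
    if high_value and not has_registry_lock(rdap):
        findings.append("registry lock not set on high-value name")
    if not dnssec_signed(rdap):
        findings.append("DNSSEC: delegation not signed (no DS at the registry)")
    if spf_terminal(dns.get((domain, "TXT"), [])) != "-":
        findings.append("SPF: missing, duplicated, or not ending in -all")
    if dmarc_policy(dns.get(("_dmarc." + domain, "TXT"), [])) != "reject":
        findings.append("DMARC: policy is not p=reject")
    if not caa_issuers(dns.get((domain, "CAA"), [])):
        findings.append("CAA: no record, any CA may issue for this name")
    return findings


if __name__ == "__main__":
    for finding in audit_domain("example.test", SAMPLE_RDAP, SAMPLE_DNS, high_value=True):
        print(" -", finding)
```

Run against the sample data the script reports three findings (a missing clientUpdateProhibited lock, no registry lock on a high-value name, and DMARC at quarantine rather than reject); feed it live RDAP and resolver output on the 90-day schedule and diff the findings list between runs.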