- web
  - Encryption is fundamental to the modern Internet. Every website should be served as an HTTPS resource. Previously, it was conventional wisdom that only websites handling credit card data or other sensitive content needed encryption. HTTPS provides more than encryption, however: it assures the user that the content has not been altered in transit. This is very important to prevent man-in-the-middle attacks and the injection of malware into the pages you serve to your users.
  - Make the website reachable via the bare domain and with a `www` hostname. Traditionally, websites were located at a hostname of `www`. For example, the website for `example.com` would be hosted at `https://www.example.com`. Nowadays it is common to serve the website at `https://example.com`. Whether or not one uses the `www` prefix is now largely a matter of taste and of whether there are multiple publicly visible websites for the domain. Because users may try either form when typing in your address, support both, with redirects to the canonical URL. Redirect unencrypted access to HTTPS with a permanent redirect.
  - Implement HTTP Strict Transport Security.
  - Implement a process to renew certificates no less frequently than annually.
  - Serve resources using Transport Layer Security (TLS) to prevent eavesdropping and alteration of content. TLS 1.3 is recommended. Anything below TLS 1.2 is deprecated and should not be used.
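As an added example (not part of the original checklist), the nginx configuration below puts the web items above together: both hostnames are accepted, plain HTTP and the `www` form are permanently redirected to the canonical bare-domain HTTPS origin, only TLS 1.2 and 1.3 are offered, HSTS is sent, and the charset is declared explicitly. The domain `example.com` and the certificate paths are placeholders to be replaced with your own.

```nginx
# Plain HTTP on either hostname (IPv4 and IPv6): permanent redirect to the
# canonical HTTPS origin. Nothing is served over cleartext.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://example.com$request_uri;
}

# HTTPS on the non-canonical www hostname: redirect to the bare domain.
# The certificate must also cover www.example.com for this redirect to work.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/ssl/PLACEHOLDER/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/PLACEHOLDER/privkey.pem;     # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    return 301 https://example.com$request_uri;
}

# Canonical site.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    ssl_certificate     /etc/ssl/PLACEHOLDER/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/PLACEHOLDER/privkey.pem;     # placeholder path

    # Offer only TLS 1.2 and 1.3; anything older is deprecated.
    ssl_protocols              TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers  off;   # let modern clients pick their best suite

    # HTTP Strict Transport Security: browsers that have seen this header will
    # refuse plain-HTTP connections to the site for the next year. "always"
    # sends it on error responses too.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Explicit charset, so Content-Type carries "charset=utf-8" and the
    # browser never has to guess the encoding.
    charset utf-8;

    root /var/www/example.com;   # placeholder document root
}
```

Verify with `nginx -t` before reloading, and test each redirect (`http://example.com`, `http://www.example.com`, `https://www.example.com`) to confirm a single 301 to the canonical origin.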
- accessibility
  - Explicitly specify the character encoding. If the character encoding is not specified with a `Content-Type` header or a `meta` tag, the browser will try to guess and might guess incorrectly, causing rendering problems for the user. Favor UTF-8 unless your content is better represented by another character encoding.
  - Support IPv6.
  - Maintain versioned backups of your website(s).
  - Consider not leaking your users' data to Google and Facebook. Set up your own analytics server or use a service that respects user privacy.
- email
  - Implement Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC), which are necessary to ensure the authenticity of mail claiming to be sent from your domain in order to prevent spam and phishing.
  - Configure email transport encryption using Transport Layer Security (TLS) to prevent eavesdropping and alteration of messages. TLS 1.3 is recommended. Anything below TLS 1.2 is deprecated and should not be used.
  - Provision at least two redundant email servers to ensure deliverability in the event that a server is offline.
  - Support IPv6.
  - If not using a hosted service, and maybe even if so, maintain your email configuration in a version control system. Use ACLs to ensure that only authorized entities make changes. Employ a standard deploy process.
- DNS
  - Provision at least two redundant DNS servers to ensure reachability in the event that a server is offline.
  - Support IPv6.
  - Maintain your DNS zone in a version control system. Use ACLs to ensure that only authorized entities make changes. Employ a standard deploy process.