How to get, register or manage a domain name
The MOJ centrally registers and maintains domains for use across the department. Domains used within the MOJ must follow the naming domains standards and must be registered by the MOJ’s Operations Engineering team.
As per the Naming domains guidance, the use of non-gov.uk domain names is strongly discouraged.
Requesting a new domain or changes to an existing domain
If you need to request a new domain or changes to an existing domain name, email the Operations Engineering team.
The Operations Engineering team will help ensure that your domain meets the naming domains standard and our wider standards for naming things. The Operations Engineering team will also help identify which subdomain is most appropriate for your service.
You must not register a domain outside of the Operations Engineering team.
Note - There are separate processes for new gov.uk domains. If you are seeking a gov.uk or service.gov.uk domain, you should Check if your organisation can get a .gov.uk domain name in the first instance.
Moving your domain to the central register
If you currently use or have registered a non-gov.uk domain, you must transfer the domain to the Operations Engineering team. The Operations Engineering team will:
- provide you with a new domain that meets naming domains standards
- redirect your old domain to your new domain
- help you decommission and deprecate your old domain
Defensive domain registrations
Defensive domains must be requested through the Operations Engineering team.
The MOJ’s Security Guidance covers why we defensively register domain names.
Deprecating domains
If you need to deprecate a domain (both gov.uk and non-gov.uk), please contact the Operations Engineering team.
The Operations Engineering team will ensure it:
- redirects to your new domain, if applicable
- has the correct DNS records set for a domain that has been deprecated
List of deprecated domains
The MOJ no longer supports:
- *.dsd.io, which was previously used for non-production services
Mandatory DNS records for domains
If you have DNS delegation for a subdomain, you must set the following DNS records yourselves. If you do not have DNS delegation, the Operations Engineering team will set these to the appropriate value for you.
Functional nameservers
Your domain must always have functional nameservers.
Sender Policy Framework (SPF)
Your domain must always have a TXT record for SPF set.
For example, if your domain does not send emails, you would set a TXT record to:
`v=spf1 -all`
Additional guidance is available on GOV.UK’s SPF implementation guidance.
Domain-based Message Authentication, Reporting and Conformance (DMARC)
Your domain must always have a DMARC record configured in line with the GOV.UK’s DMARC guidance.
For example, to set a reject policy, you would set a TXT record on `_dmarc.mydomain.gov.uk` to:
`v=DMARC1;p=reject;rua=mailto:dmarc-rua@dmarc.service.gov.uk;`
Mail Exchanger (MX)
You must set MX records on your domain. If you’re using your domain for email, use the correct DKIM records supplied by your email provider (AWS SES, SendGrid, etc).
If your domain does not accept email, you must set a NULL MX Resource Record, such as:
Name/host/alias | Time to live | Record type | Priority | Value |
---|---|---|---|---|
. (full stop) | 3600 | MX | 0 | (empty) |
DomainKeys Identified Mail (DKIM)
You must set a DKIM record on your domain. If you’re using your domain for email, use the correct DKIM records supplied by your email provider (AWS SES, SendGrid, etc).
If your domain does not accept email, you must set a nullified wildcard DKIM record. This ensures that any cached keys are explicitly removed.
For example, on the domain `*._domainkey.mydomain.gov.uk`, you'd set a TXT record to:
`v=DKIM1; p=`
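An added example, not MOJ code, that checks a constructed snapshot of a domain's records against the SPF, DMARC, MX and DKIM rules above and reports anything missing or weaker than the guidance. The placeholder domain name, the record-dictionary shape and the `accepts_mail` flag are assumptions for illustration.

```python
from typing import Dict, List, Tuple

Records = Dict[Tuple[str, str], List[str]]  # (owner name, type) -> rdata strings

def parse_tags(txt: str) -> Dict[str, str]:
    """Parse a 'tag=value; tag=value' DMARC or DKIM TXT record into a dict."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_records(domain: str, records: Records, accepts_mail: bool) -> List[str]:
    """Return findings against the mandatory-record rules; [] means compliant."""
    findings: List[str] = []
    spf = [r for r in records.get((domain, "TXT"), []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"expected exactly one SPF record, found {len(spf)}")
    elif not accepts_mail and spf[0].split() != ["v=spf1", "-all"]:
        findings.append(f"non-sending domain should publish 'v=spf1 -all', got {spf[0]!r}")
    dmarc = records.get((f"_dmarc.{domain}", "TXT"), [])
    tags = parse_tags(dmarc[0]) if dmarc else {}
    if tags.get("v", "").upper() != "DMARC1":
        findings.append(f"missing or malformed DMARC record at _dmarc.{domain}")
    elif tags.get("p") != "reject":
        findings.append(f"DMARC policy is p={tags.get('p')}, not p=reject")
    if tags.get("v") and not tags.get("rua", "").startswith("mailto:"):
        findings.append("DMARC record has no rua=mailto: reporting address")
    mx = records.get((domain, "MX"), [])
    if not mx:
        findings.append("no MX record (a domain that takes no mail needs a NULL MX)")
    elif not accepts_mail and mx != ["0 ."]:
        # RFC 7505 NULL MX: preference 0, exchange "." and no other MX records
        findings.append(f"non-mail domain should have only the NULL MX '0 .', got {mx}")
    if not accepts_mail:
        dkim = records.get((f"*._domainkey.{domain}", "TXT"), [])
        ktags = parse_tags(dkim[0]) if dkim else {}
        if ktags.get("v", "").upper() != "DKIM1" or ktags.get("p", "x") != "":
            findings.append("non-mail domain needs the nullified wildcard DKIM 'v=DKIM1; p='")
    return findings

# Constructed record snapshot for a placeholder domain that sends and accepts no mail
PARKED: Records = {
    ("parked.example.gov.uk", "TXT"): ["v=spf1 -all"],
    ("_dmarc.parked.example.gov.uk", "TXT"): ["v=DMARC1;p=reject;rua=mailto:dmarc-rua@dmarc.service.gov.uk;"],
    ("parked.example.gov.uk", "MX"): ["0 ."],
    ("*._domainkey.parked.example.gov.uk", "TXT"): ["v=DKIM1; p="],
}
```

Feed it the answers from `dig` for a real subdomain to confirm the delegated zone still matches the guidance after a change.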
Mandatory HTTPS, SSL and TLS configuration for domains
Your domains must always:
- Have a valid TLS certificate
- 301 (Moved Permanently) redirect unencrypted HTTP requests to HTTPS
- Use HTTP Strict Transport Security (HSTS) to force all connections to use HTTPS
- Utilise `upgrade-insecure-requests` in your Content Security Policy (CSP) to force all content on a service to be loaded over HTTPS
Your service must always actively:
- turn off TLS insecure renegotiation
- turn off TLS insecure protocol downgrade
- turn off TLS record compression
- turn off export key generation
- turn off support for SSL 2
SSL and TLS configuration
You must not use the deprecated SSL protocol. You must use the TLS protocol.
Protocol and version | Status |
---|---|
TLS 1.3 | Latest |
TLS 1.2 | Long-term support |
TLS 1.1 | Deprecated in 2021 (RFC 8896), deprecated by Apple, Google, Microsoft, Mozilla in 2020 |
TLS 1.0 | Deprecated in 2021 (RFC 8896), deprecated by Apple, Google, Microsoft, Mozilla in 2020 |
SSLv3 | Deprecated in 2015 (RFC 7568) |
SSLv2 | Deprecated in 2011 (RFC 6176) |