Skip to main content
Table of contents

How to get, register or manage a domain name

The MOJ centrally registers and maintains domains for use across the department. Domains used within the MOJ must follow the naming domains standards and must be registered by the MOJ’s Operations Engineering team.

As per the Naming domains guidance, the use of non-gov.uk domain names is strongly discouraged.

Requesting a new domain or changes to an existing domain

If you need to request a new domain or changes to an existing domain name, email the Operations Engineering team.

The Operations Engineering team will help ensure that your domain meets the naming domains standard and our wider standards for naming things. The Operations Engineering team will also help identify which subdomain is most appropriate for your service.

You must not register a domain outside of the Operations Engineering team.

Note - There are seperate processes for new gov.uk domains. If you are seeking a gov.uk or service.gov.uk domain you should Check if your organisation can get a .gov.uk domain name in the first instance.

Moving your domain to the central register

If you currently use or have registered a non-gov.uk domain, you must transfer the domain to the Operations Engineering team. The Operations Engineering team will:

  • provide you with a new domain that meets naming domains standards
  • redirect your old domain to your new domain
  • help you decommission and deprecate your old domain

Defensive domain registrations

Defensive domains must be requested through the Operations Engineering team.

The MOJ’s Security Guidance covers why we defensively register domain names.

Deprecating domains

If you need to deprecate a domain (both gov.uk and non-gov.uk), please contact the Operations Engineering team.

The Operations Engineering team will ensure it:

  • redirects to your new domain, if applicable
  • has the correct DNS records set for a domain that has been deprecated

List of deprecated domains

The MOJ no longer supports:

  • *.dsd.io, which was previously used for non-production services

Mandatory DNS records for domains

If you have DNS delegation for a subdomain, you must set the following DNS records yourselves. If you do not have DNS delegation, the Operations Engineering team will set these to the appropriate value for you.

Functional nameservers

Your domain must always have functional nameservers.

Sender Policy Framework (SPF)

Your domain must always have a TXT record for SPF set.

For example, if your domain does not send emails, you would set a TXT record to:

v=spf1 -all

Additional guidance is available on GOV.UK’s SPF implementation guidance.

Domain-based Message Authentication, Reporting and Conformance (DMARC)

Your domain must always have a DMARC record configured in line with the GOV.UK’s DMARC guidance.

For example, to set a reject policy, you would set a TXT record on _dmarc.mydomain.gov.uk to:

v=DMARC1;p=reject;rua=mailto:dmarc-rua@dmarc.service.gov.uk;

Mail Exchanger (MX)

You must set MX records on your domain. If you’re using your domain for email, use the correct DKIM records supplied by your email provider (AWS SES, SendGrid, etc).

If your domain does not accept email, you must set a NULL MX Resource Record, such as:

Name/host/alias Time to live Record type Priority Value
. (full stop) 3600 MX 0  (empty)

DomainKeys Identified Mail (DKIM)

You must set a DKIM record on your domain. If you’re using your domain for email, use the correct DKIM records supplied by your email provider (AWS SES, SendGrid, etc).

If your domain does not accept email, you must set a nullified wildcard DKIM record. This will ensure any cached keys will be explicitly removed.

For example, on the domain: *._domainkey.mydomain.gov.uk, you’d set a TXT record to:

v=DKIM1; p=

Mandatory HTTPS, SSL and TLS configuration for domains

Your domains must always:

Your service must always actively:

  • turn off TLS insecure renegotiation
  • turn off TLS insecure protocol downgrade
  • turn off TLS record compression
  • turn off export key generation
  • turn off support for SSL 2

SSL and TLS configuration

You must not use the deprecated SSL protocol. You must use the TLS protocol.

Protocol and version Status
TLS 1.3 Latest
TLS 1.2 Long-term support
TLS 1.1 Deprecated in 2021 (RFC 8896), deprecated by Apple, Google, Microsoft, Mozilla in 2020
TLS 1.0 Deprecated in 2021 (RFC 8896), deprecated by Apple, Google, Microsoft, Mozilla in 2020
SSLv3 Deprecated in 2015 (RFC 7568)
SSLv2 Deprecated in 2011 (RFC 6176)
This page was last reviewed on 10 March 2022. It needs to be reviewed again on 10 June 2022 .
This page was set to be reviewed before 10 June 2022. This might mean the content is out of date.