SPF Record Does Not Start with SPF Statement
An SPF record must start with the format v=spf1; otherwise, it will be disregarded.
Route 53 controls domain resolution. Mismanagement can lead to traffic redirection, outages, or exposure. Strong controls around DNS changes and domain protection are critical.
Private VPC Hosted Zone is using .local TLD
Domains used for sending emails should have a corresponding DKIM record that validates the signatures in each official email. This provides clear validation of legitimate emails and helps identify …
RFC 7208 requires a single SPF record for SPF validation. Multiple records will lead to the disregard of domain checks.
Domains marked by ICANN as pending deletion will be available for re-registration by third parties within 30 days
Domains marked as ‘pendingTransfer’ should have their transfer request confirmed as legitimate; if the transfer is not intended, it should be cancelled and the domain locked.
Domains marked as ‘inactive’ may be missing vital configuration and are effectively useless
Domains with the ICANN EPP status serverRenewProhibited cannot be renewed and require action to rescue the domain or otherwise migrate away from it.
A ‘serverHold’ ICANN EPP Status Code can indicate an issue with your domain requiring action
The “serverDeleteProhibited” status prevents a domain from becoming unregistered. This is potentially a lock but may also stem from legal contests, and the cause should be determined.
Hosted Zones for domains purchased through the Route 53 Registrar come with a default comment. This default comment forfeits the opportunity for labelling and control.
The Sender Policy Framework (SPF) offers a straightforward method for specifying the origins of valid emails, helping to protect your domain from fraud. Domains without SPF records available face …
DMARC policies provide the opportunity to advise external email services how to handle spoofed email for your domain.
Lax DMARC policies do not explicitly advertise to mail servers that fraudulent emails should be either quarantined or rejected, guarding your domain’s reputation and allowing for spoofing …
Domains without a transfer lock are missing a key gating tool preventing the theft or sale of domains
Expiring Domains without Autorenew lead to service downtime and signal operational risk. Expired domains can also be captured by malicious parties.
DKIM signing keys with sizes under 1024 bits are trivial to brute force. As DKIM DNS records are public, weak email signatures are discoverable.