Guidance

Get started with your .gov.uk domain name

What to do when your .gov.uk domain name is approved.

• From: Central Digital and Data Office and Cabinet Office
• Published: 7 October 2019
• Last updated: 6 March 2024 — See all updates

1. You must protect your .gov.uk domain

Your .gov.uk domain is a critical digital asset as it shows that your emails and websites are coming from an official UK public sector organisation. Protecting your organisation’s digital identity and reputation is central to maintaining citizen trust in the UK public sector.

If you do not keep your domain name secure, it will be at a higher risk of cyber attack. If attackers take partial or full control of a .gov.uk domain name they can:

• intercept emails and send email impersonating public sector organisations

• take over and vandalise your website

• send your website visitors to inappropriate or illegal sites

• trick users into giving over their personal details like credit card information

• use your domain to access other digital services to cause critical national disruption

The Domains Team and your .gov.uk Approved Registrar will help you manage your .gov.uk domain securely. The team is responsible for overseeing all .gov.uk domains to protect the security of public services. The team also monitors government domains, checking for any errors in how they are configured and finding potential vulnerabilities.

Keeping public sector domains secure is a collective responsibility. You must keep registrant contact details up to date. If you do not do this, and follow the guidance for keeping your domain secure, you could put the wider .gov.uk domain at risk. In that situation the Domains Team can suspend your domain to protect public services.

Read guidance on what to do if you domain is compromised if you suspect something is wrong.

2. Follow the rules for using a .gov.uk domain name 

The Domains Team may suspend your domain if your organisation:

2.1. Allows the domain to pose an immediate security threat or interfere with the secure and stable operation of the .gov.uk domain, and any public sector services that depend on it - we will tell you if this is the case.

2.2. Uses the domain to host a website with ongoing errors or security issues, for example expired security certificates or broken redirects.

2.3. Redirects the domain to a non-public sector domain like .co.uk, .org.uk, .info or .com.

2.4. Uses the domain to advertise commercial products, commodities or services for private individuals or companies not related to your organisation, unless more than 50 per cent of your income is generated from commercial activities.

2.5. Uses the domain for party political purposes, or in a way which could be perceived as being politically biased.

2.6. Violates any UK laws and regulations which are in force from time to time.

2.7. Violates the privacy or publicity rights of another individual or entity, for example by posting untrue content which harms their reputation

2.8. Infringes on the intellectual property rights of another individual or entity, for example by using their trademarks or copyright materials without consent.

3. Understand who is accountable for your domain

The person accountable for the security of your domain will vary depending on what type of organisation you are in. In larger organisations it will usually be the Chief Information Officer or equivalent. In smaller organisations it may be the Chief Executive or equivalent non-elected high-ranking officer, such as the Clerk.

Even if the person accountable for your .gov.uk domain has delegated the job of purchasing the domain from a .gov.uk Approved Registrar, they are still accountable for any terms and conditions signed on their behalf. These terms are usually known as the Registrar Registrant agreement.

4. Understand who is responsible for your domain

The registrant is responsible for the day-to-day running of the domain name. In large organisations this will be a public servant in the IT team or security team. In smaller organisations, such as parish councils this will be the clerk. 

The person or team resonsibile for securely managing your .gov.uk domain name must follow the keeping your domain name secure guidance.

5. Renew your domain names

Your .gov.uk Approved Registrar will send a reminder to renew the .gov.uk domain name and you must pay them to renew it.

If you do not renew a domain name it will be suspended. This means that services such as websites and email addresses related to that domain name will become unavailable.

6. Understand who can make changes to your domain records

The registrant can manage the technical administration of the domain or can delegate this to a Technical Point of Contact, who is the registrar or someone in your internal IT team at your organisation.

7. Build a good relationship with your suppliers

As part of your responsibility to keep your .gov.uk domain secure, a registrant must make sure they can contact the .gov.uk Approved Registrar who manages the domain, website and email, or any other supplier used. This may be one or more suppliers depending on your set up. 

If any of your suppliers stop operating, your services could fail or become unavailable immediately. We recommend you regularly review the standard of service from any suppliers you use. You can move to another supplier if you believe you are not getting the service you need. Follow guidance on how to choose a .gov.uk Approved Registrar.

8. Keep domain contact details up to date

Every domain name contains contact details including the name of the registrant, email address and supplier information. This is kept in a public record by  the Registry.called the Registration Data Access Protocol (RDAP) WHOIS database.

Use the WHOIS lookup tool to check your contact details are up to date to lower the risk of your domain name being compromised.

Contact your supplier to update your Registry WHOIS record with any changes, for example when someone leaves.

Do not use a personal email address as a contact. You must use a public sector, role-based email like ‘clerk@[your-organisation].gov.uk’ or ‘IThelpdesk@[your-organisation].gov.uk’

Check that contact details work by making sure they do not contain any spelling mistakes and by testing them.

9. Use strong passwords for services and devices

Choose a strong password for:

• all your devices

• website logins 

• email accounts

• domain portals, if you are managing your own technical records

The National Cyber Security Centre recommends using three random words. You can also use a password manager.

If you access your supplier’s portal to make changes to your domain records, use a supplier that offers multi-factor authentication (MFA) also known as 2-Factor Authentication (2FA). 

For example, when you log in to your supplier’s portal you will be asked for a password and then to input a code sent to your smartphone. This will help lower the risk of someone hijacking your domain name. 

To make sure your accounts are protected with MFA you will need:

1. Access to a device that supports MFA.

2. To ask your supplier to switch on MFA and help you set it up.

3. To switch to a supplier who uses MFA if your current supplier does not provide this option within a reasonable time frame.

10. Protect unused domains

Unused domains are vulnerable to hijack because they are not managed. They are a risk to your organisation, and to the security and integrity of public sector services.

You must check your domains and any accounts associated with them at least every 6 months to see if they’re still being used. If your organisation changes name, ceases to exist or no longer needs the domain, you must take steps to secure the domain properly.

Do not simply stop paying your domain renewal fee when you want to stop using your domain. To secure it properly, you must follow the steps in the guidance on how to stop using your .gov.uk domain.

The Domains Team may contact you to ask about how you’re using your domains. If the team asks you to secure an unused domain, you must do this.

11. Manage any subdomains you create

You are only allowed to delegate .gov.uk subdomains to other public sector organisations. You must not delegate any .gov.uk subdomains to commercial organisations.

If you’re a large organisation you may choose to create subdomains under your .gov.uk domain. For example, DWP uses dwp.gov.uk and they can create a subdomain called careers.dwp.gov.uk. This subdomain could be created for other teams to use inside or outside your organisation. 

Subdomains are difficult to keep track of and your subdomain estate can grow uncontrollably making it difficult to protect them.

We recommend that you share your zone files regularly with the Domains Team so that we can monitor your subdomains for vulnerabilities. Email support@domains.gov.uk for more information.

If you are going to issue subdomains outside of your organisation, you are still responsible for keeping these subdomains safe. This means that you must:

• keep the contact details for each subdomain up-to-date

• make sure each organisation you issue a subdomain to agrees to keeping it safe

Follow the guidance on creating and managing .gov.uk subdomains in the public sector for more information.

12. Act quickly if the Domains Team contacts you

The Domains Team monitors all .gov.uk domains to protect them against loss, damage or hijack by continuously monitoring for and detecting vulnerabilities.

If the Domains Team finds an issue we will report the issue to your Technical Point of Contact to fix. The Technical Point of Contact must implement any fixes recommended by the Domains Team promptly or tell us what actions they are going to take to mitigate the risk.

Threats can escalate quickly. In high risk circumstances, we might make emergency changes to protect any impacted public sector services, but will attempt to contact your Technical Point of Contact before doing this.

If issues cannot be fixed in a timely manner the Domains Team may suspend or withdraw your domain to protect the public sector.

Published 7 October 2019
Last updated 6 March 2024 + show all updates

1. 6 March 2024

   This page now contains information from the "How you are accountable for protecting your .gov.uk domain" page which has been unpublished and redirected to this page. This helps to reduce duplication and provide information in one place.

2. 6 March 2024

   We have merged ‘How you are accountable for your domain into this page to put all relevant information in one place and avoid repetition. We have moved or added the following sections to this page: - You must protect your .gov.uk domain - Follow the rules for using a .gov.uk domain name - Understand who is accountable for your domain - Understand who is responsible for your domain - Understand who can make changes to your domain records - Use strong passwords for services and devices - Protect unused domains - Manage any subdomains you create - Act quickly if the Domains Team contacts you

3. 30 June 2022

   Changing to a non-technical easier to follow 5 step process to help users get started once they have their .gov.uk domain.

4. 5 May 2021

   The Domain Management team has now moved to the Central Digital and Data Office. This update removes any references to the Government Digital Service (GDS).

5. 29 April 2020

   Updated to link to the 'Keeping you domain name secure' guidance and remove any repetition.

6. 6 March 2020

   Making it clearer who to contact for help by adding in a contacts section

7. 19 December 2019

   Clarifying guidance for protecting domain names

8. 7 October 2019

   First published.