Domain

Useful for

Identity and accessExternal presenceCompany readinessAgentic delivery

Introduction

The company domain is part of the trust boundary. It anchors identity, email, DNS, the corporate website, customer communication and future product endpoints. If domain ownership or DNS control is unclear, the company can inherit avoidable security, operational and recovery risk.

Key considerations

Domain ownership should sit with the company, not an individual.
Registrar access should be controlled and recoverable.
Root DNS hosting should be deliberate and documented.
DNS administrator access should be limited.
DNS changes should be treated as critical business changes.
Alerts should exist for DNS changes that could affect identity, email, website availability,

customer routing or service trust.

Root DNS may be managed in Azure if that aligns with the operating model, but the responsibility

for changes must be clear.

Domain verification for Microsoft 365 and Azure should be recorded.

DNS change monitoring

DNS changes can break email, SSO, the public website, product routing, certificate validation and customer trust. The company should monitor and alert on critical DNS changes, especially:

MX records.
SPF, DKIM and DMARC records.
CNAME records used for Microsoft 365, SSO, website hosting or product endpoints.
TXT records used for verification.
NS records.
A and AAAA records for public services.
Certificate validation records.

Alerts should go to people who understand the business impact, not only to whoever has DNS access. Every material DNS change should have an owner, reason and rollback path.

How this evolves as the company grows

At company setup, choose the tenant, root domain, registrar and DNS owner deliberately because these become trust anchors.

Before POC, make sure DNS and domain ownership are recorded so product environments do not depend on unclear foundations.

Before Production, domain, certificate and public entry-point ownership need renewal owners, alerts and evidence.

As the company scales, DNS and domain changes should be treated as critical business changes with monitoring and review.

What an agent should look for

Who owns the domain and DNS?

Are expiry and critical changes monitored?

Which systems depend on this domain?

What good looks like

The company can explain the decision, show the evidence behind it and identify the next point where the control needs to mature.

How Brokenhouse helps

Turn this into a practical plan.

I help technology teams turn this guidance into decisions, implementation plans, governance evidence and production-ready operating models.

Talk through your situation

Next guidance

Related decisions to work through

View all guidance

Agent-led consultancy should amplify judgement

Agents should not replace expert judgement. They should help capture, structure, challenge, and reuse it.

Platform

Azure Dev Platform Modernisation

Describe the organisation, product, team shape, delivery model, and operating constraints.

Agentic software delivery governance

Agents used by the delivery team need a different governance model from AI models embedded in the product. Delivery agents may not be part of the customer-facing service, but they can still create risk because they may read code, write code, inspect logs, summarise documents, generate infrastructure changes or draft customer-facing material.