
Domain strategy.

Decide how domains, subdomains, and DNS work across the portfolio.

Decide how domains, subdomains, and DNS work across a portfolio, whether one site or a hundred. Every decision falls into five buckets, addressed in order: apex vs www, subdomain vs subfolder vs separate domain, registrar strategy, DNS provider, and parked-domain strategy. The work starts from a full inventory, because a strategy that cannot account for every domain is not accurate.

Several of these choices are painful to change later, so they get made before launch, and the registrar account itself is hardened, because domain hijacking is real and costly.

Audience: engineering and ops teams setting up DNS for a new site, choosing registrars, planning redirects across domains, or consolidating a portfolio.

The framework

Five decisions, addressed in order.

Every domain decision falls into one of these. Several are hard to reverse, so make them deliberately and early.

  1. Apex vs www as canonical: pick one before launch and 301 the other to it. Both serving content is duplicate content. Apex is the modern default; www is easier for CDN CNAMEs.
  2. Subdomain vs subfolder vs separate domain: default to a subfolder so SEO equity flows to one hostname. A subdomain suits a different stack; a separate domain a different brand. The case against subfolder has to be made.
  3. Registrar strategy: lock the registrar, enforce 2FA, keep auto-renew on, and turn on WHOIS privacy and a transfer lock by default. Domain hijacking is real and costly.
  4. DNS provider: an anycast network for fast resolution, DNSSEC support, API access, and audit logs, with a minimal, intentional record set (A or AAAA, MX, TXT for SPF, and CAA).
  5. Parked-domain strategy: 301 defensive domains to the primary, hold others blank, and avoid registrar default parking pages that serve ads against the brand. Never serve thin content for SEO.

What to lock down

Decide canonicals early; harden the registrar.

Pick the canonical (apex or www) before launch and 301 the other to it, because changing it later is painful and both serving content is duplicate content plus a soft signal of a poor setup. Use a 301 rather than a 302 everywhere a redirect is intended, since SEO equity passes reliably only through a permanent redirect.
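One way to audit the rule above, as an added example that is not taken from the SKILL.md or its repository: every scheme/host variant should reach the canonical URL through permanent redirects only, ideally in a single hop. The recorded responses are constructed sample data, the apex-over-HTTPS canonical is an assumption, and `audit_variant` and `audit_all` are hypothetical helper names.

```python
from urllib.parse import urljoin

CANONICAL = "https://example.com/"   # assumption: apex over HTTPS is canonical
PERMANENT = {301, 308}               # 308 is the other permanent redirect status
REDIRECTS = PERMANENT | {302, 303, 307}

# Constructed sample: URL -> (status, Location), as a crawler would record it.
RESPONSES = {
    "http://example.com/":      (301, "https://example.com/"),
    "http://www.example.com/":  (301, "https://www.example.com/"),
    "https://www.example.com/": (302, "https://example.com/"),  # temporary
    "https://example.com/":     (200, None),
}

def audit_variant(start, responses=RESPONSES, canonical=CANONICAL, max_hops=5):
    """Follow recorded redirects from `start`; return findings (empty list = OK)."""
    findings, url, seen = [], start, set()
    while True:
        if url in seen:
            return findings + [f"redirect loop at {url}"]
        if len(seen) > max_hops:
            return findings + [f"more than {max_hops} hops from {start}"]
        seen.add(url)
        if url not in responses:
            return findings + [f"no response recorded for {url}"]
        status, location = responses[url]
        if status not in REDIRECTS or not location:
            break
        if status not in PERMANENT:
            findings.append(f"{url} answers {status}, not a permanent redirect")
        url = urljoin(url, location)   # Location may be relative
    hops = len(seen) - 1
    if url != canonical:
        findings.append(f"{start} ends at {url}, not {canonical}")
    elif status != 200:
        findings.append(f"canonical answers {status}")
    if hops > 1:
        findings.append(f"{start} needs {hops} hops; redirect straight to canonical")
    return findings

def audit_all(responses=RESPONSES, canonical=CANONICAL):
    """Audit the four scheme/host variants of the canonical hostname."""
    host = canonical.split("//", 1)[1].strip("/")
    apex = host[4:] if host.startswith("www.") else host
    variants = [f"{s}://{h}/" for s in ("http", "https") for h in (apex, "www." + apex)]
    return {v: audit_variant(v, responses, canonical) for v in variants}
```

In the sample data the www variants are flagged: the HTTPS one answers 302, and the HTTP one both passes through that 302 and takes two hops.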

The registrar account is a security surface. Lock it, enforce 2FA, keep auto-renew on (a dropped domain gets snapped up and costs ten times more, or becomes unrecoverable), and add CAA records so only your chosen certificate authorities can issue certs. Default WHOIS privacy and a transfer lock round it out.
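How a CA decides whether CAA permits issuance, as an added example that is not part of the SKILL.md or its repository; it goes slightly beyond the text by showing the RFC 8659 lookup (climb toward the root, `issuewild` overriding `issue` for wildcard names). The zone data is constructed, `other-ca.example` is a placeholder CA name, the function names are hypothetical, and CNAME handling and the critical flag are left out.

```python
# Constructed sample zone data: owner name -> list of (tag, value) CAA properties.
ZONE = {
    "example.com": [("issue", "letsencrypt.org"), ("issuewild", ";"),
                    ("iodef", "mailto:security@example.com")],
    "shop.example.com": [("issue", "other-ca.example")],   # placeholder CA name
    "legacy.example": [("iodef", "mailto:security@example.com")],
}

def relevant_caa(fqdn, zone):
    """Climb from fqdn toward the root; the closest name with CAA records wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    if labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def allowed_cas(fqdn, zone):
    """Return None if CAA does not restrict issuance, else the set of allowed CAs."""
    rrset = relevant_caa(fqdn, zone)
    issue = [v for t, v in rrset if t == "issue"]
    issuewild = [v for t, v in rrset if t == "issuewild"]
    # issuewild only applies to wildcard names, where it overrides issue.
    applicable = issuewild if (fqdn.startswith("*.") and issuewild) else issue
    if not applicable:
        return None   # no CAA, or only tags such as iodef: any CA may issue
    # The value is "<ca-domain>[; params]"; a bare ";" authorizes nobody.
    return {v.split(";")[0].strip().lower() for v in applicable} - {""}

def may_issue(ca, fqdn, zone=ZONE):
    """True if `ca` is permitted to issue for `fqdn` under the zone's CAA records."""
    allowed = allowed_cas(fqdn, zone)
    return allowed is None or ca.lower() in allowed

def unrestricted(names, zone=ZONE):
    """Inventory check: names for which any CA could still issue."""
    return [n for n in names if allowed_cas(n, zone) is None]
```

Two things the sample makes visible: a CAA set on a subdomain replaces the parent's rather than adding to it, and a name carrying only `iodef` is still open to every CA.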

Parked domains earn their keep by redirecting or staying blank, never by serving thin or near-duplicate content for SEO, which search engines penalize as doorway pages. And a new content section defaults to a subfolder, because subdomains fragment SEO equity across hostnames and the case for one has to be made deliberately.

Reference files

The reference that goes alongside the SKILL.md.

  • references/dns-record-reference.md

    Common DNS records explained, with the syntax for the most useful ones (A, AAAA, CNAME, MX, TXT, CAA, SRV) and when each is needed.

Browse all reference files on GitHub

Bridges to other skills

The skills that share the DNS zone.

Domain strategy owns the portfolio and the records. These cover the moves, the email authentication, and the monitoring that sit alongside it.

  • URL changes

    content-migration

    Moving content between platforms or URL structures is a migration, with its own redirect map and cutover. Domain strategy owns the canonical and the DNS; the migration owns the content move.

  • Email records

    email-deliverability

    SPF, DKIM, and DMARC live in the DNS zone this skill manages, but the authentication setup itself is email-deliverability's job. This skill keeps the zone clean; that one tunes the records.

  • HTTPS and CAA

    security-baseline

    HTTPS enforcement and security headers sit in the baseline, while CAA records that lock down certificate issuance are a DNS decision here. The two meet at the edge.

  • Watching the records

    monitoring-and-alerting

    Certificate expiry, DNS resolution, redirect chains, and renewal dates all need alerts. This skill defines what to watch; monitoring wires up the alerts.

Open source under MIT

Read the SKILL.md on GitHub.

The skill source lives in the rampstackco/claude-skills repository alongside dozens of other skills covering the full lifecycle of brand and product work. This page is a structured overview; the SKILL.md is the source. MIT licensed.

Frequently asked questions.

Apex or www, and does it matter?
Pick one before launch and 301 the other to it, because both serving content is duplicate content and a soft signal of a poor setup. Apex (example.com) is the modern default: cleaner and more memorable. The www variant is historically standard and easier for CDN CNAME records, since an apex CNAME is technically forbidden, though most providers offer ALIAS or ANAME. Whichever you choose is painful to change later, so make the call early and enforce it with a redirect plus forced HTTPS on both.
Subdomain, subfolder, or separate domain?
Default to a subfolder (example.com/blog) so SEO equity flows to a single hostname. Use a subdomain (blog.example.com) when the section runs on a different stack or platform and is organizationally separate, and a separate domain only when it is a genuinely different brand and audience. Subdomains fragment SEO equity across hostnames, so the case for one has to be made; the default is always the subfolder.
How do I protect the domain itself?
Lock the registrar, enforce 2FA on the account, keep auto-renew on, and turn on WHOIS privacy and a transfer lock by default. Domain hijacking is real and costly, and turning auto-renew off 'to save money' risks a dropped domain being snapped up at ten times the cost or becoming unrecoverable. Add CAA records so only your chosen certificate authorities can issue certs for the domain, which closes off a misconfigured ACME client issuing a cert you did not authorize.
How should I handle parked domains?
Three strategies are valid: 301 every path to the primary site (best for defensive registrations close to your brand), hold the domain blank (a simple page or NXDOMAIN, fine for domains you may use later), or a basic coming-soon page (lowest value). Avoid registrar default parking pages, which serve ads against your brand for the registrar's benefit, and never let a parked domain serve thin or near-duplicate content from your main site for SEO, because search engines penalize doorway pages rather than rewarding them.
How is this different from content-migration?
Domain strategy owns DNS architecture, canonicals, registrar configuration, and the portfolio of domains. Content-migration owns moving content between platforms, domains, or URL structures, with its full redirect map, cutover, and 30-to-90-day recovery window. Email authentication records (SPF, DKIM, DMARC) belong to email-deliverability even though they live in the zone this skill manages, and internationalization domain choices belong to that skill.