Domain Registration and Management Policy

PURPOSE AND SCOPE

The City adopts this standard for domain requests, registration, and management. This policy is intended to:

• Increase trust in City websites​
• Ensure website security and reliability​
• Prepare the City to comply with the State Law AB1637 in 2029

The requirements identified in this policy apply to all information resources operated by or for the City and its departments, and commissions unless a department’s or commission’s external web domain or email system falls outside the applicable definition of a local government agency as codified in AB1637. Elected officials, employees, consultants, and vendors working on behalf of the City must also comply with this policy.

POLICY STATEMENT

The policy requires all departments to:

1. Register and renew their existing public-facing domains with the Department of Technology (DT) by December 31, 2025
2. Create plans for their websites and email to move to the SF.gov domain or a subdomain by June 30, 2026.
3. Migrate websites and email by January 1, 2028
4. Departments wishing to request a new, non-SF.gov domain, must follow the process outlined below as of [policy effective date]
5. Departments with existing .gov domains (e.g., San Francisco Airport, Public Utilities Commission, and Municipal Transportation Authority) prior to the adoption of this policy are not subject to the standards contained herein.

POLICY DETAILS / REQUIREMENTS

Existing domain registration and maintenance

1. Departments must transfer their domain registration to DT by December 31, 2025. Departments should start the process no later than June 30, 2025.
   1. Departments may submit a request to the City CIO to continue managing their own domain registration until migration to SF.gov.
2. Registered domain settings. DT will set the following controls for all domains, including parked and redirected domains:
   1. Enable domain locking.
   2. Enable domain expiration protection.
   3. Enable auto-renewal.
   4. Set contact information to organizational information such as a distribution list, shared mailbox, or similar, rather than to an individual person’s name, mailbox, and phone number.
3. Digital and Data Services (DDS) will recommend domains for deprecation if all service(s) using the domain are out of date or the department cannot identify an owner. DDS will analyze and contact departments for all existing known domains by December 31, 2025.
4. DT and DDS will publish an open data set of all known City domains with associated registrar, department, and owner information by December 31, 2025.
5. DT will maintain City registered domains with an authoritative DNS and certificate management authority, including after a website deprecation, for a minimum of two years. ​

New domain request process

Creation of new domains is discouraged. Departments requesting a new domain must provide in writing (at a minimum):

• A specific, named, department owner
• Evidence of a planned life longer than six months
• A governance and maintenance plan
• A plan to meet SF’s Digital Accessibility and Inclusion Standard, if applicable
• Analysis on the use of SF.gov domain for their needs, including specific requirements that cannot be met by using the sf.gov domain.
• Plan on migration of the service to Sf.gov

DDS and DT will review to confirm if new domains meet these requirements. Any approved new domain will only be temporary and must be deprecated by 2029 to comply with state law.

Subdomains

Departments requesting a subdomain of SF.gov must engage with DDS and DT to ensure alignment with the City's subdomain standard before a subdomain will be approved. The registration of such subdomains may, at department option, be set to use department-managed authoritative name servers, so that department IT can manage DNS records for the subdomain.

To support the City under a unified SF.gov domain by 2029, the COIT Policy Review Board (PRB) in collaboration with DDS will develop a subdomain standard for the City by June 2025 and submit it for review by PRB and approval by COIT.

This standard will include guidance for clear subdomain purposes and naming conventions, as well as the process departments must follow to request a subdomain.​

ROLES AND RESPONSIBILITIES

• Department of Technology
  • Publish data set of all City-registered domains
  • Register, renew, and maintain domains for departments
• Digital and Data Services
  • Work with PRB subject matter experts to develop subdomain standard
  • Review new domains for business requirements
  • Support communications for migration and deprecation plans for existing domains
• Department Technology Leadership
  • Transfer domains to DT
  • Create sf.gov domain migration plan with DDS
  • If necessary, consult with City Attorney regarding AB 1637
• City Attorney
  • Consult with departments to provide guidance on whether AB 1637 applies to their public-facing domains.

DEFINITIONS

• Domain - A domain is like your website's "address" on the internet. Just like you have an address for your home, a domain (e.g., example.com) helps people find your website online.
• Subdomain - A subdomain is like an extra part of your main address. For example, if your domain is example.com, a subdomain might be blog.example.com or store.example.com. It's often used to organize different sections of a website.
• Register - To register a domain means to officially claim and buy it so that you own the "address." You do this through a domain registrar, a company that sells and manages domain names.
• Redirect - A redirect is like forwarding someone to a new address. If someone types in an old or different web address, a redirect automatically sends them to the correct website.
• Domain locking - Domain locking is like putting a lock on your address to prevent it from being stolen or moved without your permission. It ensures no one can transfer your domain to another provider without your authorization.
• DNS (Domain Name System) - The DNS is like the internet's phonebook. It matches your domain name (e.g., example.com) to the correct "phone number" (IP address) so that people can visit your website. It helps browsers know where to find your site on the internet.
• Public-facing - Refers to anything intended for the public or external audiences, including customer service, websites, or public communications that represent an organization to the outside world.

EXCEPTIONS

This policy allows no exceptions.

COMPLIANCE

CA .gov domain policy AB1637: Requires all government websites to be on a .gov domain. Effective date: January 1, 2029

REFERENCES

• CA .gov domain policy AB1637
• ICANN Domain Name Registration Process ​
• Canada's DNS services management summary ​
• California domain registration ​
• UC Berkeley domain registration policy, including procedures and responsibilities

APPENDIX

SF.gov Domain Policy Transition and Implementation guide