Domain Naming Standard
All MOJ services should be served from *.service.gov.uk
or
*.service.justice.gov.uk
domains. MOJ infrastructure or justice-wide services
may be eligible for a *.justice.gov.uk
domain.
Getting a domain
Please refer to How to get, register or manage a domain name.
Which domain do I need?
service.gov.uk
The GOV.UK service manual sets out when
and how to get a *.service.gov.uk
subdomain.
In short, *.service.gov.uk
subdomains are for public-facing services which
have passed their beta assessment.
service.justice.gov.uk
All other MOJ services should use a *.service.justice.gov.uk
subdomain.
This includes:
- public-facing services which haven’t yet passed a beta assessment (but may be in private beta)
- internal-facing services
However, cloud-hosted software-as-a-service used by MOJ staff (like Google
Workspace or Microsoft365), or on which MOJ has a corporate presence (like
GitHub or Trello) are not required to be served from a
*.service.justice.gov.uk
subdomain.
Cloud Platform and Modernisation Platform
If you’re using the Cloud Platform or Modernisation Platform to host your service, you will get a subdomain that uses the service name of the platform. These domains aren’t for production use, but will be a variation of:
*.cloud-platform.service.justice.gov.uk
, or*.modernisation-platform.service.justice.gov.uk
When your service is ready to go live, we will work with you to get a
production-ready <application>.service(.justice).gov.uk
domain.
justice.gov.uk
Only services which are core, MOJ-wide infrastructure, like email or
videoconferencing, or are otherwise applicable to users across the entire
justice system (like the intranet) can use a *.justice.gov.uk
subdomain.
Contact the Operations Engineering team to find out if your service is eligible.
Staff-facing sites
Any staff-facing sites should also use *.service(.justice).gov.uk
domain.
For example staff.prisonvisits.service.gov.uk
is the staff-facing side of
www.prisonvisits.service.gov.uk
.
Non-production environments
This standard includes non-production environments. For those, use this domain naming pattern:
<application>.<environment>.<service-name>.service(.justice).gov.uk
For example: staff.staging.prisonvisits.service.gov.uk
.
This pattern makes the relationships between domains clear, grouping environments by service and applications by shared environment.
Non-production environments and hosted prototypes should also use authentication (such as HTTP basic auth) to prevent public users who come across them thinking they’re real.
Non-production environments can also use different styling as a way of making it clear to users which environment they’re in - but that’s more useful for people working on the service to not modify data in production than to keep users out. GOV.UK publishing apps do this, for example compare GOV.UK Signon in their Staging and Production environments.
Welsh language versions of sites and domain naming
Services funded by the Welsh Government can apply for a .llyw.cymru and .gov.wales domain. This doesn’t apply to most services using *.service.justice.gov.uk
or *.justice.gov.uk
domains.
If you are hosting a Welsh language version of your service you would still use your current registered domain. Any Welsh language pages should be handled at an application level, rather than having Welsh language in the domain name.
For example the Welsh language version of magistrates.judiciary.uk
should be magistrates.judiciary.uk
, not ynad.judiciary.uk
.
Non .gov.uk
domains
Domains that don’t end in .gov.uk
should not be used for MOJ services.
If you use one, please refer to How to get, register or manage a domain name. The Operations Engineering team will provide
you with a .gov.uk
domain as set out above, and will help you deprecate your
old domain.
You should use a .gov.uk
subdomain, as above, for these reasons:
- Public government things should on principle be on government domains
- The ownership of a gov domain can be tracked to a government body by a member of the public
- By using .gov.uk we never have the problem that a domain’s control is lost to a previous supplier or staff member who set it up and moved on
- Domain renewals are easier to keep on top of when centralized. When the domain is not renewed, it can be bought by a squatter and used for phishing and scams
- The Service Manual says not to use the crown, New Transport font etc
if your service isn’t on a
gov.uk
domain - Unfamiliar domains look untrustworthy, putting off users including internal staff from using the service
- Normalizing the use of unfamiliar domains increases the risk of phishing
- NCSC’s Takedown Service will likely take down the site if you’re using GOV.UK Design System, the crown, New Transport font etc; and it’s not on a .gov.uk domain
- Google’s anti-phishing protection could at any time flag a site as ‘deceptive’ if it looks like a GOV.UK site but is served on a non .gov.uk domain. We’ve experienced several occasions when this happens, likely because of the use of the crown, New Transport font or “GOV.UK” text at the top left. Chrome users cannot use the site - instead they see this error:
Exemptions (where you can use a non-gov.uk
domain)
The GOV.UK Proposition
sets out an exemption criteria to use a non-gov.uk
domain.
If your service falls into What does not go on GOV.UK:
- follow the GOV.UK exemptions guidance
- request an exemption from GOV.UK
- once approved, forward the approval to the Operations Engineering team
The Operations Engineering team will then:
- work with you to register your domain
- manage renewals for the domain
- set up the domain to adhere to the MOJ’s Security Guidance
Assessing Existing Domains
If you already have a domain that you are using to provide Ministry of Justice Services, you can follow these steps assess the domain’s compliance with our standards:
- ✅ If the domain name ends with
gov.uk
, it is compliant with our standards. All domains with this Top Level Domain will have gone through the relevant checks and approvals before being created. - ✅ If the domain name does not end with
gov.uk
, check if the domain is owned by the Ministry of Justice. After, check if the domain is deprecated. If the domain is owned by the Ministry of Justice and is not deprecated, then it is probably compliant with our standards. It still may be worth considering migrating the service to thegov.uk
domain where appropriate - but this is not a requirement in all cases.
Check if a Domain is Owned by The Ministry of Justice
You can check if the domain is owned by the Ministry of Justice by looking up the domain name in our public DNS Repository. If the Second Level Domain is owned by the Ministry of Justice, in most cases there will be Hosted Zone file for the domain in the repository.
Example: If you have a domain called
testing.example.com
, you can look up the domain in the DNS Repository to see if there is a Hosted Zone file forexample.com
which should be calledexample.com.yaml
.
If there is not a Hosted Zone file for the domain, the domain may still be owned by the Ministry of Justice. To verify if the domain is owned by the Ministry of Justice, contact the Operations Engineering Team to confirm.
‼️ If you are providing Ministry of Justice Services on a domain that is not owned by the Ministry of Justice, please contact the Operations Engineering Team to discuss transferring the domain to the Ministry of Justice.
Check if a Domain is Deprecated
Deprecated domains may still serve Ministry of Justice Services, but we will no longer accept new requests to provision new services on the domain. If you run Ministry of Justice Services on a domain that is deprecated, you should consider migrating the service to a gov.uk
domain.
Below is a list of deprecated domains:
dsd.io