Is it safer for an agency to manage hosting and domains?

It can be safer if governed correctly. Agencies typically respond faster to incidents and prevent SEO regressions from DNS/SSL lapses. Safety depends on transparent ownership, role-based access, clear SLAs, and a no lock-in handover policy.

How do we avoid vendor lock-in?

Keep the client as domain registrant and billing owner; document all systems; use shared password managers; maintain a current handover pack; and contractually require timely handback with no penalties.

Who should own the domain name?

The client. The agency should be listed as technical contact with access to registrar, DNS, and hosting via named users, not shared logins.

What’s the minimum SOP set?

Joiners-Movers-Leavers (JML) access process, DNS/SSL change procedure, backup & restore drill, incident response runbook, and quarterly review of access and expiries.

SEO & Branding

Why Agencies Should Manage Client Hosting & Domains (Without Lock‑In)

By Dominik Kowalski · Updated 21 Aug 2025 · 12–16 min read

Purpose: Reduce operational risk and SEO regressions with a transparent, client‑first governance model that keeps ownership with the client and agility with the agency.

TL;DR: Let the client own the domain and billing. Give the agency technical control via named accounts, documented SOPs, and SLAs. Maintain a handover pack to eliminate lock‑in. Review access quarterly. Result: faster incident response, fewer DNS/SSL mistakes, and more stable SEO.

Why agency‑managed infrastructure improves outcomes

Faster incident response: Agencies can fix outages, mixed content, or broken redirects within minutes.
SEO stability: Fewer regressions from DNS misconfig, TTL mistakes, or expired SSL.
Single accountability: One team owns the release calendar across DNS, hosting, and CMS.

Downside risks—vendor lock‑in and opaque access—are solved by a client‑first governance model.

Governance model: ownership vs. control

Area	Client owns	Agency controls	Notes
Domain (registrar)	Registrant, billing profile	Technical contact, renewal reminders	Use auDA/ICANN compliant registrars; keep WHOIS accurate.
DNS	Primary zone ownership	Zone edits via named users	Prefer providers with versioning and audit logs (e.g., Cloudflare).
Hosting	Contract and budget	Provisioning, scaling, WAF, caching	AU region for AU audiences; see AU hosting guide.
Certificates	Certificate policy	Automation (ACME), renewals	Auto‑renew with monitoring and expiry alerts.
Backups	Retention policy	Schedules, restore tests	Quarterly restore drill, including database.

Access control (RACI + named users)

Use named accounts with 2FA, no shared logins. Map responsibilities with RACI.

System	Client	Agency	Notes
Registrar	Account Owner (A/R)	Technical Contact (C/I)	Client controls billing; agency receives renewal alerts.
DNS	Owner (A)	Editor (R)	Require change tickets for MX/SPF/DMARC/DKIM updates.
Hosting	Budget approval (A)	Ops/SRE (R)	Agency manages scaling, WAF, caching, PHP/runtime updates.
CDN/WAF	Owner (A)	Admin (R)	Enable HTTP/3, TLS 1.3, page rules, and bot mitigation.
CMS	Publisher (R)	Admin (R)	Least privilege for editors; audit plugin/theme changes.

R=Responsible, A=Accountable, C=Consulted, I=Informed

Minimum SOP set (copy/paste)

JML (Joiners‑Movers‑Leavers): Provision on day 1; review on role change; revoke within 24h of exit. Quarterly access review.
DNS/SSL changes: Change ticket → low TTL → window → implement → validate (A/AAAA, MX, CAA, SPF, DKIM, DMARC) → raise TTL.
Backup & restore: Nightly app/db backups; offsite copy; quarterly full restore test with checksum.
Incident response: Priorities, comms channel, on‑call rotation, status updates cadence, post‑incident review within 72h.
Release management: Staging approvals, smoke tests, rollback plan, change log.

AU‑specific considerations

Data residency: Host in AU regions when contracts require it; ensure backups/logging are AU‑based.
Availability & latency: Use AU POPs for CDN; aim for AU TTFB <800 ms (preferably <500 ms).
Regulatory: Follow auDA eligibility for .au domains; respect OAIC privacy guidelines.

References: auDA, ICANN, Google Search Central.

Handover and no lock‑in policy

Commit in writing to a clean exit. Maintain a living handover pack:

System inventory (registrar, DNS, hosting, CDN, CMS, monitoring) with admin URLs.
Account roles and current named users.
Backup and restore procedures with last drill date.
DNS zone export and SSL certificate details.
Change history for the last 90 days.

When transitioning, schedule a joint maintenance window and keep TTLs low for 48–72 hours.

Risk register (common)

Risk	Impact	Mitigation
Expired SSL	Downtime, SEO trust signals drop	ACME automation, expiry alerts, secondary validation method
Misconfigured DNS	Email delivery, site outage	Change tickets, zone versioning, peer review, low TTL windows
Access sprawl	Security incidents	JML process, quarterly access review, 2FA required
Unverified backups	Data loss	Restore drills, checksum verification, offsite copies

Need a template set? For governance packs, change tickets, and release checklists, see Resources & Tools. If you need hands‑on help, Dominik Digital Marketing offers technical SEO and infrastructure governance advisory. Start with a site & infra assessment or visit directly: https://domdigitalmarketing.com.au/.

Why agency‑managed infrastructure improves outcomes

Governance model: ownership vs. control

Access control (RACI + named users)

Minimum SOP set (copy/paste)

AU‑specific considerations

Handover and no lock‑in policy

Risk register (common)

Where to go next