DNSSEC

Also known as: DNS Security Extensions

Adds cryptographic signatures to DNS records so resolvers can verify responses haven't been forged or tampered with.

DNSSEC — DNS Security Extensions — adds a layer of cryptographic verification to DNS. Ordinary DNS has no built-in way to prove that the answer you received actually came from the legitimate owner of a domain, which leaves room for certain attacks that forge DNS responses and redirect traffic. DNSSEC signs DNS records so that resolvers can confirm they're authentic and unaltered.

In practice, DNSSEC is something you enable at your DNS provider and your domain registrar, which coordinate to publish and validate the signatures. When it's on, resolvers that receive your DNS records can trust they haven't been tampered with in transit.

It's not the first thing most small organizations turn on, but it's a reasonable hardening step for the DNS that underpins your domain — particularly as your domain becomes more critical to your operations.
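To check what a resolver actually returns once DNSSEC is on, this added example (not part of the original page) parses a DNS response in wire format and reports whether the resolver set the AD ("authenticated data") flag and whether each answer record type has a covering RRSIG signature record. The name `example.test`, the response bytes and the function names are constructed for illustration; the code inspects this evidence only and does not verify the signatures itself.

```python
import struct

RRSIG = 46        # RR type that carries a signature (RFC 4034)
AD_FLAG = 0x0020  # header bit a validating resolver sets (RFC 4035)

def skip_name(msg, off):
    """Return the offset just past a possibly compressed domain name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def dnssec_evidence(msg):
    """Report the AD flag and which answer RR types lack a covering RRSIG."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                 # skip QTYPE and QCLASS
    data_types, covered = set(), set()
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == RRSIG:                            # RDATA starts with "type covered"
            covered.add(struct.unpack("!H", msg[off:off + 2])[0])
        else:
            data_types.add(rtype)
        off += rdlen
    return {"ad": bool(flags & AD_FLAG),
            "unsigned_types": sorted(data_types - covered)}

def build_sample(ad, with_rrsig):
    """Constructed response for the made-up name example.test (one A record)."""
    name = b"\x07example\x04test\x00"
    flags = 0x8180 | (AD_FLAG if ad else 0)           # QR, RD, RA set
    msg = struct.pack("!6H", 0x1234, flags, 1, 2 if with_rrsig else 1, 0, 0)
    msg += name + struct.pack("!HH", 1, 1)            # question: type A, class IN
    msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    if with_rrsig:                                    # dummy all-zero signature
        rdata = struct.pack("!HBBIIIH", 1, 13, 2, 300, 0x70000000, 0x60000000, 4242)
        rdata += name + bytes(64)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", RRSIG, 1, 300, len(rdata)) + rdata
    return msg

if __name__ == "__main__":
    for ad, sig in [(True, True), (False, True), (False, False)]:
        print(ad, sig, dnssec_evidence(build_sample(ad, sig)))
```

An RRSIG with no AD flag means the zone is signed but this resolver did not vouch for validation; RRSIG records are only returned when the query asks for DNSSEC data (the DO bit).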