Owning a domain name is not just finding the right domain and ensuring the domain is renewed each year. It is a long-term commitment to protecting it from expiration and common poor practices like unauthorized transfers and hijacking. This post will go over some tips for keeping your domain safe and ensuring you are following all the requirement set by ICANN. It is also worth checking out the good practices for managing domain registrations and keeping them safe from harm as recommended by ICANN.
Keep domain contact information up-to-date and accurate
When registering a domain name the registrant is required to provide contact details to the registrar.
This information is then published in the WHOIS database, allowing registrants to be contacted for domain-associated technical or operational matters, or security concerns etc.
No matter if the registrant has their contact information displayed or hidden in Whois (due to active Whois privacy protection or for GDPR reasons), registrants should make sure that the information is accurate and up-to-date at all times.
Otherwise, registrants will not be able to get important notifications about their domain names regarding expiration, transfer or Whois contact update verification.
Also, if a domain has been compromised, the registrant would not be contacted by security researchers.
Potential business partners who want to establish a contact with the registrant, if a company, will not be able to get in touch with the registrant either.
According to the Whois Data Reminder policy of ICANN, accredited registrars are required to send annual email reminders to registrants regarding the accuracy of their contact information.
This email requires that registrants review their contact information and make corrections if necessary.
Ignoring this email may lead to really unpleasant consequences for the registrant including:
- leaving their domain to expire, this may result in them having to spend lots of time, effort and expense to recover it, or it may not be recoverable at all;
- missing notifications about unauthorized changes to a domain name registration and allowing bad actors to gain access to an account and hijack a domain name;
If a registrant’s contact information is not kept up-to-date or if the registrant does not respond to domain accuracy inquiries by their registrar, the given domain could be suspended or even cancelled as per ICANN’s Whois Accuracy Policy.
To prevent this from happening, a registrant should update their contact information promptly in the event of a change to the name, postal address, email, phone number, etc.
Each domain TLD has its own transfer rules
Each domain registrant has the right to transfer a domain name to another registrar or registrant, as outlined in the ICANN’s Transfer Policy.
To do that, they should keep in mind a few important ICANN rules, as follows:
- A domain name cannot be transferred to a new registrar/registrant within 60 days of a change to the registrant or administrative contact information. This is why a registrant may consider completing the transfer process prior to making a change;
- Usually, a domain name may not be transferred within the first 60 days of the initial registration of a domain name, or within 60 days of a transfer;
- A domain transfer can only be initiated by the registered name holder or the administrative contact for the domain name. This aims to prevent unauthorized transfers of a registrant’s domain name.
This is also the reason it’s important to keep domain contact information up-to-date.
Best practices for resolving a domain transfer issue
If a domain registrant experiences problems making a transfer, they could consider the following tips and suggestions on what might be the reason for the issue and how to resolve it.
1. There are a few instances when a registrar cannot transfer a domain name, such as:
- The domain name is subject to a 60-day change-of-registrant lock, as explained earlier;
- The transfer request has been initiated within 60 days of the initial registration or a previous transfer;
- The domain is locked with the current registrar and in ‘Registrar Lock’ or ‘Client Transfer Prohibited’ status;
- The domain is the subject of an ongoing Uniform Domain Name Dispute Resolution Policy (UDRP), Transfer Dispute Resolution Policy (TDRP) or Uniform Rapid Suspension (URS) proceeding;
- The domain is subject to a court order;
2. Depending on the registration agreement a registrant has signed with their registrar, the latter may deny a transfer due to the following reasons:
- evidence of fraud report;
- the person who initiates the transfer is not actually listed as the registrant of record;
- the registrant has an outstanding payment for a previous registration period;
While ICANN regulates domain transfers via their policies, it is not a registrar and does not engage in the transfer process itself.
For that reason, when having issues transferring a domain name the registrant should always contact their registrar for assistance.
If the issue persists, then the registrant can submit a formal Transfer Complaint with ICANN.
How to protect a domain name from cyber crime
Whether used for business or personal purposes, a domain name is a valuable asset, which should be managed with utmost care.
Here are some practices to help registrants prevent their domains from being hijacked or transferred against their will, as per ICANN’s recommendations:
1. Use an email address not associated with the domain name itself
When providing an email address for the Whois record at signup the registrant should use an email address that is not associated with the domain name they register.
For instance, if their domain name is example.com, it is best to use an address that is not email@example.com.
By maintaining a different email address for the Whois record the registrant will be able to prove ownership in any eventual cases of hijackers having gained control of their domain name.
They will be able to provide that email address as evidence to the registrar that they are the registered holder of the domain name in question before it was altered by unauthorized access to their account.
2. Create a strong password and enable 2FA
Domain owners bear full responsibility for the security of their domain name.
They should create a secure password for their domain name account and use it for that account exclusively.
At Thexyz you can enable two-factor authentication or YubiKey authentication to further secure an account.
Also, they should not share the login details with anyone, including their web designer.
3. Keep a domain name with a transfer lock on
Putting a transfer lock on a domain name is another safety measure a registrant can take against unauthorized transfers or hijacking.
Each registrar has adopted its own way of implementing the transfer lock option.
For instance, our customers can lock/unlock their domains themselves with a clock from the Account Portal, while some registrars will do that for the registrant per request.
4. Beware of incorrect registrant information (for organizations)
As per ICANN’s rules, if a legal entity is listed in the Registrant Organization field of the Whois record then that legal entity is considered the registrant of the domain name.
However, it’s common practice for organizations to have an employee register their domain name and not get the corresponding fields filled in correctly.
The employee may leave the Registrant Organization blank and would include their own name in the registrant name field which automatically turns them into the actual owner of the company’s domain.
This would allow a disgruntled employee to claim rights to the domain and attempt to transfer it away to claim ownership.
This is why organizations should make sure that their legal name is listed in the Registrant Organization field, and that a role-/department-based name is listed in the Registrant Name field.
5. Be careful about domain management roles (for organizations)
Organizations should not list website designers or any other third parties as the registrant(s) of their domain name.
If an organization decides to outsource the management of its domains to a third party it should still be listed as the registrant of the domain.
Otherwise, the third party may decide to transfer the domains away to a different registrar and deprive the organization, its customers, and business partners of use of the domain(s).
If a third party is listed as the domain’s administrative, technical or billing contact for the domain, the organization should take measures to establish a contractual relationship with the third party following a legal consultation.
According to ICANN, it is good practice to include provisions in the contract that concern the assignment of domain management tasks per the organization’s instructions, including transfer requests, domain renewals, name server records update, contact data or domain status update, etc.
Also, the organization should add provisions regarding the operational measures that the administrative and technical contacts should implement to protect their domain name(s) from DDoS attacks against the domain’s name servers or the unauthorized modification or addition of zone records, etc.
Those measures could include filing reports with the corresponding registrar or with law enforcement in the appropriate jurisdictions.
Finally, the agreement should also define the sanctions for situations in which the third party listed as administrative or technical contact violate their domain administration obligations.
What to do in the event of unauthorized domain transfer
If a domain has been transferred to a new registrar/registrant, the registrant should contact their registrar immediately.
If no actions are taken on time the given domain name may be transferred again and again, making it much harder to retrieve it.
The registrar should act in compliance with the ICANN’s Transfer Dispute Resolution Policy, which governs the transfer of domains and is designed to protect the registrant in such situations.
If the registrar is unable or unwilling to assist, then the registrant can submit an Unauthorized Transfer Complaint with ICANN, who will review the situation and assist in recovering your domain, should there be grounds for that.
Good domain management practices allow domain owners to have their online presence uninterrupted and prevent them from losing their domain names due to expiration or hijacking.
Following good practices is essential for companies, since this could help maintain a more secure business environment as well as a safer experience for their customers.
Companies are highly recommended by ICANN to periodically review their domain registrations and include domain name and overall DNS management within their risk management programs.
Here is a list of all ICANN resources that can help you learn more about good domain management practices:
- Registrant’s Benefits and Responsibilities
- Do You Have a Domain Name? Here’s What You Need to Know (Part 1)
- Do You Have a Domain Name? Here’s What You Need to Know (Part 2)
- Do You Have a Domain Name? Here’s What You Need to Know (Part 3)
- Do You Have a Domain Name? Here’s What You Need to Know (Part 4)
- Good Practices for the Registration and Administration of Domain Name Portfolios (Part I)
- Good Practices for the Registration and Administration of Domain Name Portfolios (Part II)
I am renewing my domains for 5+ years after reading this.