Domain Privacy & Security

Protecting your personal information and keeping your domain safe from hijacking and abuse.

What is WHOIS privacy protection?

WHOIS privacy protection (also called domain privacy or proxy registration) replaces your personal contact details in the public WHOIS database with the registrar's or a proxy service's information. This prevents your name, email, address, and phone number from being publicly visible to spammers, scammers, and data harvesters. Most registrars now offer this free of charge following GDPR adoption.

What is domain hijacking and how can I prevent it?

Domain hijacking occurs when an attacker gains unauthorized control of your domain by compromising your registrar account or exploiting weaknesses in the transfer process. To protect yourself, use a strong unique password and two-factor authentication on your registrar account, enable registrar lock (also called transfer lock), and keep your contact email secure so you receive domain-related alerts.

What is registrar lock and should I enable it?

Registrar lock (also called transfer lock or EPP status 'clientTransferProhibited') prevents your domain from being transferred to another registrar without your explicit action to unlock it first. It is strongly recommended to keep this enabled at all times unless you are actively initiating a transfer. Most registrars enable this by default.

What is two-factor authentication (2FA) for domain accounts?

Two-factor authentication (2FA) adds a second verification step — such as a code from an authenticator app or SMS — beyond your password when logging into your registrar account. Because domains are high-value targets, enabling 2FA is one of the most effective ways to prevent unauthorized access even if your password is compromised. Use an authenticator app rather than SMS where possible for stronger security.

What is SSL/TLS and do I need it for my domain?

SSL/TLS (Secure Sockets Layer / Transport Layer Security) is a protocol that encrypts traffic between a visitor's browser and your web server, shown as 'https://' and a padlock icon. It is essential for all websites today — browsers mark http:// sites as 'Not Secure', and search engines favor HTTPS in rankings. Free certificates are available from Let's Encrypt and are often provided automatically by hosting platforms.

What is GDPR and how does it affect WHOIS?

The EU General Data Protection Regulation (GDPR), which took effect in May 2018, requires that personal data be collected and processed lawfully and transparently. Because the public WHOIS database exposed registrant names, email addresses, phone numbers, and postal addresses, it conflicted directly with GDPR requirements. As a result, most registrars now redact personal contact data from public WHOIS by default, replacing it with anonymized or proxy information. ICANN's RDAP system is gradually introducing tiered access so legitimate parties can still request registrant data.

What is domain fraud and phishing using lookalike domains?

Lookalike domain fraud involves registering domain names that closely resemble legitimate brands — for example, 'paypa1.com' (with the digit 1 replacing the letter l) or 'amazon-support.net' — to deceive users into entering credentials or payment details. Attackers use these domains for phishing emails, fake login pages, and fraudulent customer support sites. Brands can monitor for lookalike registrations through services like DomainTools or Passive DNS, and can file UDRP complaints or abuse reports to shut them down.

What is typosquatting?

Typosquatting is a form of cybersquatting where an attacker registers domains that are common misspellings or typographical errors of popular brand names — such as 'gooogle.com' or 'amazom.com'. Users who accidentally type the wrong URL may land on sites serving ads, malware, or phishing pages. Brands defend against typosquatting by registering the most likely typo variants themselves, and by filing UDRP complaints against malicious typosquatters.
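The monitoring side of the two questions above (lookalike and typo domains) can be automated. The script below is an added example, not code from this page or from any monitoring vendor: it folds a newly observed domain through a small confusable-glyph table and then checks it against a brand list for homoglyph, embedded-brand and single-typo matches. The confusable table, brand list and observed domains are constructed sample data; a production deployment would use a full confusables table and feed it from new-registration or passive-DNS data.

```python
"""Lookalike-domain classifier for brand monitoring (added example, constructed data)."""
import unicodedata

# Constructed, deliberately small table of glyph substitutions; a real one would
# be far larger (e.g. the Unicode confusables list). Longest keys are applied
# first so 'rn' collapses to 'm' before single characters are touched.
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
}

# Brand keyword -> the organisation's genuine registered domain (constructed).
BRANDS = {
    "paypal": "paypal.com",
    "amazon": "amazon.com",
    "google": "google.com",
    "microsoft": "microsoft.com",
}

# Constructed feed of newly observed domains to triage.
OBSERVED = [
    "paypa1.com", "amazon-support.net", "gooogle.com", "amazom.com",
    "rnicrosoft.com", "paypal.com", "example.org",
]


def fold(label: str) -> str:
    """Canonicalise a label so visually similar spellings compare equal."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(c for c in label if not unicodedata.combining(c))  # drop accents
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, brands=BRANDS, max_typo_distance: int = 1):
    """Return (category, brand) for a match, or None if the domain resembles no brand.

    Categories, checked in order: legitimate (the brand's own domain),
    tld-variant (same label under another TLD), homoglyph (equal after
    folding, e.g. paypa1 -> paypal), brand-combo (brand embedded, e.g.
    amazon-support) and typo (within max_typo_distance edits).
    """
    domain = domain.lower().rstrip(".")
    sld = domain.split(".")[0]
    folded = fold(sld)
    for brand, legit in brands.items():
        if domain == legit:
            return ("legitimate", brand)
    for brand in brands:
        b = fold(brand)
        if sld == brand:
            return ("tld-variant", brand)
        if folded == b:
            return ("homoglyph", brand)
        if b in folded:  # very short brand names need an allowlist to avoid noise here
            return ("brand-combo", brand)
        if levenshtein(folded, b) <= max_typo_distance:
            return ("typo", brand)
    return None


def scan(domains=OBSERVED):
    """Triage a feed: return (domain, category, brand) for everything not legitimate."""
    hits = []
    for d in domains:
        result = classify(d)
        if result and result[0] != "legitimate":
            hits.append((d, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for hit in scan():
        print("%-22s %-12s %s" % hit)
```

The output of scan() is what an analyst would review before deciding between a UDRP complaint, an abuse report, or a defensive registration; the category tells them which of the page's cases they are looking at.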

What is domain slamming?

Domain slamming is a deceptive practice where a company sends a domain owner an official-looking notice — often disguised as a renewal invoice or expiry warning — to trick them into transferring their domain to a different (usually more expensive) registrar without realizing it. The notice is typically mailed or emailed shortly after registration when WHOIS data is still public. Always verify any domain-related invoice through your registrar's official website or control panel before taking action.

How do I protect against DNS cache poisoning?

DNS cache poisoning (also called DNS spoofing) is an attack where an attacker injects forged DNS records into a caching resolver's cache, redirecting users to attacker-controlled servers. The primary defense is DNSSEC, which cryptographically signs DNS records so validating resolvers can detect tampered responses. Using a trusted, DNSSEC-validating resolver (such as Cloudflare 1.1.1.1 or Google 8.8.8.8) and enabling DNSSEC on your own domain significantly reduce the risk.

What is a domain takedown?

A domain takedown is the process of suspending or removing a domain from the DNS — making it unreachable — because it is being used for malicious purposes such as phishing, malware distribution, or spam. Takedowns are carried out by registrars, registries, or law enforcement following abuse reports, court orders, or ICANN enforcement actions. A suspended domain typically shows an NXDOMAIN (non-existent) response or is redirected to a sinkhole server for forensic analysis.

What is RDAP and how is it different from WHOIS?

RDAP (Registration Data Access Protocol) is the modern, standardized replacement for the legacy WHOIS protocol. Unlike WHOIS, which returns unstructured plain text over port 43, RDAP delivers structured JSON responses over HTTPS, making it machine-readable and easier to parse programmatically. RDAP also supports tiered access — different levels of data are returned based on who is querying — which is essential for GDPR compliance. ICANN mandated that all gTLD registries support RDAP.

What are EPP status codes?

EPP (Extensible Provisioning Protocol) status codes are labels applied to a domain by the registry or registrar that describe what operations are currently allowed or prohibited. Common codes include 'clientTransferProhibited' (transfer lock enabled by registrar), 'clientDeleteProhibited' (deletion locked), 'serverHold' (domain suspended by registry), and 'pendingTransfer' (transfer in progress). You can view a domain's current EPP status via WHOIS or RDAP lookup.

What is serverHold vs clientHold?

Both serverHold and clientHold are EPP status codes that suspend a domain's DNS resolution, making the domain unreachable. The difference is who applied the hold: clientHold is set by the registrar (for example, when payment fails or an account is suspended), while serverHold is set by the registry (for example, due to an ICANN enforcement action, abuse complaint, or legal dispute). Removing serverHold typically requires contacting the registry and resolving the underlying issue.
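The registrar-lock, EPP-status and hold questions above all come down to reading one field of an RDAP response. The script below is an added example, not code from this page or from any registrar's tooling: it parses an RDAP domain document, maps the RDAP status strings back to the EPP code names the page uses (RFC 8056 defines that mapping, e.g. clientTransferProhibited is 'client transfer prohibited' in RDAP), and reports whether the locks a registrant should expect are present. The two RDAP documents are constructed samples; a real audit would fetch the registry's RDAP endpoint (or a bootstrap service such as rdap.org) and pass the response body to audit(). The secureDNS.delegationSigned flag, also part of the RDAP domain object, is used to note whether the delegation is DNSSEC-signed.

```python
"""Audit a domain's lock and hold state from an RDAP response (added example, constructed data)."""
import json

# RFC 8056 EPP -> RDAP status names; subset relevant to registrant safety.
EPP_TO_RDAP = {
    "clientTransferProhibited": "client transfer prohibited",
    "clientDeleteProhibited": "client delete prohibited",
    "clientUpdateProhibited": "client update prohibited",
    "serverTransferProhibited": "server transfer prohibited",
    "clientHold": "client hold",
    "serverHold": "server hold",
    "pendingTransfer": "pending transfer",
}
RDAP_TO_EPP = {v: k for k, v in EPP_TO_RDAP.items()}

# Constructed: a domain with registrar locks in place but no DNSSEC.
SAMPLE_LOCKED = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example.com",
    "status": ["client transfer prohibited", "client delete prohibited", "active"],
    "secureDNS": {"delegationSigned": False},
})

# Constructed: a domain that has lost its lock, is on registry hold and is mid-transfer.
SAMPLE_AT_RISK = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example.net",
    "status": ["server hold", "pending transfer"],
    "secureDNS": {"delegationSigned": True},
})


def epp_codes(rdap: dict) -> list:
    """Translate the RDAP status array back to EPP code names; unknown values pass through."""
    return [RDAP_TO_EPP.get(s.lower(), s) for s in rdap.get("status", [])]


def audit(rdap_json: str) -> dict:
    """Summarise the protections a registrant should expect and list warnings."""
    rdap = json.loads(rdap_json)
    codes = set(epp_codes(rdap))
    hold = next((c for c in ("serverHold", "clientHold") if c in codes), None)
    report = {
        "domain": rdap.get("ldhName", "").lower(),
        "epp_status": sorted(codes),
        "transfer_locked": bool(codes & {"clientTransferProhibited", "serverTransferProhibited"}),
        "delete_locked": "clientDeleteProhibited" in codes,
        "hold": hold,
        "transfer_pending": "pendingTransfer" in codes,
        "dnssec": bool(rdap.get("secureDNS", {}).get("delegationSigned")),
        "warnings": [],
    }
    if not report["transfer_locked"]:
        report["warnings"].append("no transfer lock: re-enable registrar lock")
    if hold:
        report["warnings"].append("%s set: DNS will not resolve until it is cleared" % hold)
    if report["transfer_pending"]:
        report["warnings"].append("transfer pending: confirm you initiated it")
    if not report["dnssec"]:
        report["warnings"].append("delegation not DNSSEC-signed")
    return report


if __name__ == "__main__":
    for doc in (SAMPLE_LOCKED, SAMPLE_AT_RISK):
        r = audit(doc)
        print(r["domain"], r["epp_status"], *r["warnings"], sep="\n  ")
```

Run on a schedule, a non-empty warnings list for a domain that was clean yesterday is the earliest signal of the hijacking scenario the page describes: the lock disappears and a transfer appears before any visible DNS change.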

How do I set up SPF records for email authentication?

SPF (Sender Policy Framework) is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of your domain. To set one up, add a TXT record to your domain's DNS: 'v=spf1 include:_spf.google.com ~all' (adjust for your mail provider). The '~all' qualifier means emails from unauthorized servers are soft-failed, while '-all' causes hard rejection. SPF alone is not sufficient — combine it with DKIM and DMARC for full email authentication coverage.

What is DKIM and how does it work with domains?

DKIM (DomainKeys Identified Mail) is an email authentication method that uses public-key cryptography to sign outgoing messages. Your email server attaches a digital signature to each message using a private key, and the corresponding public key is published in a DNS TXT record (e.g., 'selector._domainkey.example.com'). Receiving mail servers verify the signature against the public key to confirm the message was not altered in transit and genuinely originates from your domain. DKIM is required for effective DMARC enforcement.

What is DMARC and why is it important?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email policy protocol that builds on SPF and DKIM. It tells receiving mail servers what to do when a message fails authentication checks — options are 'none' (monitor), 'quarantine' (send to spam), or 'reject' (block entirely). DMARC also enables aggregate and forensic reporting so domain owners can see who is sending email on their behalf. Without DMARC, attackers can freely spoof your domain in phishing emails even if SPF and DKIM are configured.
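The three records described in the SPF, DKIM and DMARC questions above share simple text syntaxes, and most real-world weaknesses (a permissive 'all', a p=none policy with no reporting, a DKIM key with an empty p= tag) are visible from the records alone. The script below is an added example, not code from this page or from any mail provider: it parses the three record types and grades them. The record strings are constructed samples (the DKIM public key is a placeholder, not a real key); in use you would fetch the TXT records with a DNS library and pass the strings to assess(). Only the top-level SPF record is inspected, so the DNS-lookup count does not recurse into include: targets.

```python
"""Parse SPF, DKIM and DMARC TXT records and grade the domain's posture (added example)."""

SAMPLE_SPF = "v=spf1 include:_spf.google.com ~all"               # the page's own example record
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=CONSTRUCTED_BASE64_PUBLIC_KEY"   # constructed, not a real key
SAMPLE_DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
SAMPLE_DMARC_ENFORCE = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"

# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def parse_tags(record: str) -> dict:
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def parse_spf(record: str) -> dict:
    """Split an SPF record into mechanisms, modifiers, the 'all' qualifier and lookup count."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, modifiers, all_qualifier = [], {}, None
    for term in terms[1:]:
        if "=" in term:                       # modifiers (redirect=, exp=) use '='
            k, v = term.split("=", 1)
            modifiers[k.lower()] = v
            continue
        qualifier = "+"                       # mechanisms default to pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            all_qualifier = qualifier
        mechanisms.append((qualifier, name, value))
    lookups = sum(1 for m in mechanisms if m[1] in LOOKUP_MECHANISMS) + ("redirect" in modifiers)
    return {"mechanisms": mechanisms, "modifiers": modifiers, "all": all_qualifier, "lookups": lookups}


def assess(spf: str, dkim: str, dmarc: str) -> list:
    """Return (code, detail) findings; an empty list means no concerns found."""
    findings = []
    s = parse_spf(spf)
    if s["all"] is None:
        findings.append(("SPF_NO_ALL", "no 'all' mechanism: unlisted senders get a neutral result"))
    elif s["all"] in "+?":
        findings.append(("SPF_PERMISSIVE", "'%sall' lets any host pass or be neutral" % s["all"]))
    elif s["all"] == "~":
        findings.append(("SPF_SOFTFAIL", "'~all' soft-fails spoofed mail; '-all' is stricter"))
    if s["lookups"] > 10:
        findings.append(("SPF_TOO_MANY_LOOKUPS", "%d lookup terms exceed the limit of 10" % s["lookups"]))
    k = parse_tags(dkim)                      # v= is optional in DKIM key records
    if k.get("v", "DKIM1").upper() != "DKIM1" or not k.get("p"):
        findings.append(("DKIM_KEY_INVALID", "missing or revoked public key (empty p=)"))
    d = parse_tags(dmarc)
    if d.get("v", "").upper() != "DMARC1":
        findings.append(("DMARC_MISSING", "no valid DMARC record"))
    else:
        if d.get("p", "none") == "none":
            findings.append(("DMARC_MONITOR_ONLY", "p=none: failures are reported but still delivered"))
        if "rua" not in d:
            findings.append(("DMARC_NO_REPORTS", "no rua= address: you will not see who spoofs you"))
        if int(d.get("pct", "100")) < 100:
            findings.append(("DMARC_PARTIAL", "pct=%s applies the policy to a sample only" % d["pct"]))
    return findings


if __name__ == "__main__":
    for code, detail in assess(SAMPLE_SPF, SAMPLE_DKIM, SAMPLE_DMARC_MONITOR):
        print(code, "-", detail)
```

With the page's own SPF record and a p=none DMARC policy the assessment reports SPF_SOFTFAIL and DMARC_MONITOR_ONLY; tightening to '-all' and p=reject clears both, which is the progression the DMARC question describes.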

What is a wildcard SSL certificate?

A wildcard SSL certificate secures a domain and all of its first-level subdomains with a single certificate — for example, a certificate for '*.example.com' covers www.example.com, shop.example.com, and api.example.com, but not sub.sub.example.com. Wildcard certificates simplify certificate management for organizations with many subdomains and are available as DV (domain validated) or OV (organization validated). They are not available as EV certificates.

What is HSTS and how does it relate to domains?

HSTS (HTTP Strict Transport Security) is a web security policy mechanism that instructs browsers to only communicate with a site over HTTPS, even if the user types 'http://' or clicks an HTTP link. The policy is delivered via a response header ('Strict-Transport-Security') and can be preloaded into browsers through the HSTS preload list — making HTTPS mandatory for your domain before a user ever visits. HSTS protects against SSL-stripping attacks and requires a valid SSL certificate to function correctly.
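A quick way to see whether a domain's HSTS header actually delivers the protection described above, and whether it would be accepted for preloading, is to parse the header and check its directives. The script below is an added example, not code from this page or from the preload list operators; the header strings are constructed, and in practice you would read the header from an HTTPS response to your own domain. Only the header-level preload requirements are checked (max-age of at least one year, includeSubDomains, preload); the preload list also requires the header to be served on the HTTPS site with an http-to-https redirect, which a single header cannot prove.

```python
"""Check a Strict-Transport-Security header against HSTS preload rules (added example)."""

ONE_YEAR = 31536000  # seconds; the preload list's minimum max-age


def parse_hsts(header: str) -> dict:
    """Parse directives case-insensitively; max-age may be a quoted string per RFC 6797."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def evaluate(header: str) -> dict:
    """Return the parsed policy plus 'active', 'preload_ready' and a list of issues."""
    p = parse_hsts(header)
    issues = []
    if p["max_age"] is None:
        issues.append("max-age missing: browsers ignore the header")
    elif p["max_age"] == 0:
        issues.append("max-age=0 removes the policy from the browser")
    elif p["max_age"] < ONE_YEAR:
        issues.append("max-age below one year; preload requires >= %d" % ONE_YEAR)
    if not p["include_subdomains"]:
        issues.append("includeSubDomains absent: subdomains stay exposed to SSL stripping")
    if not p["preload"]:
        issues.append("preload directive absent: preload list submission will be refused")
    p["active"] = bool(p["max_age"])       # a zero or missing max-age enforces nothing
    p["preload_ready"] = not issues
    p["issues"] = issues
    return p


if __name__ == "__main__":
    for h in ("max-age=31536000; includeSubDomains; preload", "max-age=300", "max-age=0"):
        r = evaluate(h)
        print(h, "->", "preload-ready" if r["preload_ready"] else r["issues"])
```

Note the asymmetry the evaluation captures: a short max-age still enables HSTS for that window, but a max-age of 0 is how a site withdraws the policy, so an unexpected max-age=0 on your own domain is worth treating as a configuration regression.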

How do I detect if my domain has been compromised?

Signs that your domain may have been compromised include unexpected changes to DNS records (check your DNS settings and run a WHOIS lookup), SSL certificate alerts from Certificate Transparency logs, login notifications from an unfamiliar location, email bounce-backs suggesting your MX records changed, or your site being flagged by Google Safe Browsing. Monitor your domain proactively by setting up DNS change alerts through your DNS provider, subscribing to CT log monitoring services like crt.sh, and enabling account activity notifications at your registrar.

What is certificate transparency (CT) logging?

Certificate Transparency (CT) is an open framework that requires certificate authorities to publish every SSL/TLS certificate they issue to publicly auditable logs. This allows domain owners, security researchers, and browsers to detect certificates issued without the domain owner's knowledge — such as those created through a compromised CA or domain hijack. Tools like crt.sh let you search CT logs for all certificates ever issued for your domain, giving you early warning of unauthorized issuance.
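The CT monitoring suggested in the two questions above (watching crt.sh for unexpected issuance) is simple to automate once the search results are in hand. The script below is an added example, not code from this page or from crt.sh: it triages a list of certificate entries against an inventory of hostnames you operate and the CA you actually use, and remembers which entries it has already reviewed. The JSON is a constructed sample whose field names mirror crt.sh's JSON output (a query such as https://crt.sh/?q=%25.example.com&output=json returns a list of objects with 'id', 'issuer_name', 'common_name', 'name_value', 'not_before' and 'not_after'); the hostname inventory, issuer allowlist and already-seen ids are also constructed.

```python
"""Triage Certificate Transparency search results for a domain you own (added example)."""
import json

# Constructed sample in crt.sh's JSON shape; name_value holds newline-separated SANs.
SAMPLE_CRTSH = json.dumps([
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com", "name_value": "example.com\nwww.example.com",
     "not_before": "2025-01-10T00:00:00", "not_after": "2025-04-10T00:00:00"},
    {"id": 1002, "issuer_name": "C=XX, O=Constructed Unknown CA, CN=Unknown CA 1",
     "common_name": "login.example.com", "name_value": "login.example.com",
     "not_before": "2025-02-01T00:00:00", "not_after": "2026-02-01T00:00:00"},
    {"id": 1003, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "api.example.com", "name_value": "api.example.com",
     "not_before": "2025-02-03T00:00:00", "not_after": "2025-05-04T00:00:00"},
])

# Constructed inventory: hostnames you serve and the CA organisation you use.
KNOWN_HOSTS = frozenset({"example.com", "www.example.com", "api.example.com"})
ALLOWED_ISSUER_ORGS = ("O=Let's Encrypt",)


def names_in(entry: dict) -> set:
    """Collect every hostname a certificate covers (SANs plus the CN, lower-cased)."""
    names = {n.strip().lower() for n in entry.get("name_value", "").split("\n")}
    names.add(entry.get("common_name", "").lower())
    return {n for n in names if n}


def review(crtsh_json: str, known_hosts, allowed_issuer_orgs, seen_ids: set) -> list:
    """Return alerts for entries not seen before; seen_ids is updated in place so
    repeated runs only surface new issuance."""
    alerts = []
    for entry in json.loads(crtsh_json):
        if entry["id"] in seen_ids:
            continue
        seen_ids.add(entry["id"])
        if not any(org in entry["issuer_name"] for org in allowed_issuer_orgs):
            alerts.append(("unexpected-issuer", entry["id"], entry["issuer_name"]))
        unknown = names_in(entry) - set(known_hosts)
        if unknown:
            alerts.append(("unknown-hostname", entry["id"], sorted(unknown)))
    return alerts


if __name__ == "__main__":
    seen = {1001}                      # ids reviewed on a previous run (constructed)
    for alert in review(SAMPLE_CRTSH, KNOWN_HOSTS, ALLOWED_ISSUER_ORGS, seen):
        print(*alert)
```

In the sample, entry 1002 trips both checks (a CA you do not use, for a hostname you do not run), which is exactly the pattern of a certificate obtained after a DNS or registrar compromise. A wildcard entry such as '*.example.com' would show up as an unknown hostname unless you add it to the inventory, which is the intended behaviour: a wildcard you did not request deserves a look.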

What are domain abuse complaints?

Domain abuse complaints are formal reports submitted to registrars or registries alleging that a domain is being used for malicious purposes — such as phishing, malware distribution, spam, or illegal content. Registrars are required by ICANN to provide an abuse contact and to investigate credible complaints. Depending on the severity, the registrar may suspend the domain, update DNS records, or report the case to law enforcement. You can submit abuse reports through the registrar's website or via ICANN's complaint portal.

What is a domain blocklist or blacklist?

A domain blocklist (also called a blacklist or DNS blocklist) is a database of domain names or IP addresses identified as sources of spam, phishing, malware, or other abuse. Mail servers check these lists (such as Spamhaus DBL or SURBL) to decide whether to reject or quarantine messages. If your domain is blocklisted, email delivery will be severely affected. You can check your domain's status using tools like MXToolbox and request delisting once the underlying abuse issue is resolved.

How do I recover a stolen domain?

Recovering a stolen domain requires acting quickly. First, contact your registrar's support team immediately — most registrars have emergency procedures for hijacking incidents and can place an emergency hold to prevent further transfers. Gather evidence of your ownership (registration confirmations, payment receipts, historical WHOIS data). If the domain was already transferred, file a UDRP complaint or contact the gaining registrar directly. In cases involving fraud or a US-based attacker, you can also seek assistance from law enforcement under the ACPA.

What is the difference between DV, OV, and EV SSL certificates?

SSL/TLS certificates come in three validation levels. Domain Validation (DV) certificates verify only that the applicant controls the domain — they are fast to obtain (minutes) and inexpensive, but provide no information about the organization behind the site. Organization Validation (OV) certificates additionally verify the organization's legal identity. Extended Validation (EV) certificates require the most rigorous vetting and formerly showed a green address bar in browsers, though modern browsers have de-emphasized EV visual indicators. For most websites, DV certificates from Let's Encrypt are sufficient.