Domain Lock and Transfer Protection

Protecting Your Domain from Unauthorized Transfers

Domain lock and transfer protection are essential security features that prevent unauthorized parties from transferring your domain to another registrar without your consent.

What is Domain Lock?

Domain lock (also called transfer lock or registrar lock) is a security feature that prevents your domain from being transferred to another registrar. When enabled, any transfer requests are automatically rejected.

Types of Domain Locks

Client Transfer Prohibited (clientTransferProhibited)

  • Set by your registrar
  • Most common type of lock
  • Can be enabled/disabled through registrar account
  • Standard security feature

Server Transfer Prohibited (serverTransferProhibited)

  • Set by the registry
  • More restrictive than client lock
  • Often used during disputes or legal issues
  • Requires registry intervention to remove

Registry Lock

  • Highest level of protection
  • Available for high-value domains
  • Requires manual verification for any changes
  • Additional cost but maximum security

How Domain Transfer Works

Understanding the transfer process helps you understand what locks prevent:

  1. Domain Unlocked: Owner disables transfer lock
  2. Authorization Code: Owner obtains EPP/auth code
  3. Transfer Initiated: New registrar submits transfer request
  4. Verification: Confirmation email sent to registrant
  5. Approval: Owner approves transfer (or it auto-approves after 5 days)
  6. Completion: Domain moves to new registrar (5-7 days total)

Domain lock stops this process at step 1: while the lock is enabled, transfer requests are rejected and the later steps never happen.

When to Enable Domain Lock

  • Always: For domains you want to keep secure
  • After Registration: Enable immediately after registering
  • After Transfer: Re-enable after completing a legitimate transfer
  • For Critical Domains: Your primary business domains
  • High-Value Domains: Domains worth significant money

When to Disable Domain Lock

  • Transferring Registrars: Must be disabled to transfer
  • Selling Domain: Buyer may require unlock for transfer
  • Changing Management: Moving to different account

Important: Re-enable lock immediately after completing the transfer!

How to Enable/Disable Domain Lock

Through Registrar Account

  1. Log into your registrar account
  2. Navigate to domain management
  3. Select the domain
  4. Find "Transfer Lock" or "Domain Lock" setting
  5. Toggle on (enable) or off (disable)
  6. Confirm the change

Through API

Many registrars offer API access for programmatic lock management:

  • Useful for managing many domains
  • Automate security policies
  • Integrate with monitoring systems
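
A lock audit that a monitoring job could run across many domains, added here as an example (it is not from the original page and uses no registrar's API). It reads the EPP status codes described above from WHOIS-style text. The sample records are constructed, the function names are hypothetical, and the `pendingTransfer` check is an addition beyond the statuses this page names.

```python
import re

# Constructed WHOIS-style records for illustration; the domains are placeholders.
SAMPLE_WHOIS = {
    "example.com": """Domain Name: EXAMPLE.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
""",
    "example.net": """Domain Name: EXAMPLE.NET
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
""",
    "example.org": """Domain Name: EXAMPLE.ORG
Domain Status: ok https://icann.org/epp#ok
""",
    "example.info": """Domain Name: EXAMPLE.INFO
Domain Status: pendingTransfer https://icann.org/epp#pendingTransfer
""",
}

STATUS_LINE = re.compile(r"^[ \t]*(?:Domain )?Status:[ \t]*(.+?)(?:[ \t]+https?://\S+)?[ \t]*$", re.I | re.M)

def parse_statuses(whois_text):
    """Return EPP status codes, lowercased with spaces removed, so WHOIS
    'clientTransferProhibited' and RDAP 'client transfer prohibited' compare equal."""
    return {re.sub(r"\s+", "", s).lower() for s in STATUS_LINE.findall(whois_text)}

def audit(whois_text):
    """Classify who set the transfer lock and list findings for one domain."""
    st = parse_statuses(whois_text)
    client = "clienttransferprohibited" in st   # set by the registrar
    server = "servertransferprohibited" in st   # set by the registry
    findings = []
    if not client and not server:
        findings.append("no transfer lock set")
    if "pendingtransfer" in st:                 # a transfer request is open
        findings.append("transfer in progress")
    level = "registry" if server else "registrar" if client else "none"
    return {"level": level, "findings": findings}

def audit_portfolio(records):
    """Return {domain: audit result} for the domains that need attention."""
    results = {d: audit(t) for d, t in records.items()}
    return {d: r for d, r in results.items() if r["findings"]}

if __name__ == "__main__":
    for domain, result in audit_portfolio(SAMPLE_WHOIS).items():
        print(domain, result["level"], "; ".join(result["findings"]))
```

Feeding the findings into the alerting you already use turns an accidental or unauthorized unlock into a notification instead of a surprise.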

Transfer Protection Features

Authorization Code (EPP Code)

  • Unique code required for transfers
  • Acts as additional verification
  • Should be kept secure
  • Can be regenerated if compromised

Transfer Notification

  • Email alerts when transfer is initiated
  • Allows you to approve or deny
  • Provides time to detect unauthorized attempts
  • Keep contact email current to receive these alerts

Transfer Denial

  • Explicitly reject transfer requests
  • Can be done through registrar account
  • Stops unauthorized transfers
  • Lock remains in place

Additional Transfer Security Measures

WHOIS Privacy

Hides your contact information, making it harder for attackers to:

  • Target you with social engineering
  • Send fake transfer notifications
  • Gather information for attacks

Two-Factor Authentication

Protects your registrar account from unauthorized access:

  • Prevents credential-based attacks
  • Adds layer beyond password
  • Use authentication apps when possible

Account Alerts

Enable notifications for:

  • Lock status changes
  • Transfer attempts
  • Contact information changes
  • Authorization code requests

Common Transfer Attack Methods

Social Engineering

  • Impersonating domain owner
  • Tricking support staff
  • Fake documentation

Email Compromise

  • Hacking registrant email
  • Intercepting transfer confirmations
  • Approving transfers without owner knowledge

Registrar Vulnerabilities

  • Exploiting weak security
  • Insider threats
  • Process manipulation

What to Do If Transfer Lock Fails

If your domain is transferred without authorization:

  1. Contact your registrar immediately
  2. File a transfer dispute
  3. Gather evidence of ownership
  4. Contact the new registrar
  5. Consider legal action
  6. Report to ICANN if necessary

Best Practices Summary

  • ✓ Keep domain lock enabled at all times
  • ✓ Only disable when actively transferring
  • ✓ Re-enable immediately after transfer completes
  • ✓ Use strong authentication on registrar account
  • ✓ Keep contact information current
  • ✓ Monitor for transfer notifications
  • ✓ Protect your authorization codes
  • ✓ Consider registry lock for critical domains