Best practice guidelines from ICANN

Guidelines from ICANN on Best Practices for Safeguarding and Administering Your Domain Name

Acquiring a domain name entails more than just registering it and entrusting it to the registrar’s care. It signifies a lasting dedication to safeguarding it against pitfalls such as expiration, unauthorized transfers, and hijacking.

Explore the recommended best practices for effectively managing domain registrations and ensuring their security, as outlined by ICANN.

Maintain current and accurate contact details

During the process of registering a domain name, the individual or entity registering the domain (registrant) is obligated to furnish their contact particulars to the registrar. These details are subsequently made accessible through the WHOIS database, facilitating communication with registrants concerning technical, operational, or security-related matters tied to the domain.

Whether the registrant’s contact information is displayed openly or concealed in the WHOIS database due to privacy measures like active WHOIS protection or GDPR compliance, it is crucial for registrants to ensure the accuracy and currency of this information at all times.

In the absence of up-to-date contact details, registrants risk missing essential notifications about their domain names, such as notifications regarding expiration, transfers, or verification of contact updates in the WHOIS database.

Moreover, in the unfortunate event of a compromised domain, security researchers may be unable to reach out to the registrant. Similarly, potential business partners seeking to establish contact with registrants, especially in the case of companies, could face difficulties.

To address this, ICANN’s Whois Data Reminder policy mandates accredited registrars to send annual email reminders to registrants, prompting them to review and amend their contact information if necessary. Failing to heed this reminder can result in undesirable consequences, including domains being allowed to expire, potentially necessitating arduous efforts and expenses for recovery, or even rendering the domain irrecoverable.

Additionally, disregarding these reminders could lead to missed alerts about unauthorized alterations to domain registrations, inadvertently granting malicious actors access to accounts and enabling domain hijacking.

In cases where a registrant’s contact information remains outdated or they fail to respond to accuracy inquiries from their registrar, the domain in question may be subject to suspension or cancellation as outlined by ICANN’s Whois Accuracy Policy.

To avert such situations, registrants should promptly update their contact information if any changes occur, be it their name, postal address, email, phone number, and so forth.

Remember the regulations governing domain transfers

Each individual who owns a domain has the privilege to transfer it to another registrar or registrant in accordance with the guidelines laid out in ICANN’s Transfer Policy.

To proceed with this, it’s crucial to be aware of certain significant rules set by ICANN:

  1. A domain name cannot be moved to a new registrar or registrant within 60 days of a modification to the registrant or administrative contact details. Hence, it might be wise for a registrant to complete the transfer process prior to making such changes.
  2. Generally, a domain name cannot be transferred within the initial 60 days of its original registration or within 60 days of a previous transfer.
  3. The initiation of a domain transfer is permissible only by the registered name holder or the administrative contact associated with the domain. This serves to prevent unauthorized transfers of a registrant’s domain name.

This underlines the importance of maintaining accurate and updated domain contact information.

Recommended approaches for addressing a domain transfer problem

If a domain owner encounters difficulties during a transfer, they might find the following advice and recommendations helpful in identifying the underlying cause and resolving the issue.

  1. There are several scenarios in which a registrar might be unable to facilitate a domain transfer:
     • The domain name is subject to a 60-day change-of-registrant lock, as previously explained.
     • The transfer request has been initiated within 60 days of the initial registration or a previous transfer.
     • The domain is locked with the current registrar and is in a ‘Registrar Lock’ or ‘Client Transfer Prohibited’ status.
     • The domain is involved in an ongoing Uniform Domain Name Dispute Resolution Policy (UDRP), Transfer Dispute Resolution Policy (TDRP), or Uniform Rapid Suspension (URS) proceeding.
     • The domain is subject to a court order.
  2. Depending on the terms of the registration agreement between the domain owner and the registrar, the registrar might decline a transfer for various reasons:
     • There is a reported instance of fraud.
     • The individual initiating the transfer is not officially listed as the registrant of record.
     • The registrant has an outstanding payment for a previous registration period.

While ICANN sets the regulations for domain transfers through its policies, it does not directly oversee the transfer process. Consequently, if challenges arise during a domain transfer, it’s recommended that the domain owner reaches out to their registrar for assistance.

If the issue persists even after consulting the registrar, the domain owner has the option to submit a formal Transfer Complaint to ICANN.

Ways to Safeguard a Domain Name against Cyber Threats

To safeguard a domain name from cyber threats, whether it’s used for personal or business purposes, it’s essential to manage it with the utmost care. Here are recommended practices by ICANN to assist domain registrants in preventing unauthorized hijacking or transfers:

  1. Utilize a Separate Email Address: When providing an email address for the Whois record during registration, it’s advisable for the registrant to use an email address not directly associated with the domain name itself. For example, if the domain is “example.com,” it’s best to avoid using an email like user@example.com. By maintaining a distinct email address for the Whois record, the registrant can establish ownership in cases where hijackers gain control of the domain. This email address can serve as evidence to the registrar that the registrant was the legitimate domain holder before any unauthorized modifications occurred.
  2. Establish a Strong Password: Domain owners hold the responsibility of securing their domain name. Crafting a robust password for the domain name account is crucial. This password should be unique to the account and not shared with anyone, including web hosting providers or web designers.
  3. Implement a Domain Transfer Lock: Applying a transfer lock to a domain name is an additional precautionary measure to deter unauthorized transfers or hijacking attempts. Different registrars have varying methods of enabling the transfer lock option. For example, our customers can personally lock or unlock domains through the Control Panel. Alternatively, some registrars may implement this on request from the registrant.
  4. Be Cautious of Inaccurate Registrant Information (for Organizations): According to ICANN’s regulations, if a legal entity’s name is listed in the Registrant Organization field of the Whois record, that entity is considered the domain registrant. However, organizations often have employees register domain names without accurately filling in the corresponding fields.

Typically, an employee might choose to leave the Registrant Organization field empty and instead use their own name in the registrant name field. This action automatically designates them as the official registrants of the company’s domain.

Such a scenario could provide an opportunity for a malicious employee to assert ownership over the domain and attempt to transfer it to another location.

To mitigate this risk, organizations should ensure that their legal name is accurately entered in the Registrant Organization field, while a role- or department-specific name is specified in the Registrant Name field.
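Several of the safeguards above (a transfer lock, a registrant email outside the domain, a populated Registrant Organization field, and renewal before expiry) can be checked from a domain's public registration record. The following Python code is an added example, not ICANN's or any registrar's code; it assumes the record is in RDAP JSON form, and the function names, finding labels, 45-day renewal window and sample record are constructed for illustration.

```python
from datetime import datetime, timezone

def vcard_field(entity, name):
    """Return the first value of a jCard property such as 'email' or 'org'."""
    for prop in entity.get("vcardArray", [None, []])[1]:
        if prop[0] == name:
            return prop[3]
    return None

def audit_domain(rdap, today, renew_window_days=45):
    """Audit one RDAP domain object; names and threshold are illustrative."""
    findings = []
    domain = rdap["ldhName"].lower()
    # Transfer lock: RDAP shows EPP clientTransferProhibited with spaces.
    if "client transfer prohibited" not in [s.lower() for s in rdap.get("status", [])]:
        findings.append("no-transfer-lock")
    registrant = next((e for e in rdap.get("entities", [])
                       if "registrant" in e.get("roles", [])), None)
    email = vcard_field(registrant, "email") if registrant else None
    if email is None:
        # Redacted or privacy-protected: check inside the registrar account.
        findings.append("registrant-email-not-visible")
    else:
        host = email.rsplit("@", 1)[-1].lower()
        if host == domain or host.endswith("." + domain):
            findings.append("registrant-email-inside-domain")
    # Organizations only: an empty org field makes the named person registrant.
    if registrant and not vcard_field(registrant, "org"):
        findings.append("registrant-organization-empty")
    for event in rdap.get("events", []):
        if event.get("eventAction") == "expiration":
            expires = datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
            if (expires - today).days < renew_window_days:
                findings.append("expires-soon")
    return findings

# Constructed sample record (not a real registration).
SAMPLE = {
    "ldhName": "example.com",
    "status": ["active"],
    "entities": [{"roles": ["registrant"], "vcardArray": ["vcard", [
        ["version", {}, "text", "4.0"],
        ["fn", {}, "text", "J. Smith"],
        ["email", {}, "text", "admin@mail.example.com"]]]}],
    "events": [{"eventAction": "expiration", "eventDate": "2030-02-01T00:00:00Z"}],
}
TODAY = datetime(2030, 1, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(audit_domain(SAMPLE, TODAY))
```

When the registrant entity is redacted in the public record, the email and organization checks cannot be answered from outside and have to be verified in the registrar account instead.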

Exercise Caution with Domain Management Roles (for Organizations)

Organizations should refrain from listing third parties such as website designers, hosting providers, or any external entities as the registrant(s) of their domain names.

Even if an organization opts to delegate domain management tasks to a third party, it is vital to maintain the organization itself as the official registrant of the domain.

Failure to do so could lead to scenarios where the third party decides to move the domains to a different registrar, depriving the organization, its customers, and business partners of domain usage.

In cases where a third party is designated as the domain’s administrative, technical, or billing contact, the organization should establish a contractual arrangement with the third party following legal consultation.

ICANN advises including contractual clauses that specify the delegation of domain management responsibilities based on the organization’s instructions. These responsibilities encompass tasks like transfer requests, domain renewals, updates to name server records, contact information, or domain status.

Furthermore, the organization should incorporate provisions outlining the operational measures that administrative and technical contacts need to adopt in order to safeguard their domain names against Distributed Denial of Service (DDoS) attacks on the domain’s name servers, or against unauthorized alterations or additions to zone records.

These measures might involve submitting reports to the appropriate registrar or law enforcement agencies in relevant jurisdictions.

Lastly, the agreement should define potential consequences in cases where the third party, listed as an administrative or technical contact, violates their obligations related to domain administration.

What steps to take when faced with an unauthorized domain transfer

If a domain has been transferred to a new registrar or registrant without authorization, the domain owner should promptly get in touch with their registrar.

Failure to take timely action could result in multiple unauthorized transfers of the domain, making its recovery more challenging.

The registrar is expected to adhere to ICANN’s Transfer Dispute Resolution Policy, which regulates domain transfers and is intended to safeguard the rights of the domain owner in such scenarios.

If the registrar is unable or unwilling to provide assistance, the domain owner has the option to file an Unauthorized Transfer Complaint with ICANN. ICANN will then review the situation and offer assistance in recovering the domain if there are valid grounds for doing so.


Adopting effective domain management practices is crucial to maintaining uninterrupted online presence and safeguarding against domain name loss due to expiration or unauthorized transfers.

For businesses, adhering to these practices can contribute to a more secure business environment and enhance the safety of their customers’ experiences.

ICANN strongly recommends that companies periodically review their domain registrations and integrate domain name and overall DNS management into their risk management strategies.