Don’t Lose Your Dot-Com: A Small-Business Guide to Preventing Domain Name Theft

Your domain name is the front door to your business. If an attacker gets into your registrar account or fraudulently pushes through a transfer, they can take control of your web and email presence. ICANN recommends contacting your registrar immediately and keeping documentation to prove rightful control in any recovery, so prevention and good records are critical.

The five controls that stop most domain theft

  1. Harden the registrar account (MFA + strong password)
    Use a unique, strong password and turn on multi-factor authentication for your registrar login and the email addresses tied to it. Government guidance consistently emphasizes MFA as a baseline control for account compromise.

  2. Use a contact email that isn’t on the domain you’re protecting
    Don’t use a mailbox on the domain you’re protecting as the registrant/admin contact. If your domain is compromised, the attacker can change those inboxes and block recovery. ICANN explicitly advises registering with an email address not connected to the domain.

  3. Turn on “Transfer Lock” (a.k.a. clientTransferProhibited)
    Enable the registrar-level lock so the domain can’t be transferred without your approval. In EPP status terms this is the clientTransferProhibited code; ICANN documents these codes and what they mean.

  4. Add Registry Lock for mission-critical domains (if your TLD supports it)
    Registry Lock adds server-level protections (e.g., serverTransferProhibited, serverUpdateProhibited, serverDeleteProhibited) that require out-of-band verification before any change. Many registries offer Registry Lock as a security service for high-value names.

  5. Enable DNSSEC to prevent DNS tampering (separate but related)
    DNSSEC doesn’t stop a registrar transfer, but it does help prevent attackers from forging DNS answers if they compromise part of the path. CISA recommends DNSSEC and complementary controls for protecting public-facing DNS infrastructure.

Keep ownership durable

  • Know the new transfer rules: ICANN’s policy work standardized the Transfer Authorization Code (TAC) with a registry-enforced 14-day time-to-live—reducing risk from long-lived codes. Treat TACs like passwords.

  • Mind your EPP statuses: Check your domain’s RDAP/WHOIS to confirm the expected “client” (registrar) and, if applicable, “server” (registry) locks are set. ICANN’s EPP status guide explains each code.

  • Keep contacts accurate: ICANN requires registrars to send renewal reminders before expiration; you’ll only get them if your contact data is correct.

  • Auto-renew and calendar renewals: Expired names can enter auto-renew and redemption windows with varying rules; avoid the risk by renewing early and enabling auto-renew.
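
An added example (not from the original article): one way to script the "Mind your EPP statuses" check against an RDAP domain response, also flagging an unsigned delegation and a near expiry. The embedded response for example.com is constructed, and the function names and the 45-day renewal threshold are assumptions; RDAP reports EPP codes as spaced lowercase words (RFC 8056).

```python
import json
from datetime import datetime, timezone

# Constructed sample RDAP domain object (RFC 9083 shape); all values are made up.
SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "example.com",
  "status": ["client transfer prohibited", "client update prohibited"],
  "events": [
    {"eventAction": "registration", "eventDate": "2015-03-01T12:00:00Z"},
    {"eventAction": "expiration", "eventDate": "2026-03-01T12:00:00Z"}
  ],
  "secureDNS": {"delegationSigned": false}
}
""")

REGISTRAR_LOCK = "clientTransferProhibited"
REGISTRY_LOCKS = ["serverTransferProhibited", "serverUpdateProhibited",
                  "serverDeleteProhibited"]

def epp_to_rdap(code):
    """clientTransferProhibited -> 'client transfer prohibited' (RFC 8056)."""
    return "".join(" " + c.lower() if c.isupper() else c for c in code)

def audit(rdap, now, renew_warn_days=45):  # threshold is an assumption
    """Return a list of findings for one RDAP domain object."""
    statuses = {s.lower() for s in rdap.get("status", [])}
    findings = []
    if epp_to_rdap(REGISTRAR_LOCK) not in statuses:
        findings.append("transfer lock (clientTransferProhibited) is NOT set")
    missing = [c for c in REGISTRY_LOCKS if epp_to_rdap(c) not in statuses]
    if missing:  # informational unless the name is mission-critical
        findings.append("registry lock statuses absent: " + ", ".join(missing))
    if not rdap.get("secureDNS", {}).get("delegationSigned", False):
        findings.append("DNSSEC: delegation is not signed")
    expiry = [e["eventDate"] for e in rdap.get("events", [])
              if e.get("eventAction") == "expiration"]
    if not expiry:
        findings.append("no expiration event published")
    else:
        exp = datetime.fromisoformat(expiry[0].replace("Z", "+00:00"))
        days = (exp - now).days
        if days < renew_warn_days:
            findings.append(f"expires in {days} days")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RDAP, datetime.now(timezone.utc)):
        print(f"{SAMPLE_RDAP['ldhName']}: {finding}")
```

Run it on the JSON your registrar's or registry's RDAP service returns for your domain, and keep the dated output with your ownership records.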

Quick setup checklist (copy/paste)

  • Registrar login: unique password; MFA/hardware key enabled. (Source: CISA)

  • Registrant/Admin/Tech email: external to the domain (e.g., a long-lived mailbox you control). (Source: ICANN)

  • Domain statuses: clientTransferProhibited on; consider clientUpdateProhibited/clientDeleteProhibited if offered. (Source: ICANN)

  • Registry Lock: request for core domains if your TLD supports it. (Source: itp.cdn.icann.org)

  • DNSSEC: enable and validate. (Source: CISA)

  • Renewals: enable auto-renew; verify reminder emails arrive; set an owner calendar reminder. (Source: ICANN)

  • Records: keep invoices, prior WHOIS/RDAP snapshots, and proof of use; this supports recovery if ever needed. (Source: ICANN)

If you suspect hijacking

Act immediately: contact your registrar’s support and abuse channels; gather proof of prior control; and escalate via the registrar and registry if necessary. ICANN documents dispute avenues (e.g., Transfer Dispute Resolution Policy) for registrar-to-registrar transfer issues.

How CreaTech Innovations can help

We can review your domain portfolio, turn on the right locks, enable DNSSEC where supported, and document a recovery plan. We’re vendor-neutral and local to Southwest Ohio. Call (937) 556-4123 or request a consult on our site.
