Guide
Domain Security: Expiry, Locks, and WHOIS Privacy
Your domain is the foundation of your email, website, and every DNS-dependent service. Losing it — through expiry, hijacking, or transfer fraud — takes everything down simultaneously. Here's how to protect it.
Your domain is the root of trust for email, your website, APIs, and every DNS record attackers probe. Lose it to expiry or hijack — you lose everything at once. This guide covers expiry, transfer lock, WHOIS exposure, auth codes, and monitoring. Vocabulary: WHOIS, domain expiry. Related reading: infrastructure failure when renewals slip.
Security teams focus on application pentests while the domain expires on a corporate card that expired. Operations owns DNS — but procurement owns the registrar. Bridge that gap with joint accountability.
The three domain security risks
Expiry — accidental non-renewal. Unauthorised transfer — attacker obtains auth code and moves the domain. WHOIS data exposure — personal contact data used for phishing or takeover prep. All three are preventable with process.
Domain expiry — the preventable disaster
Enable auto-renew. Keep a valid payment method on file. Set calendar reminders ahead of registry expiry. Monitor expiry dates — especially portfolios with acquired brands. Read domain expiry infrastructure failure and case notes from domain expiry outages.
Transfer lock — preventing hijacking
Registrar lock blocks outbound transfers without explicit unlock + auth code. Leave lock on unless you are intentionally moving registrars. Verify status in your registrar control panel after any contact change.
WHOIS privacy — protecting your data
Privacy/redaction hides personal addresses and phone numbers from public WHOIS. It reduces phishing risk against domain admins. It is not a substitute for DNS security — but it removes one reconnaissance channel.
Auth codes and transfers
Auth codes (EPP codes) prove transfer intent. Never share them in chat, tickets, or email with unverified parties. Treat them like passwords. If leaked, rotate/regenerate and re-lock the domain.
Social engineering against support desks is common: attacker pretends to be the CEO, rushes a “DNS emergency,” and tries to extract codes. Train support to use out-of-band verification and ticket workflows — never instant messaging.
Monitoring your domain health
Run periodic WHOIS checks for registrar, expiry, lock state, and nameservers. Use DomainPreflight WHOIS for a quick read on risk tier and expiry.
After mergers, verify billing contacts still route to active inboxes. After card renewals, spot-check auto-renew flags. Incident retrospectives from domain expiry outages read like avoidable tragedies — because they are.
Pair registrar hygiene with email DNS reviews: losing a domain invalidates every certificate and mail path simultaneously. No amount of SPF tuning recovers a name someone else registered.
Tool: See expiry, registrar, and risk signals before you get surprised by renewal.
Step by step
FAQ
What is the biggest risk to my domain?
Expiry — it takes down everything simultaneously and is completely preventable with auto-renew enabled.
What is domain transfer lock?
A registrar setting that prevents your domain from being transferred without your explicit authorisation. Enable it and leave it on.
What does WHOIS privacy protect?
Your personal name, address, phone, and email from being publicly visible in WHOIS lookups. Most registrars offer it free.
How do I check my domain expiry date?
Run DomainPreflight WHOIS — shows exact expiry date, registrar, and risk tier.
What is an auth code?
A code required to transfer your domain to another registrar. Keep it private — sharing it enables unauthorised transfers.