Domain Locking Strategies: Transfer Lock, Registrar Lock, and Registry Lock
Domain locks prevent unauthorized transfers, modifications, and deletions. For domain investors whose portfolio value depends entirely on maintaining registrations, understanding and implementing the right lock level for each domain is essential security hygiene. The three lock levels — ICANN transfer lock, registrar lock, and registry lock — provide progressively stronger protection.
ICANN 60-Day Transfer Lock
The weakest but most universal lock is ICANN’s mandatory 60-day transfer prohibition after new registration, inter-registrar transfer, or registrant (owner) change. During this window, the domain cannot be transferred to a different registrar regardless of other lock settings.
This lock is automatic and cannot be removed. It protects against rapid-fire transfer chains that could be used to obscure domain theft — by the time the lock expires, the legitimate owner has time to discover and report unauthorized changes.
For investors, the 60-day lock mainly affects flipping timelines. A domain acquired through inter-registrar transfer cannot be resold via inter-registrar transfer for 60 days. Push transfers within the same registrar are exempt.
Registrar Lock (Client-Side)
Registrar lock, represented by the EPP status code clientTransferProhibited, is the standard protection that should be enabled on every domain you own. This lock prevents transfer even if someone obtains the EPP authorization code.
Enabling registrar lock at major registrars: Namecheap enables it by default on all registrations and provides a toggle in the domain management panel. Cloudflare enables it by default with no option to disable through the web interface (you must use the API). Porkbun enables it by default with a simple toggle. Dynadot enables it by default with a toggle in domain settings. GoDaddy enables it by default but disabling it is a common step in their transfer process.
Additional client-side locks include clientUpdateProhibited (prevents changes to registrant WHOIS data) and clientDeleteProhibited (prevents domain deletion). These are available at some registrars but not universally offered or enabled by default.
Registry Lock (Server-Side)
Registry lock is the strongest protection available for domain names. Represented by the serverTransferProhibited and serverUpdateProhibited status codes, registry lock is set at the registry level (Verisign for .com) and can only be removed through a manual, multi-step verification process between the registrar and the registry.
The registry lock removal process typically works as follows: the registrar submits a formal request to the registry; the registry contacts a designated security contact (not the standard account contact) for verification; the verification may involve phone calls, secret phrases, or multi-party authorization; and the process takes 24-72 hours, deliberately slow to prevent social engineering.
This deliberate friction is the point. An attacker who compromises your registrar account can remove registrar lock in seconds. Removing registry lock requires compromising a separate verification channel that the attacker likely does not know exists.
When to Use Each Lock Level
All domains: Registrar lock (clientTransferProhibited) enabled. This is the baseline.
Domains valued at $5,000-$10,000: Add clientUpdateProhibited and clientDeleteProhibited if your registrar supports them.
Domains valued above $10,000: Registry lock. The cost is approximately $75/year per domain at Namecheap, with similar pricing at other registrars offering the service. On a $50,000 domain, the $75 annual cost represents 0.15% of the domain’s value — trivial insurance.
Domains valued above $100,000: Registry lock plus dedicated registrar account with hardware security key 2FA, dedicated email address, and no other domains in the account that could be used as social engineering vectors.
Lock Verification
Regularly verify that your domains maintain their expected lock status. Perform an RDAP lookup at lookup.icann.org for each premium domain and confirm the expected status codes are present. If clientTransferProhibited or serverTransferProhibited has been removed without your action, investigate immediately — it may indicate unauthorized access to your registrar account.
Quarterly lock audits across your portfolio take minutes and prevent the scenario where a lock was inadvertently removed during a DNS change or registrar support interaction months ago, leaving the domain exposed.
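A quarterly audit of this kind can be scripted. The following is an added example, not code from the original article: it checks the status array of RDAP domain responses against the lock tiers from "When to Use Each Lock Level". RDAP writes the EPP codes as lowercase phrases (clientTransferProhibited appears as "client transfer prohibited"); the function names, the .example domains and their embedded responses are constructed for illustration, and treating the above-$10,000 tier as baseline plus registry lock is an assumption.

```python
import json

# RDAP status phrases (RFC 8056) for the EPP lock codes named in this article.
BASELINE = {"client transfer prohibited"}
CLIENT_EXTRA = {"client update prohibited", "client delete prohibited"}
REGISTRY_LOCK = {"server transfer prohibited", "server update prohibited"}


def expected_statuses(value_usd):
    """Map a domain's value to the lock tier described in the article."""
    if value_usd > 10_000:
        return BASELINE | REGISTRY_LOCK  # assumption: registry lock adds to the baseline
    if value_usd >= 5_000:
        return BASELINE | CLIENT_EXTRA
    return BASELINE


def missing_locks(rdap_json, value_usd):
    """Return the expected lock statuses absent from one RDAP domain response."""
    record = json.loads(rdap_json)
    present = {s.lower() for s in record.get("status", [])}
    return sorted(expected_statuses(value_usd) - present)


def audit(portfolio):
    """portfolio: {domain: (value_usd, rdap_json)} -> {domain: [missing statuses]}."""
    findings = {}
    for domain, (value, rdap_json) in portfolio.items():
        gaps = missing_locks(rdap_json, value)
        if gaps:
            findings[domain] = gaps
    return findings


# Constructed sample RDAP responses (trimmed to the fields used), not real lookups.
SAMPLE = {
    "cheap.example": (800, '{"ldhName": "cheap.example", "status": ["client transfer prohibited"]}'),
    "mid.example": (7500, '{"ldhName": "mid.example", "status": ["client transfer prohibited", "client update prohibited"]}'),
    "premium.example": (50000, '{"ldhName": "premium.example", "status": ["client transfer prohibited", "server transfer prohibited", "server update prohibited"]}'),
    "exposed.example": (50000, '{"ldhName": "exposed.example", "status": ["active"]}'),
}

if __name__ == "__main__":
    for domain, gaps in audit(SAMPLE).items():
        print(f"{domain}: missing {', '.join(gaps)}")
```

In a real audit the JSON for each domain would come from its RDAP service; any domain that appears in the findings is one to investigate.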
For more on protecting your domains, see domain registrar security guide. To understand EPP status codes, read understanding domain status codes.