Understanding Domain Status Codes: What EPP Status Codes Mean

Every domain name carries a set of EPP (Extensible Provisioning Protocol) status codes that determine what actions can and cannot be performed on it — whether it can be transferred, updated, deleted, or renewed. For domain investors, reading status codes provides critical intelligence about domains you want to acquire and essential security verification for domains you own.

Client-Side Status Codes

Client-side codes are set by the registrar (the “client” in the registrar-registry relationship). You or your registrar can modify these.

ok: The default status when no other locks or restrictions are in place. A domain with only “ok” status can be transferred, updated, and deleted. If you see this on a domain you own, consider enabling a transfer lock.

clientTransferProhibited: The most important status code for domain investors. This registrar lock prevents the domain from being transferred to another registrar, even if someone obtains the EPP authorization code. Every domain in your portfolio should have this enabled. Namecheap, Porkbun, Dynadot, and Cloudflare enable this by default on new registrations.

clientUpdateProhibited: Prevents changes to the domain’s WHOIS/RDAP registrant information. This stops an attacker who gains registrar access from changing the owner name and email to initiate a transfer.

clientDeleteProhibited: Prevents the registrar from deleting the domain registration. Useful for premium domains where accidental deletion would be catastrophic.

clientHold: Removes the domain from DNS, making it unresolvable. Registrars sometimes apply this during disputes or when payment issues arise. If you see this on a domain you own, contact your registrar immediately.

Server-Side Status Codes

Server-side codes are set by the registry (Verisign for .com, for example). Only the registry can modify these, making them a stronger layer of protection.

serverTransferProhibited: The registry-level equivalent of the registrar transfer lock. Applied through registry lock services, this requires manual authorization from the registry itself to remove. Even if an attacker compromises your registrar account and removes the client-side lock, the server-side lock prevents transfer.

serverUpdateProhibited: The registry prevents any changes to the domain record until the server-side lock is manually removed. Combined with serverTransferProhibited, this is the highest security level available for domain names.

serverDeleteProhibited: The registry prevents domain deletion. Part of the premium registry lock package.

serverHold: Applied by the registry, typically during legal disputes, UDRP proceedings, or law enforcement requests. This removes the domain from DNS at the registry level and overrides any client-side DNS configuration.

Status Codes During the Domain Lifecycle

Different status codes appear at different stages of a domain’s life.

Active domain: Typically shows ok or clientTransferProhibited (if the registrar lock is enabled). Premium domains with registry lock also show serverTransferProhibited and serverUpdateProhibited.

Recently registered: May show addPeriod during the 5-day add grace period (during which the registrar can delete the domain for a refund if it was registered by mistake).

Recently transferred: Shows transferPeriod for a brief window after completion. ICANN’s 60-day transfer lock then applies, which is enforced by the registrar refusing to provide a new EPP code rather than through a status code.

Expired domain: Shows redemptionPeriod after the registrar’s grace period ends. During the 30-day redemption period, only the original registrant can restore the domain (typically at a fee of $80-$200). After redemption, the domain enters pendingDelete for 5 days before dropping to general availability.

Using Status Codes for Acquisition Research

When evaluating a domain for potential purchase, check its status codes through an RDAP lookup at lookup.icann.org.

A domain showing only ok status with no transfer locks may belong to a casual registrant who is not actively managing it. This can indicate a potential acquisition opportunity at a reasonable price.

A domain with both client and server transfer locks belongs to an owner who takes security seriously — likely an experienced investor or a business with brand protection awareness. Expect higher price expectations and more sophisticated negotiation.

A domain in redemptionPeriod is one that the current owner has let expire and not renewed during the grace period. If the owner does not restore it within 30 days, it will enter pendingDelete and become available for registration or backordering. This is a key signal for domain investors monitoring specific names.

For more on how locks protect your portfolio, see domain locking strategies. To understand the full expiration process, read domain expiration lifecycle.