MoveMyDomains Guides

How Do You Secure a Domain? Transfer Locks, DNSSEC, and Expiry Protection

Domain security for a business comes down to five switches: the transfer lock (blocks unauthorized moves), DNSSEC (blocks forged DNS answers), WHOIS privacy (keeps your contact details out of scraper databases), 2FA on the registrar account (protects the control panel everything else depends on), and expiry protection (auto-renew plus a monitored payment method). Most businesses have two of the five turned on and don't know which two.

Your domain is the one asset your entire online business hangs from — website, email, every login verification that flows through that email. Yet it's usually the least protected thing a company owns, because it was set up once, years ago, by whoever was around. Here's what each protection actually does, in plain terms, and the honest priority order.

What does a transfer lock do?

The transfer lock (you'll see it as "registrar lock" or the status clientTransferProhibited) tells the registry to refuse transfer requests for your domain until you explicitly unlock it in your registrar account. It's the deadbolt: a thief who somehow obtained your auth code still can't move the domain while the lock is on.

It should be on for every domain you own, every day you're not actively transferring it. The only time it comes off is deliberately, briefly, during a move you initiated — which is exactly how the no-downtime transfer process handles it. For high-value domains, some registrars and registries also offer a stronger registry lock, where changes require out-of-band verification; if one domain carries your whole business, ask about it.

What does DNSSEC actually protect against?

DNS was designed in an era of trust: when a resolver asks where your domain points, it believes whatever answer arrives. DNSSEC adds cryptographic signatures to your DNS records so resolvers can verify the answer actually came from your zone and wasn't forged in transit — closing off cache-poisoning attacks that can silently redirect your visitors or mail to an attacker's server.

The historical objection was operational: key management was fiddly, and some registrars charged for it or didn't support it. That objection is dead at modern providers — Cloudflare includes DNSSEC free and enables it in one click. If your current registrar makes DNSSEC hard or paid, that's data about the registrar.

Do you still need WHOIS privacy?

Yes, but for a mundane reason: spam and social engineering, not anonymity. Public registration records get scraped industrially, and exposed registrant emails become targets for fake renewal notices — invoices from companies you've never used, hoping you'll pay reflexively or click through and hand over credentials. Privacy protection masks your details in the public record without affecting your ownership one bit.

The pricing history matters here: privacy has often been sold as a paid add-on at retail registrars, at several dollars per domain per year. At-cost providers include it free — one more line in the real cost of staying put.

Why is the registrar account itself the real target?

Because every other protection is a setting inside it. Whoever logs into your registrar account can unlock, transfer, or repoint every domain you own. Real-world domain theft overwhelmingly starts here — a phished password, a reused credential from some breached service, or a compromised email inbox that can approve password resets. So:

How do domains actually get lost? (Hint: nobody hacks anything)

The most common domain disaster isn't theft. It's expiry. A card expires, the renewal notice goes to a dead inbox, and thirty-odd days later a brand domain is on the open market. The lifecycle after a missed renewal runs roughly: a grace period (renew at normal price), then redemption (recovery typically costs a substantial extra fee, often well over $100), then the domain drops — and valuable-looking drops get caught by automated backorder services within seconds, not days. Buying your own name back from a drop-catcher is a negotiation you do not want to have.

Expiry protection is boring and absolute: auto-renew on everything you'd mind losing, a payment method someone actually monitors plus a backup, registrant email on infrastructure that outlives any employee, and a calendar check once a year against your inventory sheet.

FAQ

What happens if my domain expires?

Resolution stops — site and email die — and the domain enters a grace period where you can usually renew at the normal price. After that comes redemption, where recovery typically costs a substantial extra fee, and then the domain is released for anyone to register. Brand domains get watched by drop-catchers, so a lapse can become a ransom situation.

Can someone actually steal my domain?

Domain hijacking is real but almost always starts with account compromise — a phished password or a hijacked email inbox — rather than an attack on the domain system itself. Strong unique credentials, 2FA, and an active transfer lock close the paths that matter for most businesses.

Is DNSSEC worth turning on?

Yes, if your provider makes it a toggle rather than a manual key-management project. DNSSEC cryptographically signs your DNS answers so resolvers can detect forged responses. At Cloudflare it's included free and enabled with one click; there's no meaningful reason to leave it off.

Does WHOIS privacy affect my ownership of the domain?

No. WHOIS privacy masks your contact details in the public record; the underlying registrant data on file is still you, and your registrar account still controls the domain. Some registrars have charged extra for privacy; at-cost providers like Cloudflare include it free.

All five switches, one destination

Move to Cloudflare and transfer locks, free DNSSEC, and free WHOIS privacy come standard — at wholesale renewal prices. The free Migration Kit automates the entire move from GoDaddy.

Get the Free Migration Kit