Are you the master of your domain?

The title of this post is meant to be taken literally, not metaphorically. Do you control your domain?

Last Friday one of our portfolio companies briefly lost control of its domain. It wasn’t the fist time we’ve seen this happen and, as you can imagine, the result could have been disastrous (in this case we were able to lock down the domain before anything nefarious happened, but people don’t steal control of your domain for anything other than doing bad things, so it was lucky that we were able to avoid a serious issue). Different registrars have different rules for transferring domains around. In this case all it apparently took was someone writing the registrar and claiming the domain was in fact theirs. We believe (but aren’t positive) that the registrar did send an email to the contact listed in our account stating that the domain was to be transferred unless action was taken by us (that the process is that simple is a matter for another post altogether). But this email either didn’t get to us or was not acted upon promptly enough to prevent the transfer. The company then jumped through hoops for several hours to get the domain first locked down (so the party who stole it from us couldn’t redirect it) and ultimately transferred back.

We rarely (really never) talk about domain security when we’re talking about other security measures that companies take to lock down their data, transact securely, etc. But clearly it’s extremely important to make sure that you have (and always maintain) control over your domain. This starts with making sure your domain is a corporate asset – meaning that it’s not in the account of a founder but in an account that is owned and controlled by the company itself. It’s also extremely important to make sure the contact information in this account is up to date. And that you pay attention to any notices that your registrar might send you (in a timely mannor).

So seriously. Make sure you are the master of your domain.

  • Great idea.  Do you have any opinion on whether people should purchase the .net and .org suffixes also?  I never do but have heard from others that it’s worthwhile. 

    • for my primary production site, I bought all three.  I see almost no traffic to .net or .org, tho, so hard to say there’s explicit value.

      You *do* get the implicit value of no squatters doing douchey stuff on a similar domain, so there’s that.

      • I agree with you .Plus you can also take those domains and have them auto forward to your main domain. 

        • i agree as well. plus the downside of not owning them seems high enough to justify the expense of maintaining them.

  • I’ve used the same registrar for almost 17 years.  He runs the ISP where I had my first dial-up account in ’94.  Tho today I use a Qwest (or whatever they hell they call themselves) ISP/sat-TV/Phone bundle, I *still* use him as my registrar.

    One of his services is reminder emails abt domain name expirations.  They are *critically* important + have saved me a few times over the years. 

    • that’s the ideal situation. and if someone came to him and said “i really own freepository and you need to transfer me the domain” your guy would call bullshit.

  • also – I hope it goes without saying, but just in case: if you have a unique name, register the mark as either a trade or service mark w/ the USPTO.  

    I loathe the USPTO for almost everything else they do, but the trademark registry is actually helpful.

  • When someone requests a transfer of your domain, they a) need a special authorization code they can only get from your registrar and b) you get an email and have to click to authorize the transfer.

    So either this startup’s registrar account was hacked and someone got the authorization code / changed the email address, or they need to change registrar’s ASAP.

    I haven’t seen any registrars not follow this procedure for at least 5+ years, but I suppose it is always possible. It was put in place due to all the problems back in the late 90s with people stealing domain names (when a simple fax on fake letterhead to Network Solutions would do the trick). 

    • we’ve had more than one company have this issue and in each case the registrar did not follow that procedure. we think that in this case they sent an email saying that the domain was going to be transferred unless we took action in a specified (and short) period of time.