RANT: Who Owns Your Domain?
Yesterday, I was with the board of a regional company and we were discussing some migrations. Some of the steps needed were going to require some domain records to be updated, so I asked who had access to the company’s DNS. There were some blank stares, so I quickly did a Whois lookup on GoDaddy to identify where the domains were registered and who the contacts were that were listed.
When I saw the results, I was genuinely shocked. The business didn’t actually own their domain registration, an agency that they were working with did.
This is unacceptable.
Let’s play a little game of what if.
- What if you need to update your domain registration settings for other platforms you’re going to integrate? Do you have to pay your third-party to update something that you should own? This company actually did… and the agency was also charging them more than the domain registration actually cost every year!
- What if your business domain registration expires? We’ve seen this happen and the company has to scramble to find out who owns the account and to renew the registration before it’s registered by someone else.
- What if you have a billing dispute or legal argument with the company who is listed as your domain’s registrant?
- What if the company that is listed as your registrant goes out of business or their assets are frozen?
- What if the company that is listed as your registrant disables the email address that’s listed as the owner of your company’s domain?
That’s right… any of these issues could cause you problems! In this specific instance, my client has invested millions of dollars in their business’ brand and their domain’s authority online over the last two decades. Losing that would severely impact their business – bringing everything down from their corporate email to their online presence.
Your domain ownership should never be relinquished over to a third party… including an external IT company or agency. Just as you wouldn’t let a third-party own your retail lease or your home mortgage, your domain registration is your property!
How to Look Up Your Domain Registration With Whois
Whois is a service that all domain registration companies have where you can physically or programmatically look up ownership of a domain. Keep in mind that not all information is public. Companies can mark their ownership as private. In either case, if you look up your domain information using Whois, you should be able to tell whether it’s in a domain registration account you own (eg. GoDaddy), or if you don’t recognize the business or registrar… start tracking down who does.
Here’s a sample Whois result:
WHOIS search results Domain Name: martech.zone Registry Domain ID: 83618939503a4d7e8851edf74f2eb7d0-DONUTS Registrar WHOIS Server: whois.godaddy.com Registrar URL: http://www.godaddy.com Updated Date: 2019-05-15T19:41:47Z Creation Date: 2017-01-11T01:51:30Z Registrar Registration Expiration Date: 2022-01-11T01:51:30Z Registrar: GoDaddy.com, LLC Registrar IANA ID: 146 Registrar Abuse Contact Email: email@example.com Registrar Abuse Contact Phone: +1.4806242505 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited Registrant Organization: Highbridge Registrant State/Province: Indiana Registrant Country: US Registrant Email: Select Contact Domain Holder link at https://www.godaddy.com/whois/results.aspx?domain=martech.zone Tech Email: Select Contact Domain Holder link at https://www.godaddy.com/whois/results.aspx?domain=martech.zone Admin Email: Select Contact Domain Holder link at https://www.godaddy.com/whois/results.aspx?domain=martech.zone Name Server: NS09.DOMAINCONTROL.COM Name Server: NS10.DOMAINCONTROL.COM
If you find that the business, email address(es), or the domain registration company of the registrant is a subcontractor, agency, or IT company that you’ve hired to manage your DNS, have them immediately change the registrant business and email address back to you and make sure you OWN the domain registration account where it’s set up at.
Keep in mind, every domain registration has different contacts associated that will allow you to offer your external resources access or the ability to get notification on changes:
- Registrant – who owns the domain
- Admin – typically, a billing contact for the domain
- Tech – a technical contact who manages the domain (outside billing)
I’ve seen large companies lose their domains because they never even realized that they didn’t own them in the first place, their subcontractor did. One of my clients had to sue and go to court to get their domain back in their hands after letting an employee go. The employee bought the domains and registered them in his name, unbeknownst to the company’s owner.
I immediately crafted an email to the IT company and requested they transfer the domain to an account owned by the company’s owner. Their response wasn’t what you’d expect… they wrote directly to my client and hinted that I may be wanting to rip off the company by putting the domains in my name, something I never requested.
When I responded directly, they then told me that the reason they did it was to manage the domain at the request of the client.
Had they kept the company’s owner as registrant and added their own email address for admin and tech contact, I would approve. However, they changed the actual registrant. Not cool. If they were billing and admin contact, they could have managed the DNS and also taken care of billing and renewals. They didn’t need to change the actual registrant.
Side note: We also identified that the company was charging about 300% more than a typical domain registration renewal, to which they said that was to cover their management of the domain. And they were charging that fee 6 months earlier than the renewal deadline.
To be clear, I’m not stating this IT company had a nefarious agenda. I’m certain that getting full control of my client’s domain registration made their lives much easier. In the long run, it may have even saved some time and energy. However, it’s simply unacceptable to change the registrant email on the account.
What If You DO Want A Third-Party To Manage Your Domain?
If your domain registrar doesn’t offer enterprise features where you can add collaborators or managers to your domain
There ARE times that companies want a third party to manage their domain, so here’s a work-around. I typically have the company set up a distribution email address (eg. firstname.lastname@example.org) that they can add or remove third-party email addresses on. This is helpful in a number of ways:
- You can add and remove vendors as needed.
- Everyone on the distribution list is updated if there’s any change to the account (including password changes).
Pro tip: Don’t set up your domain owner email address with the same domain as your actual domain! If your domain registration record expires or your DNS changes, it’s going to make it impossible for you to get email notifications! Most businesses have more than one domain associated with their business… so set up an account distribution list at one of the other domains.
My Advice for Your Company’s Domain Registration
I advised my client to get a GoDaddy account, register their domain for the maximum… a decade… and then add the IT company as a manager where they could access the DNS information that they needed to. Since my client has a CFO, I recommended that they add that contact for billing and we notified her of the account to ensure the domains were paid for the long term.
The IT company will still be paid for their management of the DNS, but there’s no need to additionally pay them 3 times what the registration costs. And, there’s now no risk to the company that their domain is out of their control!
Please check your company’s domain name and ensure that the ownership is under your company’s account and control. This is something you should never relinquish control to a third party.