Registrar lock
A status flag at the registry that blocks transfers, deletions, and certain changes. The first line of defense against domain hijacking.
Registrar lock (also called Domain Lock, Transfer Lock, or clientTransferProhibited) is a status flag at the registry that prevents anyone from transferring your domain to another registrar. It's set by the registrar, on behalf of the registrant, and is enabled by default at almost every modern registrar.
It's not a single switch. There's a family of statuses:
- clientTransferProhibited: blocks outbound transfer.
- clientUpdateProhibited: blocks any update to the domain record (rare).
- clientDeleteProhibited: blocks deletion (default at most registrars).
- clientHold: domain is in the registry but not resolving (some kind of suspension).
These are "client" statuses because the registrar sets them. There's also a "server" family (serverTransferProhibited, etc.) set by the registry, usually as part of a legal dispute or for high-value domains.
What it blocks vs allows
Locked:
- Cannot transfer to another registrar.
- Cannot delete the domain.
- Cannot change registrant contact (some registrars).
Allowed:
- Can update DNS records (nameservers, A, MX, etc.) at the DNS host. Lock is at the registry level, not the DNS hosting level.
- Can renew.
- Can purchase services from the same registrar.
Why it exists
Lock is the first line of defense against domain hijacking. A common attack: a phisher gets your registrar credentials (or talks the registrar's support into a manual change), pulls the EPP auth code, and initiates a transfer to a registrar they control. Lock breaks this attack: even with the auth code, the registry rejects the transfer request as long as lock is on.
The strongest version is Registry Lock (a separate, paid service from registries like Verisign for .com). With Registry Lock, the only way to make a change is for the registrar to fax or phone the registry with a verified PIN. Used by Google, Facebook, Microsoft, banks. Costs $50-$300/year. Worth it for high-value domains.
When to unlock
Only when you're actively transferring. Unlock, get the auth code, and complete the transfer; the new registrar relocks at the target. Don't leave domains unlocked between transfers.
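To catch domains left unlocked, you can audit the status values returned by a WHOIS or RDAP lookup. The sketch below is an added example, not code from any registrar or registry. It assumes WHOIS output uses "Domain Status:" lines and that RDAP spells the same statuses as spaced lowercase words; the function names and sample records are constructed for illustration.

```python
import re

# Client statuses the page describes as normally on; clientUpdateProhibited is
# left out because the page calls it rare.
EXPECTED = {
    "clienttransferprohibited": "outbound transfer",
    "clientdeleteprohibited": "deletion",
}

def normalize(status):
    """Fold 'clientTransferProhibited' (WHOIS/EPP) and 'client transfer
    prohibited' (RDAP) into one lowercase token."""
    return re.sub(r"[^a-z]", "", status.lower())

def statuses_from_whois(text):
    """Collect status tokens from 'Domain Status:' lines, ignoring the URL
    that follows each token."""
    found = re.findall(r"(?im)^\s*Domain Status:\s*(\S+)", text)
    return {normalize(s) for s in found}

def statuses_from_rdap(domain_obj):
    """Collect status tokens from the 'status' array of an RDAP domain object."""
    return {normalize(s) for s in domain_obj.get("status", [])}

def audit(statuses):
    """Report which expected locks are absent and which registry-set
    ('server') statuses or holds are present."""
    return {
        "transfer_locked": "clienttransferprohibited" in statuses,
        "not_blocked": sorted(v for k, v in EXPECTED.items() if k not in statuses),
        "server_statuses": sorted(s for s in statuses if s.startswith("server")),
        "on_hold": "clienthold" in statuses,
    }

# Constructed sample inputs (not real lookups).
WHOIS_LOCKED = """\
Domain Name: LOCKED.EXAMPLE
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
"""
RDAP_UNLOCKED = {"ldhName": "unlocked.example",
                 "status": ["client delete prohibited", "client hold"]}

if __name__ == "__main__":
    for name, st in [("locked.example", statuses_from_whois(WHOIS_LOCKED)),
                     ("unlocked.example", statuses_from_rdap(RDAP_UNLOCKED))]:
        print(name, audit(st))
```

Run on a schedule across a portfolio, any domain reporting `transfer_locked: False` outside a planned transfer window is worth an alert.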
In a custom-domain SaaS
If your platform lets users buy domains, lock should be on by default. Surface the toggle when the user starts a transfer-out flow, but don't expose it as a top-level setting. Users have no reason to think about it day-to-day, and exposing it just creates an "I clicked it and now I've been hijacked" support case.