Understanding Registrar Lock and Transfer Lock (2025 Guide)

Quick Answer

Table of Contents

What is Registrar Lock?

Registrar lock is a security setting that prevents your domain from being transferred away from your current registrar without your explicit permission. It's also known by several other names:

• Transfer lock
• Domain lock
• Client transfer lock
• Registrar transfer lock

All these terms refer to the same protection mechanism.

Why It Exists

Domain transfers are a normal part of domain management—you might want to switch registrars for better pricing, features, or service. However, this legitimate functionality creates a vulnerability: if someone gains unauthorized access to your registrar account, they could initiate a transfer to steal your domain.

Registrar lock solves this problem by adding a manual step that you must complete before any transfer can proceed.

What It Protects Against

Domain lock prevents:

• Unauthorized transfers initiated by hackers who compromised your account
• Social engineering attacks where attackers trick support staff
• Account takeover scenarios where credentials are stolen
• Accidental transfers triggered by mistake or confusion
• Malicious transfers by disgruntled employees or contractors

What It Does NOT Prevent

Domain lock does NOT protect against:

• Changes to DNS settings within your current registrar
• Domain expiration (you still must renew)
• Changes to WHOIS contact information
• Changes to nameservers at the same registrar
• Legal actions or ICANN dispute resolutions

For these scenarios, you need additional security measures like two-factor authentication and registry lock.

How Domain Lock Works

Understanding the technical mechanism helps you appreciate why it's so effective:

The Transfer Process (Without Lock)

Normal domain transfer workflow:

1. You request transfer at new registrar
2. You provide authorization (EPP) code
3. New registrar sends transfer request to current registrar
4. Current registrar sends confirmation email
5. If you approve (or don't respond in 5 days), transfer proceeds
6. Domain moves to new registrar

Vulnerability: If someone has your account credentials, they can complete steps 1-5 themselves.

The Transfer Process (With Lock Enabled)

When registrar lock is active:

1. Attacker requests transfer at new registrar
2. Attacker provides authorization code
3. New registrar sends transfer request to current registrar
4. Current registrar checks EPP status
5. Status shows "clientTransferProhibited"
6. Transfer request is immediately rejected
7. Domain stays with current registrar

Protection: The transfer never even gets to the email confirmation stage—it's blocked at the protocol level.

Technical Implementation

Registrar lock works through the EPP (Extensible Provisioning Protocol), the standard communication protocol between registrars and registries.

When you enable domain lock, your registrar:

1. Sends an EPP command to the registry
2. Registry adds "clientTransferProhibited" to domain's status
3. Status is stored at registry level (not just registrar)
4. All registrars can see this status
5. EPP protocol requires all registrars to reject transfers for locked domains

This means the lock is protocol-enforced, not just a registrar preference—all ICANN-accredited registrars must honor it.

Client vs Server Lock Status

There are two types of transfer locks you might encounter:

Client Status (Registrar-Level Lock)

Status code: clientTransferProhibited

Set by: Your domain registrar

What it means: Your registrar has locked the domain to prevent transfers

Control: You can request unlock through your registrar account (usually instant or within minutes)

Common scenarios:

• Default security setting at most registrars
• Protection you enable manually
• Automatic lock during certain operations

How to unlock: Log in to registrar account → Domain settings → Unlock/Disable transfer lock

Server Status (Registry-Level Lock)

Status code: serverTransferProhibited

Set by: The domain registry (higher authority than registrar)

What it means: The registry itself has locked the domain—much stronger protection

Control: Requires formal request to registry through your registrar (can take 24-48 hours or longer)

Common scenarios:

• Premium/valuable domains
• Enterprise registry lock service
• Domains under dispute
• Registry-level holds for policy violations

How to unlock: Contact registrar → Submit unlock request to registry → Wait for registry approval → Usually requires verification

Which One Should You Use?

For most users: clientTransferProhibited (standard registrar lock) is sufficient and should be enabled on all domains.

For high-value domains: Consider adding serverTransferProhibited (registry lock) for maximum protection. This service typically costs $100-$1,000/year per domain but provides ultimate security for domains worth $100,000+.

EPP Status Codes Explained

When you check your domain's WHOIS information, you'll see EPP status codes. Here are the most important ones related to domain locking:

Transfer-Related Statuses

clientTransferProhibited

• Meaning: Transfers are blocked by registrar
• Impact: Cannot transfer to another registrar
• Good or bad: GOOD—this protects your domain
• Action needed: None, unless you want to transfer

serverTransferProhibited

• Meaning: Transfers are blocked by registry
• Impact: Cannot transfer without registry approval
• Good or bad: GOOD—maximum transfer protection
• Action needed: None, unless you want to transfer (requires registry unlock)

Update-Related Statuses

clientUpdateProhibited

• Meaning: Domain information cannot be updated
• Impact: Cannot change nameservers, contacts, or other settings
• Good or bad: MIXED—strong protection but limits flexibility
• Action needed: Unlock before making legitimate changes

serverUpdateProhibited

• Meaning: Registry blocks all updates
• Impact: No changes possible without registry approval
• Good or bad: MIXED—part of registry lock service
• Action needed: Contact registrar to request registry unlock

Delete-Related Statuses

clientDeleteProhibited

• Meaning: Domain cannot be deleted
• Impact: Protects against accidental or malicious deletion
• Good or bad: GOOD—additional protection
• Action needed: None for normal operations

serverDeleteProhibited

• Meaning: Registry prevents deletion
• Impact: Domain cannot be removed from registry
• Good or bad: GOOD—registry-level deletion protection
• Action needed: None for normal operations

Other Important Statuses

clientHold

• Meaning: Registrar has placed domain on hold
• Impact: Domain doesn't resolve (website/email offline)
• Good or bad: BAD—usually means billing issue or violation
• Action needed: Contact registrar immediately to resolve

serverHold

• Meaning: Registry has placed domain on hold
• Impact: Domain doesn't resolve
• Good or bad: BAD—serious policy violation or legal issue
• Action needed: Contact registrar to understand reason

pendingTransfer

• Meaning: Transfer is currently in progress
• Impact: Domain is moving to another registrar
• Good or bad: NEUTRAL—expected during legitimate transfers
• Action needed: None if you initiated it; cancel if unauthorized

redemptionPeriod

• Meaning: Domain expired and is in redemption
• Impact: Website offline; expensive to recover
• Good or bad: BAD—you missed renewal
• Action needed: Pay redemption fee immediately (typically $100-200)

How to Check Your Domain's Status

Method 1: WHOIS lookup

whois yourdomain.com

Look for "Domain Status:" or "Status:" field

Method 2: ICANN WHOIS lookup Visit: https://lookup.icann.org/en/lookup Enter your domain name View status codes in results

Method 3: Registrar control panel Most registrars show status in domain management interface

Interpreting results:

Good security configuration shows:

Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited (optional)
Domain Status: clientDeleteProhibited (optional)

Maximum security configuration shows:

Domain Status: clientTransferProhibited
Domain Status: serverTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: serverUpdateProhibited
Domain Status: clientDeleteProhibited
Domain Status: serverDeleteProhibited

Benefits of Domain Locking

1. Prevents Unauthorized Transfers

The primary benefit: Even if attackers compromise your account password, they cannot transfer your domain without first unlocking it.

This adds a critical delay where you can:

• Receive alerts about unlock attempts
• Regain control of your account
• Contact registrar support
• Stop the attack before domain is stolen

2. Protection Against Social Engineering

Attackers sometimes call registrar support pretending to be you:

• "I lost my email access, please help me transfer"
• "I'm traveling and need emergency access"
• "I'm the new IT manager, transfer domains to our account"

Even if support is fooled, the lock prevents immediate transfer—requiring additional verification steps.

3. Prevents Accidental Transfers

Domain lock also protects against:

• Employee mistakes (initiating transfer by accident)
• Clicking wrong buttons in control panel
• Confusion about which domains to transfer
• Misunderstanding transfer processes

4. Compliance and Audit Trail

For businesses:

• Demonstrates due diligence in protecting assets
• Creates audit trail of lock/unlock actions
• Supports compliance with security standards
• Documents security controls for insurance

5. Peace of Mind

Knowing your domains are locked lets you:

• Sleep better at night
• Focus on business instead of security threats
• Reduce monitoring frequency
• Lower risk of catastrophic loss

How to Enable Domain Lock

Most registrars enable domain lock by default, but here's how to verify and enable it manually:

Namecheap

1. Log in to Namecheap account
2. Go to Domain List
3. Click "Manage" next to domain
4. Navigate to "Sharing & Transfer" section
5. Find "Transfer Lock" toggle
6. Ensure it's set to "Locked"

Default: Usually locked by default

GoDaddy

1. Sign in to GoDaddy account
2. Navigate to Domain Portfolio
3. Select the domain
4. Click "Additional Settings"
5. Find "Domain Lock"
6. Toggle to "On"

Default: Locked by default on new registrations

Cloudflare

1. Log in to Cloudflare dashboard
2. Go to Domain Registration
3. Select your domain
4. Navigate to Configuration
5. Enable "Lock domain"

Default: Locked by default

Google Domains (now Squarespace)

1. Sign in to domains.google.com
2. Select your domain
3. Click "Registration settings"
4. Find "Transfer lock"
5. Ensure it's enabled

Default: Locked by default

Porkbun

1. Log in to Porkbun account
2. Go to Domain Management
3. Select domain
4. Navigate to "Authorization Code" section
5. Enable "Transfer Lock"

Default: Check manually; varies

General Steps for Any Registrar

If your registrar isn't listed:

1. Log in to your account
2. Find domain management section
3. Look for settings like:
   • Domain Lock
   • Transfer Lock
   • Registrar Lock
   • Security Settings
   • Transfer Settings
4. Enable the lock/protection
5. Verify EPP status shows clientTransferProhibited

Confirmation: You should receive email confirmation when lock status changes.

When You Need to Unlock Your Domain

You must unlock your domain temporarily for:

1. Transferring to Another Registrar

Why: Transfer lock specifically prevents this—you must unlock first

Process:

1. Unlock domain at current registrar
2. Obtain authorization (EPP) code
3. Initiate transfer at new registrar
4. Approve transfer when requested
5. New registrar automatically re-locks domain (usually)

Timing: Unlock just before starting transfer; don't leave unlocked unnecessarily

2. Changing Registrant Information (Sometimes)

Why: Some registrars require unlock for ownership changes

Process:

1. Check if registrar requires unlock for this operation
2. If yes, temporarily unlock
3. Update registrant information
4. Re-enable lock immediately

Note: ICANN's 2025 policy update reduced the automatic 60-day transfer lock after registrant changes to 30 days (720 hours), making this less disruptive.

3. Deleting the Domain (Rare)

Why: Delete prohibition prevents deletion

Process:

1. Unlock domain
2. Remove delete prohibition if enabled
3. Process deletion
4. Confirm deletion

Warning: Domain deletion is usually permanent and irreversible—ensure you truly want to delete.

You Do NOT Need to Unlock For:

• ✅ Changing nameservers at the same registrar
• ✅ Updating DNS records
• ✅ Modifying WHOIS contact information (usually)
• ✅ Renewing your domain
• ✅ Adding WHOIS privacy
• ✅ Setting up email or websites

How to Unlock a Domain for Transfer

Step-by-step process for safely unlocking:

Before You Unlock

Verification checklist:

• ✅ Are you absolutely certain you want to transfer?
• ✅ Have you researched the new registrar?
• ✅ Do you understand the transfer process?
• ✅ Is this domain critical to your business?
• ✅ Have you backed up all DNS settings?

Security reminder: Only unlock when you're ready to immediately begin the transfer. Don't leave domains unlocked "just in case."

Unlocking Process

Step 1: Log in securely

• Use secure, trusted network (not public WiFi)
• Verify you're on correct registrar website (check URL)
• Use two-factor authentication

Step 2: Navigate to domain settings

• Find domain management section
• Select specific domain to unlock
• Locate lock/transfer settings

Step 3: Disable transfer lock

• Click "Unlock" or "Disable Transfer Lock"
• Confirm the action
• Note the unlock timestamp

Step 4: Obtain authorization code

• Request EPP/authorization code
• Code typically sent to admin email
• Save code securely (you'll need it for transfer)

Step 5: Verify unlock status

• Check domain status shows transfer is now allowed
• WHOIS should no longer show clientTransferProhibited
• May take 15-60 minutes to propagate

Step 6: Initiate transfer quickly

• Don't delay after unlocking
• Begin transfer process at new registrar
• Provide authorization code when prompted

Step 7: Monitor transfer progress

• Watch for transfer approval emails
• Respond promptly to any verification requests
• Confirm transfer completes successfully

Step 8: Verify re-lock at new registrar

• Once transfer completes, check new registrar
• Ensure domain is locked again
• Enable all security features at new registrar

Emergency Unlock

If you need to unlock urgently but have issues:

Can't access account:

1. Use account recovery process
2. Contact registrar support with verification
3. May require government ID or business documents
4. Can take 24-72 hours for manual review

Can't find unlock option:

1. Check registrar documentation/knowledge base
2. Contact support via live chat or phone
3. Ask specifically for "transfer lock disable"

Unlock not working:

1. Clear browser cache and try again
2. Try different browser
3. Contact support immediately
4. May be server-side issue

Common Lock-Related Issues

Issue 1: "Transfer Rejected - Domain Locked"

Symptoms: Transfer request fails immediately with locked status error

Cause: You forgot to unlock domain before requesting transfer

Solution:

1. Unlock domain at current registrar
2. Wait 15-60 minutes for unlock to propagate
3. Request transfer again at new registrar

Prevention: Always unlock before beginning transfer process

Issue 2: "Can't Find Unlock Option"

Symptoms: No visible lock/unlock toggle in control panel

Cause: Different registrars use different terminology and interface locations

Solution:

1. Search registrar help documentation for "unlock" or "transfer lock"
2. Contact support and ask: "How do I disable transfer lock on my domain?"
3. Request they unlock it for you if you can't find option

Prevention: Familiarize yourself with registrar interface before you need to transfer

Issue 3: "Unlock Not Working"

Symptoms: Click unlock but status doesn't change

Cause: Browser cache, permissions issue, or registrar system problem

Solution:

1. Clear browser cache and cookies
2. Log out and log back in
3. Try different browser or device
4. Wait 1 hour and check again
5. Contact registrar support if still locked

Prevention: Use modern browsers and keep sessions fresh

Issue 4: "Domain Automatically Re-locked"

Symptoms: You unlocked domain but it's locked again before you could transfer

Cause: Some registrars automatically re-lock after 24-48 hours for security

Solution:

1. Unlock again
2. Immediately begin transfer process
3. Don't delay between unlock and transfer initiation

Prevention: Complete entire transfer process quickly after unlocking

Issue 5: "Can't Unlock - Registry Lock Active"

Symptoms: Unlock option grayed out or error says registry lock is active

Cause: Domain has serverTransferProhibited status (registry-level lock)

Solution:

1. Contact registrar support
2. Request registry unlock
3. May require:
   • Identity verification
   • Business authorization
   • Signed documentation
4. Wait 24-48 hours (or longer) for registry to process

Prevention: Understand which domains have registry lock before planning transfers

Domain Lock vs Other Security Measures

How does domain lock compare to other protections?

Domain Lock vs Two-Factor Authentication

Domain Lock:

• Prevents transfers even if account is compromised
• Blocks specific action (transfer)
• No ongoing maintenance

2FA:

• Prevents account compromise in the first place
• Protects all account actions
• Requires device/app access

Best practice: Use BOTH. They protect different attack vectors.

Domain Lock vs WHOIS Privacy

Domain Lock:

• Prevents unauthorized transfers
• Technical security measure
• Blocks domain theft

WHOIS Privacy:

• Hides personal contact information
• Privacy measure
• Reduces spam and social engineering

Best practice: Use BOTH. Privacy reduces attack surface; lock prevents exploitation.

Domain Lock vs Registry Lock

Domain Lock (Client):

• Set by registrar
• Easy to unlock (instant to minutes)
• Free with registration
• Good for most domains

Registry Lock (Server):

• Set by registry
• Difficult to unlock (24-48+ hours)
• Costs $100-$1,000/year
• Best for ultra-valuable domains

Best practice: Use client lock always. Add registry lock for domains worth $100,000+.

Domain Lock vs Strong Passwords

Domain Lock:

• Works even if password is stolen
• Prevents specific harmful action
• Last line of defense

Strong Passwords:

• Prevents initial account compromise
• First line of defense
• Protects all account aspects

Best practice: Use BOTH. Defense in depth requires multiple layers.

2025 Policy Updates

Recent changes to domain security and transfer policies:

ICANN Transfer Policy Updates (2025)

Change of Registrant Lock Period

Old policy: 60-day automatic transfer lock after registrant change New policy: 30 days (720 hours) transfer lock after registrant change

What this means:

• More flexibility for legitimate ownership changes
• Faster ability to transfer after purchasing domain
• Reduced lock-in period for new domain owners
• Balanced security with usability

When it applies: Effective for changes made after policy implementation in 2025

EPP Authorization Code Security Enhancement

New recommendation: Authorization codes should achieve at least 128 bits of entropy

What this means:

• Stronger, more random EPP codes
• Harder for attackers to guess or brute-force
• Aligns with RFC 9154 standards
• Better protection during transfer process

Impact: More secure transfers, longer/more complex auth codes

Regional Updates

.za Domains (South Africa): Domains.co.za became the first South African registrar to implement mandatory domain transfer lock for all .za domains effective April 1, 2025.

What this means:

• All .za domains now protected by default
• Must explicitly unlock before transfer
• Raises security baseline for entire .za namespace

Industry Trend

More registries worldwide are implementing default-on domain locking, making protection automatic rather than optional.

Frequently Asked Questions

Does domain lock prevent my website from working?

No. Domain lock only prevents transfers to another registrar. Your website, email, and all other services continue working normally with domain lock enabled. You can still update DNS, change nameservers at the same registrar, and manage all domain settings.

Should I keep my domain locked all the time?

Yes! Keep domain lock enabled 24/7 except for the brief period when you're actually transferring the domain. There's no benefit to keeping domains unlocked, and doing so creates unnecessary risk.

How do I know if my domain is locked?

Check your domain's WHOIS record for EPP status codes. If you see clientTransferProhibited or serverTransferProhibited, your domain is locked. Most registrar control panels also show lock status in domain management settings.

Can I transfer a locked domain?

No. You must unlock the domain at your current registrar before you can transfer it. The unlock is quick (instant to a few minutes), and you should do it immediately before beginning the transfer process.

What happens if I try to transfer a locked domain?

The transfer request will be immediately rejected with an error indicating the domain is locked or transfer-prohibited. You'll need to unlock it and submit a new transfer request.

Will domain lock prevent hackers from changing my DNS?

No. Domain lock specifically prevents transfers to other registrars. It does not prevent DNS changes at your current registrar. To protect against unauthorized DNS changes, use two-factor authentication on your registrar account.

Is there a fee to lock or unlock my domain?

No. Domain locking and unlocking are free features included with domain registration at all major registrars. However, registry lock (serverTransferProhibited) is a premium service that costs $100-$1,000/year.

How long does it take to unlock a domain?

Client lock (registrar): Usually instant, sometimes up to 15-60 minutes

Server lock (registry): Typically 24-48 hours, sometimes longer depending on registry verification requirements

Can registrar support unlock my domain without my permission?

Reputable registrars require strong identity verification before unlocking domains. However, this is why social engineering is a risk—attackers sometimes successfully impersonate domain owners. This is why combining domain lock with 2FA is essential.

Does the lock transfer to the new registrar?

When you transfer a domain, the lock status at the old registrar becomes irrelevant. Most registrars automatically enable domain lock on newly transferred domains, but you should verify this immediately after transfer completion.

What's the difference between domain lock and privacy protection?

Domain lock prevents unauthorized transfers (security feature)

Privacy protection hides your personal contact information from WHOIS (privacy feature)

They serve different purposes and you should use both.

Key Takeaways

Next Steps

Secure your domains with proper locking:

Immediate Actions (Today):

1. Check all your domains' lock status using WHOIS lookup or registrar dashboard
2. Enable domain lock on any domains currently unlocked
3. Verify EPP status shows clientTransferProhibited
4. Document lock status in your domain inventory

This Week:

1. Review registrar security settings for all domains
2. Enable two-factor authentication if not already active
3. Add WHOIS privacy to protect contact information
4. Set up domain monitoring to alert on status changes

This Month:

1. Create documented procedures for unlock/transfer process
2. Evaluate registry lock for high-value domains
3. Audit team access and ensure only authorized users can unlock domains
4. Test your security by attempting to view lock status from external WHOIS

Research Sources

This article was researched using current information from authoritative sources:

• EPP Status Codes - ICANN
• What you need to know about domain security and EPP codes - GoDaddy Blog
• Domain status clientTransferProhibited - Openprovider
• EPP Codes: Preventing Unauthorized Transfers - NameSilo Blog
• What do domain status codes mean? - OpenSRS
• The .co.za Domain Transfer Lock Update Explained