• Blog

How ICANN's new Domain WHOIS Verification Policy is Going to Make your Life More Stressful

27 May, 2015

Those ICANN emails you ignore? You absolutely cannot anymore.

The site below was a fully working website just moments ago - but new ICANN domain name rules caused this.

If you are not careful, any legitimate domain-holder can also experience the same outage...


WDRP ICANN verification outage


To be clear this has nothing to do with web services, payments or denial of service. It was just suspended at the domain level. It wasn't due to an evil cyberattack from hackers or ne'er-do-wells or even a missed domain renewal.

The registrant of the domain name, probably the website owner or manager had overlooked an email in his or her inbox, where they needed to validate a link from someone he didn't know. Sounds peculiar? It is.

This is the result of ICANN's new email verification policy and procedure.

This user – as users will always need to do – had updated their WHOIS data (the official registrant data) of their domain name. She had updated their physical address and the registrant email of the domain name. This has always been a smooth, quick process at your domain registrar. ICANN's new rule and enforcement has significant repercussions, when you ignore it or even miss it innocently.

ICANN now has an email verification process to ensure that registrant data is correct. For example, you change your WHOIS registrant data, you will receive an automated email from your registrar. This is auto generated, when the WHOIS update is completed.

You MUST click the validation link in the email, otherwise the domain name will be suspended. Some instances within after 72 hours, others within 15 days.


Why ICANN's wants this versus how it works in the real world


ICANN's change in the registrar Agreement believes that having registrants verify their data is going to result in a better-managed "accountability" of all internet "identities". means that your domain registrar (whether it is iTristan Media Group, GoDaddy, EasyDNS etc.) has to send you an email with a validation link in specific situations. They will relate to all generic top level domains (.com, .net, .org etc. plus the new ones like .club, .berlin etc.) that fall under the authority of ICANN, which is not all top level domains by the way (more about this later) :

  1. If you register a new domain name and your registrant data is not already in the WHOIS database. (It might be the first time you register a domain name, or you might use different data such as a new bricks and mortar address, telephone or email).
  2. If your existing domain names have WHOIS data which seems to be incomplete or suspicious.
  3. If you make a domain owner change at your domain registrar.

ICANN's registrar agreement details: note the last phrase. "Registrars must suspend or delete domain names that are not timely verified".



ICANN says it's a "great step forwards towards more transparency". It certainly is a burden on both domain owners and registry providers – you could all it an over reaction, which can have grave consequences. For all those times where people ignore, forget or simply don't understand what their reminders mean, there will be an inevitable deluge of panicked support tickets and calls throwing support staff and systems into a frenzy of activity – the kind of activity that cost a lot of money that in turn gets put back onto business owners.

The newly implemented Whois Data Reminder Policy (WDRP) last year, was the precursor to this – an email send out once a year to all domain registrants requesting that they review and update their WHOIS data. Everyone ignored it, disregarded it and almost never took action because of it. Imagine now what happens when they get burned for that inaction.


Three big problems caused by the new rules

  1. As mentioned above, registrars and registry providers now have a very big support and administrative load to carry in order to verify if registrant data is correct, and to ensure that registrants update their WHOIS data.
  2. Scammers have a new phishing channel.
  3. Domain owners risk that their domains will be suspended due to ignoring (or missing) one email with grave consequences. This means that their website goes down even if the email ends up in the spam filter – suspended domain names will be removed from the existing DNS. What would the consequences be of your website shutting down for hours or days?

So please read on and understand what you have to do to follow ICANN's new rules.


How this works in the real world : a.k.a. what you have to do

Let me answer the most common questions in the following:

1. Which top level domains require email validation according to ICANN's new registrar agreement?

This new validation includes all existing generic top level domains (.com, .net, .biz etc.) and the new specialty top level domains, which are coming out at the moment such as .consulting, .club, .berlin, .blog and .marketing. There is no validation needed for country code top level domains like .ca, .de and .co.uk which are not under the authority of ICANN.

2. Why would I receive one of these validation emails?

There are four instances where you will need to respond to one of these messages: 

  1. For new domain registrations (not country code domains)
  2. Any domain transfers coming into your account.
  3. Whenever you make changes to your registrant information in the WHOIS.
  4. If your existing WHOIS data is not correct (ficticious brick and mortar address, non-working registrant email, non formatted telephone) – (this would not be a good idea in the first place anyway)

3. How am I going to be notified of the email validation?

Whether you make a change to the WHOIS information or register a new domain name, an email is send to the email address in the WHOIS of the original registrant (if there was one). So if you change email addresses, then it will go to the old email of the registrant, where you will receive the email with the validation link - not to the new email address.

There is no requirement to re-verify email addresses once they have been successfully verified.


4. How does the email verification work in practice?

An email will be send to the owner/registrant from your registry. If it is registered here, it will come from domains@itristanmedia.com. The email contains a link to be confirmed. Please note that if your owner email is already verified once, then you will not be sent a verification when you register new domain names with the same contact data as long as it is within the same unchanged profile.

When you click the link in your email, you will be taken to a landing page confirming that the verification has been successful. The domain will stay unverified until your email has been verified.

When the owner email has been verified, in up to 15 days, the domain will automatically become delegated to the name servers configured.


WDRP Verification


5. OK, so what could possibly go wrong?

  1. If you don't respond to the email verification, new domain names will remain inactive, and existing domain names will be suspended – even if they had once been active or verified.
  2. For new domain registrations the domain name remains inactive until you have verified it. The status of those new domains will be listed as ClientHold in the WHOIS. If you haven't acted on the verification within 15 days, then you will have to request a new email from your domain registrar.
  3. If you make an owner change, and you forget to verify the domain name, then the domain name will be parked on other dns.
  4. This means that if you use it for a website, then the website will go down until reactivated..
  5. If WHOIS data are not correct today and we notify you, then you have 15 days to get them in order, or the domain name will be suspended.


No response after 15 days and registry providers are obliged to terminate or suspend a domain name according to ICANN.


6. What you can do pro-actively?

You should check the WHOIS data of your domain names. You can check it at whois.com. If you have several domain names, then contact us or your registrar. We will be able to retrieve a report for hundreds of domain names. Take note if the email, phone number or postal address are incorrect and contact your registrar to update these WHOIS data. Make sure that your registrar's emails don't end up in your spam filter.


At the End of the Day

ICANN's wants to ensure more transparency. This is laudable but has backlashed with these registrar verification procedures. These rules will create inevitable moments of panic for business owners that believe they are set up properly but could face significant downtime regardless.

This can have grave consequences such as a websites going down or people losing access to their email, as the dns is removed until the link has been validated. In turn this will result in lost revenue, lost productivity and serious stress.

Additionally it puts an extra burden on domain registrars, which have to ensure that domain registrants are informed and act upon these validation links.

And the one thing ICANN has forgotten is that it also opens the door for scam artists, who will send similar looking phishing emails to domain name registrants looking to get a click or two to hijack a brand.


This is Your Intellectual Brand Property

Be informed, know what is real in domain management and ask questions if something looks odd or out of place. At least it is proactive and your registrar would rather answer one pre-emptive question than have your business go down for something as silly as this.

Comments (24)

  1. Pamela Dabney:
    Dec 06, 2015 at 12:31 AM

    It is serious and has happened to me twice. I thought the web host registrar was picking on me since my stroke.
    The email looked liked spam the first time, so I did ignore the messages and was shut down. The second time, I received no warning at all and was shut down . It happened twice within two months of updating the domain name registration. I hope this helps someone else.

  2. Jason:
    Jan 06, 2016 at 07:15 PM

    Yes exactly. There is almost no awareness on the importance of these verification messages, so domain owner see warnings as background noise. What makes it such a stressful situation is that it takes down the owner's domain, which is by far the biggest problem and stress. But it also adds to the registry company stress load as well (that's us, by the way) when it loads up otherwise innocent domain owners who are understandably freaking out over why their site has gone down. The registry support people then add to their workload explaining why everything's gone south. And then helping to fix the situation. Everyone loses.

  3. Paul Shadwell:
    May 31, 2016 at 11:05 AM

    I have a domain that I only use for email.
    I got the verification email but thought it was spam, then I stopped getting emails but didn't notice because I was on holiday.
    Then I was waiting for some critical emails and nothing was happening so I then started investigating, only when I went to EuroDNS did I then see the message. I verified the emails but then realised that all my zone settings were gone.
    This is UTTER BS, ICANN sucks, surely when I renew my domain I am verifying my account. Goodness knows how much potential business I have lost now. Thanks for nothing ICANN.

  4. dan:
    Jun 09, 2016 at 12:28 PM

    thanks very much for this explanation. thought for sure it was phishing spam or worse a drive-by randsomware attack. glad I took the time today (the last day!) to actually investigate.

  5. Joe Mama:
    Jul 24, 2016 at 11:52 PM

    It's all about control... these are just the first steps.

  6. Kris:
    Sep 21, 2016 at 09:42 AM

    Namecheap still safe btw,
    I register new domains a couple days ago, and don't get any ICANN email,
    and after I read this, I tested to change my address, and don't get any ICANN email to verify too.

    My friend domain get suspended because he moved to a new house and not update his current address, they said my friend address is fake, but his domain register is not namecheap.

  7. Jason:
    Sep 21, 2016 at 10:53 AM

    Yes, how your registrar implements the ICANN policy is another **huge** variable in this equation. We're hearing so many different stories on what people are or are not receiving from their registrar. It's just so so confusing already that people don't know what the emails are about anyway, never mind receiving or not receiving everything you need.
    And really for the most part, unless you're working with a real off-the-wall-can't-get-in-touch-with-them-mystery-type registry provider, registrars are generally a decent bunch, but may not be helping you very well with how they're implementing this policy for ICANN. It just might be *that* onerous.

  8. Jason:
    Sep 21, 2016 at 10:54 AM

    Dan, you're welcome – probably pretty clear that we're getting inundated by confused domain owners so it seemed like a good time to try to bring order to chaos - sort of.

  9. mj Ostrum:
    Oct 31, 2016 at 02:34 PM

    Too Damned confusing!

    Thanks for this posting. I hate it, but it explains it all.


  10. Gary Robison:
    Dec 15, 2016 at 08:42 AM

    I deleted my email from ICANN, now the website is down, how do I get it back?

  11. Jason:
    Dec 16, 2016 at 09:42 AM

    Gary, generally you don't actively (deliberately) delete directly from ICANN. Your registrar or registry provider updates ICANN based on your status as active, expired and so on. Only then ICANN takes action.
    But, if you somehow have done this, you will need to – ASAP – renew your domain. Probably best to do this with your original registry provider but really it can be anyone as long as the domain is not completely deleted from the account then you have a good chance of getting it back.
    But be quick!

  12. Matt R:
    Mar 22, 2017 at 03:29 PM

    I agree, this is Utter BS. Namecheap shut down our company domain that has been active for over 15 years. I made a change to our domain email address because our IT guy left the company. I never received ANY notification to verify this change. Namecheap said they sent it to the old email address, WHY NOT SEND IT TO BOTH OLD and NEW!! If the person left the company, how would I get the darn email. But, I kept the email active for the person that left. He was the company admin so we kept it active for this kind of reason. It turns out that Namecheap NEVER sent an email for the verification process. I searched for it and didn't find it because THEY NEVER SENT IT!!. So in short, our company domain was shut down on a Saturday! I didn't know about it till late Sunday night and by the time I figured it out on Monday what was going on and contacted Namecheap, it took till Thursday to get everything back up and running. Because they shut it off on a Saturday and let two whole days go by made matters worse. Our domain was removed from DNS servers all over the world because they did this on a Saturday. Why did they wait and shut it off on a Saturday? I think they like shutting domains down. If they shut it off during business hours, I would have been able to prevent the domain from being removed from all over the world. Also on that Monday, I found out that NAMECHEAP DOESN'T HAVE A PHONE NUMBER. What company doesn't have a phone number? Hey NAMECHEAP, how about pick up the phone (oh that is right you don't have one) and/or Send a certified letter (add the cost of the letter to the next domain renewal) or even send a regular postal letter explaining what will happen if the verification process is not done and don't wait till Saturday. How about they notify their customers about these new changes. ICANN and all Registrar's should have been mandated by the government to notify every domain owner of this ridiculous rule. For what it is worth, don't do business with a company "NAMECHEAP" that doesn't have a phone (cheap is in their name, that should tell you something) and does not care about their customers. A company that doesn't go the extra mile for its customers. See the RAA at the beginning of this page, even ICANN says you may receive a phone call, email or US Postal Letter. NAMECHEAP took the CHEAP way, they choose email. Email that never makes it to the user. Find another registrar that has a phone and will go the extra mile.

  13. Matt R:
    Mar 22, 2017 at 03:32 PM


    Gary deleted the email that was sent to him. He was very clear.


  14. Jason:
    Mar 22, 2017 at 04:13 PM

    Thanks Matt, you know I just read Gary's message differently – I thought he'd meant that he'd deleted his email account (which of course makes no sense).
    But you're right of course he meant the email message; don't know why I thought otherwise.

  15. eric:
    Apr 06, 2017 at 01:30 PM

    our company got our hosted websites shutdown as a result of this too! We were on godaddy, they didn't do anything like this. Is namecheap the only ones following icann's rules? I'll switch back to godaddy if they don't do this. DNS actually takes HOURS to mostly flush through the internet, some places a full 24 hours.

  16. Jason:
    Apr 06, 2017 at 03:23 PM

    Eric, fairly sure there are no exceptions, even for GoDaddy. It may have been that the rules weren't in full effect at that time. For us (shameful self-promotion) at iTMG we do follow all the ICANN rules but do communicate rather religiously with clients as well as have support ready to answer questions and address confusion when it arises around this.
    Interestingly it hasn't been as big an issue as we'd expected – although the pain points certainly hurt when it hits home.
    As for DNS, I can't see most reasonable expectations for changes being more than an hour *tops* – our internal expectation (and experience) is mere minutes.

  17. Jim:
    Apr 11, 2017 at 02:59 PM

    This is fantastic! A company I haven't worked for in 5 years had my personal mobile phone number on their new domain registrations. As a result whenever they registered a new domain I'd get tons of phone calls from people offering me web services.
    I first called my old employer and asked them to remove my mobile phone number from their domain contact info. When they didn't I submitted a form through ICANN, 24 hours later ICANN sent the request to Godaddy, 48 hours later I spoke with Godaddy and they removed my phone number from all their domains.
    I don't know or care if their domains will be suspended since they now show 000-000-0000 as the contact number. I do care that I will no longer be getting calls from the bottom feeders that scrape new domain whois data.

  18. Phil R:
    Apr 14, 2017 at 09:44 PM


    Very annoying rules... I did transfer a domain name to another registrar. Since a whois privacy was on when I clicked the validation link sent to the privacy e-mail which in fact is me. It ended to the new registrar with the good Contact informations except for the Registrant ID. I did turn off the whois privacy after. So now, whenever I try to update Registrant Informations, an e-mail is sent to an unreachable mailbox. I made a Icann complaint. Now waiting, dealing with new registrar and hoping for a solution.

    Have you ever seen a problem like that before?

    Thank you

  19. Monah:
    May 15, 2017 at 02:01 PM

    Two years ago I switched Internet Providers and went to all the companies I do business with and updated my email address, including my website host, Homestead. This weekend, May 14th, my domain got put on a client hold. Homestead did not provide ICANN with my updated information and they sent verification to a provider I haven't used in two years. Homestead denied it was their job to do so, but refunded me a paltry sum; an admission of guilt. When I developed my website, I did all communication through Homestead, including paying yearly for my domain name. ICANN was enacted December of 2016, just five months ago and my email was changed two years ago. ICANN was provided the wrong information by Homestead. They offered several lame excuses that it was my responsibility to contact ICANN. If this was true, why did I have to provide a photo ID and proof of address to Homestead compliance department? This entire business of domain names and ownership is a complete jumbled mess and the right hand hasn't a clue what the left is doing at the expense of the customers and their businesses.

  20. Jason:
    May 15, 2017 at 06:12 PM

    Hey Phil, we *have* seen odd things happen with transfer no question. Though I also should qualify that increasingly when we transfer in new domains to us things are pretty smooth well over 90% of the time (with the exception of people approving all the acknowledgement emails, which is always up in the air).
    In some cases , with very small registrars (probably companies that shouldn't be full fledged registrars and just be happy being registry providers), we have had pretty strange interactions with, like you're describing.
    As you indicated, as long as your info on your domain account was valid, ICANN should then automatically be appraised through the system – which is what we do. It's pretty rare that we need a client to actually interact with ICANN or CIRA or any registrar body – I can only vaguely recall needing to contact the .mx registry provider, which was definitely odd.

  21. Jason:
    May 15, 2017 at 06:29 PM

    mj Ostrum - YES! Indeed, this post has been getting so much attention it's kind of sad really.
    We wanted to post something to at least acknowledge that this whole restructuring of their validation model was just going to be such a large problem, especially considering it was going to be responsible for downtime – which means interfering with livelihoods.

  22. Charles okechukwu:
    Dec 23, 2017 at 08:34 AM

    I registered my domain name with Web4africa and I did not receive any warning emails and now my domain name has been suspended. I've tried to login to my client account at web4africa but it has been unsuccessful as I am always told incorrect login details. I tried recovering my password but I am told they cannot recognize my email address. I've tried contacting their support but I've not received any answer and they've not answered my calls to their support line. So I've been unable to verify my email address since I didn't get the email message and can't login to my client account anymore. Please what can I do to unsuspended my domain name.

  23. Simba:
    Dec 23, 2017 at 10:28 AM

    This is stupid, specifically because there is no way to protect people from phishing E-mails. Significant changes like this should not proceed until security concerns have been properly addressed.


  24. Jayaraj Chanku:
    Mar 17, 2018 at 02:57 AM

    Excellent post. Of-course these set of rules feels like a new burden, there are some advantages too. So I think we have to take this stress as a new challenge and do our best. Thanks for sharing this article. I liked this post.

Allowed tags: <b><i><br>Add a new comment: