How ICANN's new Domain WHOIS Verification Policy is Going to Make your Life More Stressful

Those ICANN emails you ignore? You absolutely cannot anymore.

The site below was a fully working website just moments ago - but new ICANN domain name rules caused this.

If you are not careful, any legitimate domain-holder can also experience the same outage...

To be clear this has nothing to do with web services, payments or denial of service. It was just suspended at the domain level. It wasn't due to an evil cyberattack from hackers or ne'er-do-wells or even a missed domain renewal.

The registrant of the domain name, probably the website owner or manager had overlooked an email in his or her inbox, where they needed to validate a link from someone he didn't know. Sounds peculiar? It is.

This is the result of ICANN's new email verification policy and procedure.

This user – as users will always need to do – had updated their WHOIS data (the official registrant data) of their domain name. She had updated their physical address and the registrant email of the domain name. This has always been a smooth, quick process at your domain registrar. ICANN's new rule and enforcement has significant repercussions, when you ignore it or even miss it innocently.

ICANN now has an email verification process to ensure that registrant data is correct. For example, you change your WHOIS registrant data, you will receive an automated email from your registrar. This is auto generated, when the WHOIS update is completed.

You MUST click the validation link in the email, otherwise the domain name will be suspended. Some instances within after 72 hours, others within 15 days.

Why ICANN wants this versus how it works in the real world

ICANN's change in the registrar Agreement believes that having registrants verify their data is going to result in a better-managed "accountability" of all internet "identities". means that your domain registrar (whether it is iTristan Media Group, GoDaddy, EasyDNS etc.) has to send you an email with a validation link in specific situations. They will relate to all generic top level domains (.com, .net, .org etc. plus the new ones like .club, .berlin etc.) that fall under the authority of ICANN, which is not all top level domains by the way (more about this later) :

1. If you register a new domain name and your registrant data is not already in the WHOIS database. (It might be the first time you register a domain name, or you might use different data such as a new bricks and mortar address, telephone or email).
2. If your existing domain names have WHOIS data which seems to be incomplete or suspicious.
3. If you make a domain owner change at your domain registrar.

ICANN's registrar agreement details: note the last phrase. "Registrars must suspend or delete domain names that are not timely verified".

ICANN says it's a "great step forwards towards more transparency". It certainly is a burden on both domain owners and registry providers – you could call it an over reaction, which can have grave consequences. For all those times where people ignore, forget or simply don't understand what their reminders mean, there will be an inevitable deluge of panicked support tickets and calls throwing support staff and systems into a frenzy of activity – the kind of activity that cost a lot of money that in turn gets put back onto business owners.

The newly implemented Whois Data Reminder Policy (WDRP) last year, was the precursor to this – an email send out once a year to all domain registrants requesting that they review and update their WHOIS data. Everyone ignored it, disregarded it and almost never took action because of it. Imagine now what happens when they get burned for that inaction.

Three big problems caused by the new rules 

1. As mentioned above, registrars and registry providers now have a very big support and administrative load to carry in order to verify if registrant data is correct, and to ensure that registrants update their WHOIS data.
2. Scammers have a new phishing channel.
3. Domain owners risk that their domains will be suspended due to ignoring (or missing) one email with grave consequences. This means that their website goes down even if the email ends up in the spam filter – suspended domain names will be removed from the existing DNS. What would the consequences be of your website shutting down for hours or days?

So please read on and understand what you have to do to follow ICANN's new rules.

How this works in the real world : a.k.a. what you have to do

Let me answer the most common questions in the following:

1. Which top level domains require email validation according to ICANN's new registrar agreement?

This new validation includes all existing generic top level domains (.com, .net, .biz etc.) and the new specialty top level domains, which are coming out at the moment such as .consulting, .club, .berlin, .blog and .marketing. There is no validation needed for country code top level domains like .ca, .de and .co.uk which are not under the authority of ICANN.

2. Why would I receive one of these validation emails?

There are four instances where you will need to respond to one of these messages: 

1. For new domain registrations (not country code domains)
2. Any domain transfers coming into your account.
3. Whenever you make changes to your registrant information in the WHOIS.
4. If your existing WHOIS data is not correct (ficticious brick and mortar address, non-working registrant email, non formatted telephone) – (this would not be a good idea in the first place anyway)

3. How am I going to be notified of the email validation?

Whether you make a change to the WHOIS information or register a new domain name, an email is send to the email address in the WHOIS of the original registrant (if there was one). So if you change email addresses, then it will go to the old email of the registrant, where you will receive the email with the validation link - not to the new email address.

There is no requirement to re-verify email addresses once they have been successfully verified.

4. How does the email verification work in practice?

An email will be send to the owner/registrant from your registry. If it is registered here, it will come from domains@itristanmedia.com. The email contains a link to be confirmed. Please note that if your owner email is already verified once, then you will not be sent a verification when you register new domain names with the same contact data as long as it is within the same unchanged profile.

When you click the link in your email, you will be taken to a landing page confirming that the verification has been successful. The domain will stay unverified until your email has been verified.

When the owner email has been verified, in up to 15 days, the domain will automatically become delegated to the name servers configured.

5. OK, so what could possibly go wrong?

1. If you don't respond to the email verification, new domain names will remain inactive, and existing domain names will be suspended – even if they had once been active or verified.
2. For new domain registrations the domain name remains inactive until you have verified it. The status of those new domains will be listed as ClientHold in the WHOIS. If you haven't acted on the verification within 15 days, then you will have to request a new email from your domain registrar.
3. If you make an owner change, and you forget to verify the domain name, then the domain name will be parked on other dns.
4. This means that if you use it for a website, then the website will go down until reactivated..
5. If WHOIS data are not correct today and we notify you, then you have 15 days to get them in order, or the domain name will be suspended.

No response after 15 days and registry providers are obliged to terminate or suspend a domain name according to ICANN.

6. What you can do pro-actively?

You should check the WHOIS data of your domain names. You can check it at whois.com. If you have several domain names, then contact us or your registrar. We will be able to retrieve a report for hundreds of domain names. Take note if the email, phone number or postal address are incorrect and contact your registrar to update these WHOIS data. Make sure that your registrar's emails don't end up in your spam filter.

At the End of the Day

ICANN's wants to ensure more transparency. This is laudable but has backfired with these registrar verification procedures. These rules will create inevitable moments of panic for business owners that believe they are set up properly but could face significant downtime regardless.

This can have grave consequences such as a website going down or people losing access to their email, as the dns is removed until the link has been validated. In turn this will result in lost revenue, lost productivity and serious stress.

Additionally it puts an extra burden on domain registrars, which have to ensure that domain registrants are informed and act upon these validation links.

And the one thing ICANN has forgotten is that it also opens the door for scam artists, who will send similar looking phishing emails to domain name registrants looking to get a click or two to hijack a brand.

This is Your Intellectual Brand Property

Be informed, know what is real in domain management and ask questions if something looks odd or out of place. At least it is proactive and your registrar would rather answer one pre-emptive question than have your business go down for something as silly as this.