New verification requirement is bound to ensnare some notable websites.
ICANN’s 2013 Registrar Accreditation Agreement is slowly going into effect at major domain name registrars.
The biggest change that people who register domain names will notice is whois verification.
Starting January 1, when you register a domain name, you will have to verify your contact details with the registrar. Most registrars will send a verification email to you with simple verification instructions.
The domain name registration will be suspended if you fail to respond with 15 days. Practically speaking, this means your domain name registrar is likely to change the nameservers on your domain name to point it to a warning page, similar to what happens when a domain expires.
If a newly registered domain name is suspended, it’s no big deal. It’s unlikely to receive much traffic yet, anyway.
But the new RAA also requires verification if you change the name or email address of the registrant. That’s where things get tricky.
After reading the relevant sections of the RAA and speaking to a few knowledgeable people in the industry, it sounds like how the update verification and suspension will be handled is open to some interpretation.
eNom sent a notice to its resellers today informing them of how it will handle changes to the registrant. If the first or last name or email address changes, eNom will send a verification email. If the domain owner fails to click a link in the email within 15 days, the domain will be suspended and the nameservers changed.
It’s not hard to see where this is headed.
At some point in the not-to-distant future, a fairly big website is going to go down due to lack of Whois verification. A company will make a small change to the contact information but fail to verify it. Perhaps the verification email gets flagged as spam. Or an IT admin thinks its a phishing scheme. Or an intellectual property manager at a big company makes the change, then goes on vacation before receiving the verification email.
It’s bound to happen, and a lot of people are going to scream and point fingers when it does.
Ah, and I thought you had a particular “big web site” in mind. But “big web sites” don’t change admin emails that often, and when they do, they are not employee but rather, role based.
They don’t do it often. But there are enough of them that it will happen to someone. Kind of like having your nameservers hacked 🙂
When they change DNS, I hope they don’t put up PPC advertisements and add unknown UDRP / lawsuit risk unbeknownst to a domain owner.
Great point!
If they did; and a Lawsuit was launched the guilty party is the one ultimately navigating the conduct, with care & control.
Under such circumstances, it wouldn’t be the Owner of the Domain Name, it would be the Registry above the registrar.
I am wondering what may happens when one will push a domain to someone and this person will push it himself to another person within a short delay (before he receives the email asking for identity confirmation).
This may be a real problem for escrow services, attorneys or marketplaces/brokers playing the middle man or simply domainers flipping domains. This should produce many hassles…
“I am wondering what may happens when one will push a domain to someone and this person will push it himself to another person within a short delay (before he receives the email asking for identity confirmation).
This may be a real problem for escrow services, attorneys or marketplaces/brokers playing the middle man or simply domainers flipping domains. This should produce many hassles”
You just hit the biggest problem with this.
I am a domainer and I flip domains under 15 days of ownership many times and like you said brokers and escrow who may act as a middleman and take hold of a domain temporarily to secure a transaction could be in for a buttload of problems.
Just another headache to take on.
In a side note your title is missleading, I changed in domaning.com to:
Many websites may going to go dark thanks to ICANN’s new Whois verification
Your changing the title? What gives you the right to change someones title? I no longer read your blog because you’re an idiot
That it’s “missleading” is your opinion. This blog is editorial in nature and not strictly a “news” site. I’d call the title “catchy”.
Le mieux est l’ennemi du bien.
Bien dit.
Hopefully registrars will batch large groups of domain names into one email should someone make a Whois change to hundreds or thousands of domains at the same time.
So if I register 10 domains in one day at the same registrar using the same whois data, will they send 10 verification emails or will I be considered verified after the first confirmation? How will this effect drop catching services using dozens of registrars…
You should only get one. Unless they haven’t done a good job implementing the system.
totally retarded. what does this even accomplish?
It somewhat keeps law enforcement at bay, who have been pressuring registrars to do something.
i hope it won’t be a huge pain for those who own large numbers of domains. i haven’t read much about this but all it seems to do is ensure a working email address. i don’t see how it stops people from putting in other fake information.
Andrew, you are 100% spot-on. Someone is going to be taken down, and then find out there is no recourse for consequential damages.
Actual cyber criminals will find ways to pass verification like shit through a goose. Bona fide website operators with a typo in their Whois data, or who miss an email for any of the reasons you mention, are goin to get hit with this.
This is not a data-driven policy change. There was no impact assessment of this change on either cybercrime or unintended consequences.
We’ve already seen how the current Whois verification emails led to compromises by spoofing, just as the fake renewal notices have done. The relevant policy actors have that rare mix of ignorance, arrogance, and power.
You mean there’s a way for scammers to get free anonymous email accounts? That’s crazy!
As long as my [email protected] or gmail.com or @whatever.com mail account is ok to received mail it will be good.
There was a VERY easy and sensible solution to that issue. The fact that they chose suspending the domain instead can only mean that there was something to gain, esp. by registrars. Anyway, if they are so concerned about verification, the could make e-mail validation obligatory to process registrant’s details change. Without clicking the verification link, the details simply wouldn’t change, which seems way better than letting the change through and then suspending the domain…
As for new domain registrations, it would be a little more tricky, because every second can matter – but with new domain they might as well stick to their “verify or suspend” policy, since – as you wrote – it wouldn’t do as much harm. But again, if they are really so concerned about using the domains for spam, phishing etc. – they should make e-mail validation obligatory to enable delegation of the domain. 15 days is plenty of time if someone wants to use the domain for spam and then dump it.
@ pb – the registrars didn’t want any of this. Law enforcement pushed ICANN into doing this.
The idea of email verification to make a change is interesting. I know law enforcement wanted verification to occur before a domain could be used, but that would have been a mess in the typical domain name registration process. I think the issue with email verification to make a change is that adapting control panel systems to do this would be a pretty big burden. It wouldn’t be a burden on big registrars, but it would be to small registrars.
John is right, this will not refrain scammers but will adds the huge risk to stupidly lost a domain, plus additional work and worries.
Plus, what about unscrupulous registrars trying to take advantage of this new rule to get valuable domains from owners.
On top of that put the problem most registrars emails use to land into spam box, for Moniker for example it’s always!!! So if someone have a tip to avoid it he is welcome to share it there (I use GMAIL).
Worst! Some networks like AOL simply do not deliver emails if it contains a domain “blacklisted”, and trust me it happens often and for names you will not even imagine hos is it possible. So in this case you will never
receive the email notification.
Plus people are not aware of this. Yesterday I received an ENOM email 1 mile long about policy changes that for sure I did not read (imagine people that have a poor english knowledge) and moved it directly to the trashcan, so if it was the announcement then I missed, and like me a lot did probably the same.
Will come January and certainly most domain owners will not be aware of this:
In the past we all use to receive such identity checking notifications but because there was no obligation or no risk then we did not take care.
What will happen when one will receive such notice and will delete it like always without even read it?
It can be catastrophic for a LOT of sites owners!!!
I invite all domain bloggers to relay this information, I will also give more exposure to this to help.
I don’t believe that registrars can take ownership or delete domain names as a result of non-compliance. They can only suspend the domain names.
Regarding not having Moniker emails go into spam in Gmail, see this:
https://sites.google.com/a/vcu.edu/appsforvcu/gmail/how-to-whitelist-gmail-nevers-moves-to-spam-certain-contacts-or-domain
Thanks Andrew!
1. I’m sure Godaddy will charge a fee for non-compliance.
2. As stated above, registrars will find a way to take ownership of the more valuable domains.
3. It is very easy to set up blind ownership email addresses. As well as, blind ownership addresses and phone numbers. I’m sure someone will set up a business/service just to aid in the continuous of safe, blind ownership.
4. As it was implied above, this new rule is only going to hurt the innocent (or the unknowledgeable about domain ownership rules). The bad guys will adapt and thrive.
5. Registrars will increase registration/renewal fees using the excuse of increased domain verification procedures.
“In the past we all use to receive such identity checking notifications but because there was no obligation or no risk then we did not take care.”
I actually have a filter in my mailbox that puts all those WDRP mails directly to trash, where they belong… I wonder how many people do he same. Or even worse – mark them as spam. That would explain why Gmail and other mail operators treat them such as you wrote.
The identity checking emails dont make sense, if the address is wrong, they are sending an email to the wrong address to see if its wrong…..so bad address dont get fixed and you only get emails on names that have the correct address.
If Icann wants to push the moronity button further with this, then it is best for everyone that Registrars start building a notification control panel just for this, so that people don’t need to click on phishing emails, because I certainly won’t click.
If I have a message from my registrar, I have to have a notification inside my control panel to solve it out…
I think some registrars will send a code to you that you then have to login and use. There has to be some way for your to verify your email address (provided that is what you changed).
Andrew, in case of a domain transfer, that’s just adding another step to the process. If not, people need that notification panel and the code could be a nice idea. If you are changing an email and it’s not a domain transfer, you had to have the email at some point I guess.
But will they send the new email address an email as well?
Anyway, if something goes wrong, it won’t actually be the registrars fault, and that’s the scary part…
Totally pointless, no one’s going to register a domain with an email address they can’t access so what’s this going to change/prove? People can still easily put fake whois details in the forum and verify it with an email they have access to!
If any of my sites or clients sites go down due to this they can expect a letter from the solicitors for loss of earnings! And I’m sure many other sites and companies will feel the same!
Who is, “they?” The registrars? You indemnify them by signing up. Is it Verisign? Ditto. How about ICANN? ICANN operates with zero liability. Who is. “they?”
“the registrars didn’t want any of this. Law enforcement pushed ICANN into doing this.”
Are you quite certain? They made ICANN do *something* but who devised the method? And why did they go with this one, of many possible options?
As an operator of a registrar, I can assure you we certainly did not want any of this. I was personally on multiple webinars presented by ICANN for registrars, and I can tell you many people representing their registrars, including myself, objected loudly. These new verification requirements will cause many more problems than they will solve (some of which have been pointed out above). There is a major disconnect between those that set policies and those of us that run businesses. Further, related to these new rules, registrars were “represented” by a group of registrars (comprised almost entirely of the largest registrars in the world), and that group claims to have reigned in further problematic new rules. Of course, this group of registrars has their own motivations that many times do not reflect what is best for all registrars, or, more importantly, domain registrants and web site operators. There are many more changes ahead as more registrars implement the 2013 RAA. These changes seem to be a mixture of ICANN and the registrar working group keeping law enforcement temporarily satiated, and extreme over-reactions and useless rules to problems that largely do not exist. I feel sorry for many smaller registrars with limited capacity, and registrars and registrants whose native language is not English. There are also many new rules governing data collection and retention – some of which have already proven to be illegal in several countries. Registrars are also now required to maintain 24/7 resources for “legitimate” fraud/abuse complaints. There are also several changes regarding how resellers operate which will have a severe impact on many of their current business models. Hopefully the complaints get loud enough from the Internet community that ICANN retracts some of the 2013 RAA requirements. We have made the decision to not sign it until the very last minute possible.
What will happen after we click on the link in the verification email?
All what we should do is to click on the link? is there any further verification steps or pages to fill? or just a simple click.?
It’s up to each domain registrar to implement it. Some registrars might just have you click in an email. Others might give you a code you need to enter after logging back in to your registrar account. Watch out for phishing attempts.
Thx Andrew,
Is there any chance that the registrar will send a code as SMS to the registrant phone or call the registrant to tell him the code? I think I read this in the ICANN as an option, “email or phone”?
Yes, SMS and phone calls are allowed per the RAA. As Andrew said, it is up to each registrar to determine their authentication mechanism(s). We will likely be using email and SMS with a fallback for phone calls.
What will happen if one my customers uses an outdated phone number? Is the registrar will allow me to update the Whois data and change the phone number to a a valid one.. or the registrar will suspend the domain directly?
Well Andrew.
My web site has been down for over a week now
Its asking me to enter a number code, then says a e.mail
is being sent to my e.mail address, but no mail is received.
On contacting web server, they say they have sent a verification code
but this also does not arrive.
There is no junk mail and web addresses have been white listed.
Pulling my hair out , as I do not know what to do to get site back up.
http://www.waltonindoorbowlsclub.com
Gary
Well here is a sample. Happened to me today. I am a reseller for a registrar. One large client transferred their email to another provider. When this happened, the Whois contact for one domain out of 36 they had was a person no longer with the company. ICANN sent the notice, 15 days go buy and bam, site goes down. We reinstated the email, the registrar resent the verification, we performed the steps and here we are 30 hours later and the site is still pointing to a St. Petersburg Russia DNS awaiting reinstatement. I am sure this is going to happen again with a large domain. It is a very bad system.
it’s just happened to me know… whats the point of this !
I got mine back by changing my e.mail address, for some reason, it did not come back to my hotmail one, so set up a yahoo account and bingo I got the code and site was back up in 10 minuets
Same happened here… we have a large adserver and someone made an update, can’t fine the person around to verify and we have been trough 4 million impressions on a domain that is pending…..so shitty
Which domain name is currently down so I can see the registrar error message?
We just got hit at a client. Messages ended up in the spam box.
I’m thinking class-action lawsuit for loss of business against ICANN and all of the representative registrars involved in creating this.
“Who is, “they?” The registrars? You indemnify them by signing up. Is it Verisign? Ditto. How about ICANN? ICANN operates with zero liability. Who is. “they?” ”
They only have zero liability until a court says that they don’t. And when millions of dollars of losses are involved I guarantee there will be a court that says they are liable.
Dan
Enom is selectively targeting parked traffic domains with these new rules.
I call on an industry boycott of domainers — not to deal with enom anylonger. someone needs to send these idiots a message.
AND WHATEVER YOU DO, IF YOU DO NOT WISH TO BOYCOTT, DO NOT REGISTER A .CO.UK DOMAIN THRU INTERNET.BS
as they are targeting all domains for Valid ID photocopy thru this registry in particular as a means of suspension. F*ck Enom! they suck, and are just a bunch of crooks looking for reasons to justify taking “domainer’s” domains
away.
Again — BOYCOT ENOM! AND ALL .CO.UK REGISTRATIONS COMPLETELY
AND LETS SEND THESE CROOKED REGISTRIES A MESSAGE WHO ARE ATTEMPTING TO RUIN OUR INDUSTRY.
WHO NEEDS A 5 CHARACTER EXTENSION ANYWAY. Really.
.CO.UK it’s a joke and I will never enter it into my browser ever
again.
Im totally on board with a ENOM boycot! Enom in particular has been targeting valuable traffic domains to take away thru the suspension process for the last several months.
They don’t take domain names away, and eNom gets no benefit from suspending domain names for invalid whois. So trust me, they aren’t targeting high traffic sites to do this.
Well all 5 of my .com domains got suspended on Sept 5th. All of the involved parties, including the ICANN have failed to a) inform me of their new (idiot) rule, b) failed to send my validation e-mails and c) failed to support me in this matter in any manner. I am so angry now:
I spend 3 days researching what has happened to my domains, due to the weekend in between I had no customer service to provide me with information. When I finally did get a reply, the idiot blamed me premium theme for the blockade. I kept pointing him to DNS issues and complete blocking of both my 5 domains and their e-mail accounts. He should have been able to see that it was due to suspension. NOH!!! I needed to google my ass of to figure out what this shit was. And this shit that I am is ICANN. Companies like these, that are so called guard dogs should be mandatory to INFORM ALL DOMAIN OWNERS prior to their stupid rule changes. If I had known this in jabuary 2014 I would not have bought 2 more .com domains and would have advised my clients not to do it either. Oh and lets not forget I can not change or undo anything to speed up the end of suspension because my hosting provider does not show my domains as suspended in the Admin panel.
This is an invasion of my property (my domain is my property be it virtual, I bought it, I maintain it, I have it as my main tools for business promotion). And here I thought I was hacked. Anonymous? NOH!! A legal organisation called ICANN. They should be suspended from the web’s existence! Organisations like these and their infiltrating habits are the real danger!
So after all the hubub, and the ranting and raving, it appears that most registrars have assented the 2013 RAA (http://www.internic.net/alpha.html) and now this rule is being enforced en masse, most recently at netfirms.com (which is not even listed on the internic list).
It’s clear that one cannot fight ICANN or the large registrars, and what’s best to do is implement the best possible verification scheme possible. But surely these sort of policies need a bit more thought going forward. Are we really going to use an email address as a way to validate whether the information is valid. Surely there needs to be some higher level way to authenticate domain name information to avoid fradulent registrations and moves.
It happened to me (and a large number of other domain owners, according to the ISP/registrar). I validated my email address in May 2015, but the domain was suspended today apparently because the domain privacy protection email address (supplied by the registrar) had not been validated.
Here is my letter to ICANN
I have just got off having spoken to 3 customer tech support agencies dealing with 3 seperate web hosting services trying to find out why my website had been down for over 4 days.
My website is 10 years old and suddenly “went down” for no apparent reason on Friday August 21st, 2015.
What happened was that 10 years ago when I first registered my e-mail address I had used an old e-mail that I no longer use.I had received a “verification” email to this address, but did not receive it as it was not longer being used by me.
So after 4 days of contacting tech support and other agencies, we finally traced it back to where I had orignally purchased my domain name. Where upon I had to “verify” that I was the owner.
You know security is a real cover for taking away democratic rights and freedom. This ploy has been used since time began and is still being used today.
When an organization like ICANN can cause webmasters to “obey” a simple rule such as “verification” and have their websites turned off for no apparent reason, they will continue to enroach on our freedom using this technique. This means in the future new “verification” rules will gradually creep into being, and possibly more money having go from webmasters pockets to ICANN. The same process occured with the automobile, first registration, than driver’s licences, than insurance and so on. ICANN wants to make the internet the same way.
YOUR NEW VERIFICATION RULE STINKS! of TYRANNY.
My domain won’t renew as it says ICANN registration failed, I am sure my service provider missed to check the link. What can I do now? Who to contact and what to do?