Just a gentle musing on the concept of domain name management, website hosting, and email.
From time to time, I receive phone calls about an apparent website hijacking problem: the caller’s website appears to have either been wiped from existence or an unexpected web page appears, albeit the unexpected web page may appear as a domain name for sale or domain name registrar under construction page.
Maybe you know where I’m going with this . . . It’s about domain name verification. In my experience, domain-related verification outages are more likely than hosting company or regional service outages and can take days longer to resolve than most hosting service outages.
The good news is that these domain name verification issues can be easily mitigated by making a simple change to your domain name’s settings. We’ll discuss strategies for mitigating domain name verification outages later in this article.
In case you are not familiar with today’s domain name verification requirements and why this subject is so important, let’s start with a little history and a case example.
In 2014, the Internet Corporation for Assigned Names and Numbers (ICANN) decided that all domain names must have a valid and verified registrant email address associated with each domain name. Initially, this requirement was well received. That policy helped reduce the problem of domain name hijacking that was rampant at that time.
Then, in the later 2010s, ICANN began adding additional requirements, such as requiring the verification of physical address changes as well. Initially, change verification requirements were fairly passive, in that without verification within a short period, the change request would simply be denied by default. More recently, since around 2020, domain name registrars began instituting an email verification-by-clicking a-link policy.
Since ICANN has required all registrants have a legitimate and working email addresses associated with their domain names and have for more than a dozen years, the policy seems rather reasonable on the surface. Only one problem: email management is not so black and white. Spam filters and domain name registrar infrastructure problems do prevent email from either being seen or arriving at all. So, what to do . . .
Calling back to a client’s website hijacking concern and why this situation is often confused for hacking, or worse. Often these outages occur without warning. When a domain name is not appropriately verified and is “suspended” by the registrar, the question of what’s going on is often not so obvious. Due to page caching, some visitors may continue to see the website loading without error, while others may see a blank page (while the domain is propagating to the registrar’s suspension web page), and still others may see the domain name registrar’s “domains for sale” page.
In the case of GoDaddy, for instance, the situation may go a bit like this: First, the owner of the site begins receiving phone calls or emails regarding the site displaying as down or showing a “funny page.”
The website owner then begins to notice emails not arriving as expected and may begin to see their website displaying either a blank page or a web page with words like “Get This Domain” and/or links to their competitors’ websites in the body of the page. If you’re unfamiliar with what domain name registrar parking or suspension pages look like, these pages can look very hacker-like.
At about this point, the website owner freaks out and begins calling anyone who’ll listen: friends, neighbors, web designers, and any website security company with a phone number, all in an attempt to figure out what is going on.
“Has my site been hacked or hijacked?!”
Hours may pass while propagation of the domain to the domain name registrar’s domain name parking page completes, and the situation becomes clearer. At which point everyone involved begins singing the same tune: “Something’s wrong at the domain name registrar,” “Something’s wrong at the domain name registrar,” “Something’s wrong at the . . . “
With GoDaddy, the situation often spirals into hours-long waits to reach someone by phone or chat. In case you’ve not personally experienced GoDaddy chat sessions, they usually start with having to navigate through a bot decision tree until a person is reached. Invariably, once a knowledgeable support person seems ready to explain what’s going on, the connection will mysteriously drop, with support person #1 disappearing, and a new person appearing who seems oblivious to what you just spent the last 30 minutes chatting about—and around and around it goes.
Into the fourth hour of the website being down, the domain name owner may begin to understand that the situation occurred due to Bobby Sue’s changing some contact record at the registrar. And with no one noticing the email from the registrar sent to the registrant’s email address, or that email never arriving at all, the domain name was not so summarily suspended by the domain name registrar and will remain so until the link is clicked within the email verification email message.
Since verification is tied to the domain name’s registrant email contact address, guess what happens when the email contact address (e.g., [email protected]) uses the same domain name as the domain name that’s been suspended (domainY.com)?
Answer: 1 to 3 days of downtime.
In GoDaddy’s case, changes made to verify changes to contact information, like changing the registrant’s email address from, for example, [email protected] to bob[email protected], may take as long as 72 hours.
Tangentially, this same lesson applies to WordPress logins as well. For instance, if you have a WordPress website, be sure to choose an email address other than your WordPress website’s domain name address as your WordPress administrator user email address as well (e.g., [email protected]). In the long term, you’ll be glad you did.
Domain name update verification failures are the most likely and easily preventable outages your website will experience in this decade.
To be forewarned is to be forearmed.
If you make a change to your website’s domain name and do not respond to the verification request you could find your website offline for days.
Watch for that email and click that link!
* ICANN Verification and Authentication – Domain Management, https://www.domain.com/help/article/domain-management-icann-verification
* Verifying contact information for ICANN Validation, https://www.godaddy.com/help/verifying-contact-information-for-icann-validation-8948