Domain anti-theft best-practices

A big company is trying to find the best way to protect its domain.

What is the best practice to solve the following concerns:

  1. The account at the registrar website (GoDaddy/NameCheap/etc.), let's call it the owning account from now on, will probably use the company's email (e.g. [email protected]). But this creates a circular dependency: let's say that the domain was not renewed for some reason, then the company's email might also not work (e.g. no access to the mailbox when resetting the password).
  2. The employee owning the owning account's email might decide to harm the company by transferring the domain to his account, or releasing it.

?

A solution I thought of, but don't know if it exists: Does any registrar website (GoDaddy/NameCheap/etc.) support multi-email approval for harmful actions (let's say 3 predefined emails of the company will have to approve such suspicious actions)?


Some generic advice:

You will always get a renewal email sent long, long before the domain expires (usually months). Stop this from being a problem by using auto-renewal. Auto-renewals usually go through a month or so before the domain is due to expire so you have plenty of time to fix any billing issues if the payment fails.

Pay for the domain for the longest possible period. 10 years if you can. This can cause issues because in 10 years someone has to be around to know how to manage the domain and make sure it's renewed properly, because your billing information will have changed in the previous 10 years (I've never seen a credit card with a 10-year expiration date).

Domains cannot be transferred between registrars without a mandatory waiting period, and you should receive multiple notifications about the transfer giving you plenty of time to stop the transfer.

As for an insider threat: There is honestly not that much you can do about this apart from what you do for your other services. If you have a rogue internal employee, they can make sure they are in control of the mailbox that receives the notifications, and they can approve the transfers and then delete the evidence. You can find out after the fact, of course, but by then it's too late.

There are specialist registrars (e.g. https://www.markmonitor.com/ - not an endorsement) that deal with these sorts of issues so they certainly do exist.