
ICANN's new rules for domain registrants require you to verify an email address - alexbilbie
https://iwantmyname.com/blog/2014/01/icanns-new-rules-for-domain-registrants-require-you-to-verify-your-contact-details.html
======
nitinag
Competitor registrar here. This is actually required by the new 2013 ICANN
contract. Not all registrars are on the new contract yet, but those that have
already signed are required to start following it as of January.

Link: [http://www.icann.org/en/resources/registrars/raa/approved-wi...](http://www.icann.org/en/resources/registrars/raa/approved-with-specs-27jun13-en.htm#whois-accuracy)

You can thank the law enforcement lobby and ICANN wanting to keep them happy.
All of us registrars fought hard against it for a number of obvious reasons,
but they went forward with it anyway.

Almost all registrars will be on the new contract soon if they already aren't
because ICANN made it a requirement to be able to sell the new GTLDs. This is
now going to be a normal part of owning a domain name.

~~~
rossjudson
Can you clarify what the 'obvious reasons' are, for those who are not domain
experts?

~~~
belorn
Example 1: You are a large company, and registered 200 domain names for
various products, spellings, local shops and such.

That is 200 verification emails, which now need to be pressed or whoops, no
more working web shop, email!, and internal API will stop working and so on.
Remember that broken DNS will cause emails to bounce rather than being resent
later by the mail server.

Example 2: A company is changing name/owner, and in the middle of all this needs to
register a new domain name. Whoops, forgot to activate in all that?

Example 3: technical contact is on vacation.

~~~
talideon
Your first example isn't correct. As with the existing WDRP emails that people
receive, registrars can batch the verifications. Also, verification doesn't
need to be done on a domain-by-domain basis, but on a contact-by-contact
basis, thus if all 200 domains use the same one contact in all roles, only one
verification needs to be done.

Of course, if your registrar doesn't manage contacts as separate objects from
domains (and some don't), then yeah, you'll end up getting a boatload of
verification emails.

You'll also start finding a bunch of registrars doing email address checks to
ensure deliverability _before_ any registrations or contact updates are
performed: this is for the customer's good and the registrar's good.

Registrars have to make a best effort to contact the customer by email. That
means that if the email _does_ bounce initially (due to DNS issues, full
mailbox, &c.), it's up to the registrar to try again until the grace period
expires.

Your second one isn't correct: if your contact has already been verified,
there's no need to verify again. It's only if the contact is new or updated
that verification needs to be done.

In the third case, you should be using _roles_, not individuals. Mail aliases
were invented for a reason: no one person should be receiving these emails, so
it's really your own tough luck if you're a business and you're not ensuring
that there's somebody always able to receive and process the emails. Moreover,
verification happens when a contact is created or updated, so it should be an
address with somebody _immediately_ able to process the verification request.

As far as my ability to write authoritatively on the subject goes, I'm the
development lead for a registrar, and implemented most of our domain
management system myself.

------
larrys
Registrar here.

Here are the applicable rules. As nitinag pointed out, this is only for
registrars who have signed the 2013 RAA. Registrars still under the 2009 RAA
are not bound by this. (At some point they will have to sign the new RAA and
they will right away if they want to sell (as was pointed out) the new f TLDs.)

[http://www.icann.org/en/resources/registrars/raa/approved-wi...](http://www.icann.org/en/resources/registrars/raa/approved-with-specs-27jun13-en.htm#whois-accuracy)

While I can't speak for what other registrars will be doing, these ICANN
policies in the past tend to leave plenty of wiggle room and the ability to
game the system (by registrars) if they want to.

Specifically:

"In either case, if Registrar does not receive an affirmative response from
the Registered Name Holder, Registrar shall either verify the applicable
contact information manually or suspend the registration, until such time as
Registrar has verified the applicable contact information. If Registrar does
not receive an affirmative response from the Account Holder, Registrar shall
verify the applicable contact information manually, but is not required to
suspend any registration."

------
rip747
To quote the source:

====================

Verify: the email address of the Registered Name Holder (and, if different,
the Account Holder) by sending an email requiring an affirmative response
through a tool-based authentication method such as providing a unique code
that must be returned in a manner designated by the Registrar, or

the telephone number of the Registered Name Holder (and, if different, the
Account Holder) by either (A) calling or sending an SMS to the Registered Name
Holder's telephone number providing a unique code that must be returned in a
manner designated by the Registrar, or (B) calling the Registered Name
Holder's telephone number and requiring the Registered Name Holder to provide
a unique code that was sent to the Registered Name Holder via web, email or
postal mail.

In either case, if Registrar does not receive an affirmative response from the
Registered Name Holder, Registrar shall either verify the applicable contact
information manually or suspend the registration, until such time as Registrar
has verified the applicable contact information. If Registrar does not receive
an affirmative response from the Account Holder, Registrar shall verify the
applicable contact information manually, but is not required to suspend any
registration.

====================

So there are other methods that ICANN outlines in order to verify the account
holder information to activate the domain, not _just_ an email address like
the article states.

------
billpg
I already get all sorts of emails sent to the address listed on whois. Most,
if not all, are outright scams. So now one of those will actually be genuine?

But which one?

~~~
abjorn
The one from your domain registrar, I would imagine.

~~~
billpg
I have a separate secret mailbox for them to use.

I get plenty of emails in my whois-listed mailbox that purport to be from my
registrar. Guess how many are genuine.

~~~
talideon
Basically the same way you tell if any email you receive is genuine and not a
phishing attempt.

Also, consider using your registrar's WHOIS privacy service, if they provide
one: your registrar only has to ensure the details you provided are genuine,
and those can be masked in WHOIS.

------
slashdotaccount
We need decentralized DNS (like Namecoin) systems. Properly implemented
cryptography and decentralization is the only hope for the free internet to
remain free.

~~~
anoncow
But do people want a free internet? People are looking for a medium they can
profit from. And we are shortsighted by default.

~~~
SkyMarshal
People != People

------
kijin
How will this affect registrars that offer to hide your email address behind a
randomly generated and periodically rotated address that forwards to your own?

For example, NameCheap's WhoisGuard service has an option to rotate the email
address every 30 days. If I subscribe to a service like that, will I have to
verify the randomly generated address every time it is rotated?

~~~
thirsteh
Namecheap and their whoisguard have already been sending out annual or
bi-annual emails asking you to confirm that the address details are correct, but
it sounds like those emails will contain some confirmation link in the future.

~~~
kijin
That was not my question.

Right now, they only ask for confirmation once a year regardless of whether
there has been any change of contact info. But OP makes it look like I'll have
to verify my email address _every time it changes_, and one of the main
features of WhoisGuard is that the email address in my whois changes _all the
time_.

If I tell NameCheap/WhoisGuard to rotate my email every day (probably
overkill, but it's possible), will I wake up every morning to find a new
confirmation link in my inbox?

~~~
nitinag
You'll only have to confirm any underlying email changes in your example.
However, the new ICANN contract also mandates a yet to be defined "Privacy and
Proxy Accreditation Program", which will bring changes to the different whois
privacy services that registrars currently offer.

------
huhtenberg
This doesn't look like verifying contact _details_.

It looks like verifying a contact _email address_, which is nothing new and a
routine with most registrars anyways.

~~~
aeden
The difference is that the registrar is now _obligated_ to shut down any
domains where the registrant changes first name, last name or email address
and does not verify the email address using the link from the sent email. This
is why it's such a big deal.

------
unethical_ban
One other has clarified, and it's important: Email is pseudonymous, and that's
all that is required. Frustrating, but not quite as speech-quelling as
addresses and phone numbers.

Oh, and you bought that domain with a credit card.

~~~
trentmb
Do registrars not accept pre-paid cards?

~~~
unethical_ban
I haven't tried personally, but most of the time now one cannot purchase or
use a prepaid card without associating it to an address.

You know, for turrursm.

~~~
MichaelGG
Associating an address is as easy as Googling "1 Main Street" in whatever town
you'd like, and grabbing the zip code. There's no real verification to it.

------
uptown
Are these formal ICANN rule-changes, or just how iwantmyname is choosing to
enforce the verification aspect of domain ownership? Seems like what they're
saying they may do is replace your domain with some lead-generation
landing-page similar to what many domain registrars do upon registering a new domain
prior to modifying the DNS settings.

~~~
devicenull
It's almost certainly just them. You'll note that you haven't heard of any of
the other registrars talking about this.

~~~
aeden
No, this is incorrect - it is part of the new Registry Registrar Agreement
that ICANN ratified earlier this year. It goes into effect 1 January. All
accredited registrars will have to agree to it this year to retain their
accreditation.

------
salient
I blame Google for this. Yes, there were others who pushed "real name
policies" before, but it wasn't until Google when they _really_ forced people
to do it, and now that they got away with it, others are taking the example
from them, and doing the same.

~~~
rossjudson
Real name policies greatly benefit the community as a whole. Of course we all
see that there is a rare need for anonymity, but it should be far from the
default. I wish the net could be divided into two halves -- "Willing to put my
name behind what I write", and "Anonymous Cesspool".

~~~
Sanddancer
Tell a transperson that. Or an abuse survivor. Or someone with HIV trying to
get information. There are many, many, many situations where requiring real
names is harmful to a community. As a further counterexample, look at news
sites which use facebook comments as their backend. People are quite willingly
assholes even if their "real" name is behind what they write.

~~~
rossjudson
As I said, there is a rare need for anonymity, and it should exist -- on the
'anonymous net'. Anonymity is abused far more often than used.

------
Istof
Can the registrars send an automatic reply on behalf of their customers?

~~~
talideon
No. That wouldn't constitute verification and validation of contact details,
and registrars are required to verify and validate any contact details provided
to them. It's the _registrar_ that's contacting the customer, not some other
third party who they deal with.

------
squintychino
How will this affect current domain squatters? Will they be required to follow
this when they renew these domains? Or is this just for new registrations
moving forward?

~~~
talideon
It doesn't, aside from it being more difficult for them to hide behind invalid
contact details, which should make it easier for others to initiate UDRP
proceedings against them.

As soon as they register a new domain with a registrar under the 2013 RAA or
if they update their contact details, they'll be forced to validate them.

------
marincounty
ICANN needs to lower their price per domain. I don't think they originally
thought so many people would buy a domain? Or, just got greedy?

~~~
talideon
If anything, it's the registries who will need to lower their cut. They have
the largest margin out of ICANN, the registries, and the registrars. The
registrars, however, are the ones who are going to end up hurting because the
onus to check all this stuff is on us, and margins for registrars are thin as
it stands.

------
zAy0LfpBZLC8mAC
But isn't it still possible to use an address at the newly-registered domain?
And what's the point then? Or, if not, how broken is that?

------
coherentpony
Is there a way to register a domain name completely anonymously?

~~~
talideon
No, not any more, and strictly speaking there hasn't been one for quite some
time. Your registrar needs to have accurate contact details for you, but you
can use their WHOIS privacy service (if they provide one) to ensure the rest
of the world doesn't have your contact details. Before the 2013 RAA, you were
_still_ required to provide accurate contact information, it's just that the
onus was on the registrant, not the registrar, to ensure the contact details
were accurate unless the registrar or ICANN received a complaint about the
accuracy of the contact details associated with a domain.

------
crististm
What would it take to have a p2p DNS?

~~~
jpalomaki
Check Namecoin and dot-bit [http://dot-bit.org/Main_Page](http://dot-bit.org/Main_Page)

------
absconditus
Why are so many of you upset by this?

~~~
marincounty
I'm not--but I don't like what they charge per domain. I can deal (go
elsewhere) with Godaddy, but I can't deal with fixed costs.

------
bachback
15 days. I am literally stunned. So if you go on a long holiday you might come
back and your site is .. banned. Way to go on free speech.

~~~
wtallis
There's absolutely no reason to be stunned, surprised, or disappointed that
not finalizing a transaction within two weeks will result in discontinuation
of the service.

These verifications don't show up out of the blue. They're only for when you
create or modify a domain registration. If you change your domain records less
than an hour before going off-grid for an extended vacation, you deserve the
consequences.

