Domains aren’t stuck at the registrar where you registered them. You can transfer a domain to any ICANN-accredited registrar — and given the price differences, service quality variations, and consolidation benefits, people do it all the time. But the transfer process is deliberately cautious, built with multiple safeguards against unauthorized moves.
Understanding how transfers work will save you from surprise delays, accidental lockouts, and the frustration of a transfer that fails at step four.
Why Transfer?
Common reasons for transferring domains between registrars:
- Better pricing: Registrar A charges $15/year; Registrar B charges $10
- Consolidation: You have domains spread across five registrars and want them in one place
- Better features: Moving to a registrar with superior DNS management, API access, or security features
- Company changes: Acquisitions, mergers, or team reorganizations
- Dissatisfaction: Poor support, aggressive upselling, or reliability concerns at the current registrar
The Auth Code (EPP Code)
The authorization code (also called EPP code, transfer key, or auth-info code) is the password that protects your domain against unauthorized transfers. This code is managed through the EPP protocol that underpins all registrar-registry communication. Think of it as the domain’s secret handshake.
Every domain has an auth code set when it’s registered. It’s stored in the registry database and shared only with the current registrar and registrant. To transfer a domain, you need this code — without it, the transfer is rejected.
Getting Your Auth Code
The process varies by registrar, but typically:
- Log into your current registrar’s control panel
- Navigate to the domain’s management page
- Look for “Transfer,” “Authorization Code,” or “EPP Code”
- Request the code — some registrars display it immediately, others email it
- Some registrars generate a new code on each request (for security)
Some registrars make this deliberately cumbersome — hiding the option, requiring phone verification, or adding multi-day delays. ICANN policy requires registrars to provide the auth code upon request, but enforcement is imperfect.
Auth Code Security
- Auth codes are typically 6-16 characters, alphanumeric with special characters
- They should be treated like passwords — don’t share them publicly
- Some registries rotate auth codes periodically
- Compromised auth codes are the primary vector for domain hijacking
The 60-Day Transfer Lock
ICANN policy imposes a 60-day lock that prevents transfers in two scenarios:
- After initial registration: You cannot transfer a domain within 60 days of first registering it
- After a previous transfer: You cannot transfer a domain within 60 days of its last transfer
Additionally, some registrars impose a 60-day lock after changes to the registrant’s name, organization, or email (known as a Change of Registrant lock). This lock was introduced in ICANN’s 2016 Inter-Registrar Transfer Policy to prevent social engineering attacks where a hijacker changes the registrant email, then initiates a transfer confirmed to that new email.
The registrant can opt out of the Change of Registrant lock at some registrars, but it requires explicit action.
The Five-Step Transfer Process
Here’s how a standard gTLD domain transfer works, step by step:
Step 1: Preparation at the Losing Registrar
Before initiating a transfer, prepare the domain at your current (“losing”) registrar:
- Unlock the domain: Remove
clientTransferProhibitedstatus - Obtain the auth code: Request it from the registrar
- Verify contact email: Ensure the registrant email is correct and accessible — transfer confirmations go here
- Check eligibility: Confirm the domain isn’t within the 60-day lock period
- Disable WHOIS privacy (if required): Some registrars require disabling privacy before transfer; others handle it transparently
Step 2: Initiation at the Gaining Registrar
At the new (“gaining”) registrar:
- Search for the domain and select “Transfer In”
- Enter the auth code
- Pay the transfer fee (usually includes a 1-year renewal)
- The gaining registrar submits a transfer request to the registry via EPP
Step 3: Registry Notification
The registry receives the transfer request and:
- Validates the auth code
- Checks EPP status codes (if
serverTransferProhibitedis set, the transfer is blocked) - Notifies the losing registrar of the pending transfer
- Starts a 5-day countdown
Step 4: Confirmation Window
During the 5-day pending period:
- The registrant receives email notifications about the transfer
- The losing registrar can approve (instant transfer) or reject the transfer
- If neither acts: The transfer automatically completes after 5 days
This is the step where transfers stall. If the losing registrar rejects the transfer (with cause — like a dispute or fraud allegation), the process stops. If the registrant’s email is wrong, they never see the confirmation request.
Most legitimate transfers complete by automatic approval after 5 days. Some losing registrars proactively approve quickly; others let the clock run.
Step 5: Completion
When the transfer is approved (or auto-approved):
- The registry updates the registrar of record to the gaining registrar
- Domain data (contacts, nameservers) transfers to the gaining registrar
- A 1-year renewal is added to the domain’s registration (up to the 10-year maximum)
- The 60-day post-transfer lock begins
- Both registrars are notified of the completion
Critical note: DNS typically continues working throughout the transfer. The nameservers don’t change unless you change them manually at the new registrar. If you were using the losing registrar’s DNS hosting, however, they might delete your DNS records — always configure DNS at the gaining registrar before the transfer completes.
Transfer Timeline
Day 0: Unlock domain, get auth code
Day 0: Initiate transfer at gaining registrar
Day 0: Registry validates, notifies losing registrar
Day 1-5: Pending period (5-day countdown)
Day 5: Auto-approved if no action taken
Day 5: Transfer complete, 1-year renewal added
Day 5-65: 60-day post-transfer lock
Total time: typically 5-7 days. Can be faster if the losing registrar proactively approves.
Transfer Rejections and Disputes
Legitimate Rejection Reasons
A losing registrar may reject a transfer if:
- The domain is within the 60-day lock period
- There’s an active UDRP (domain dispute) proceeding
- The registrant has an outstanding payment dispute
- The domain has
serverTransferProhibitedstatus (set by the registry, not the registrar) - There’s evidence of fraud or unauthorized access
Illegitimate Rejections
Some registrars have historically rejected transfers without valid cause — essentially holding domains hostage. ICANN’s Transfer Dispute Resolution Policy (TDRP) provides a mechanism for resolving these disputes, though it’s slow and expensive.
Signs of bad-faith transfer obstruction:
- Requiring phone calls to “verify” transfer requests (delay tactic)
- Auto-rejecting transfers and blaming “security protocols”
- Making auth codes difficult to find or request
- Adding unnecessary verification steps not required by ICANN
If your registrar consistently obstructs transfers, file a complaint with ICANN’s registrar compliance team.
The FOA (Form of Authorization)
Prior to 2023, ICANN required the gaining registrar to send a Form of Authorization email to the registrant, who had to explicitly confirm the transfer. This was a security measure but caused delays when emails went to spam or outdated addresses.
ICANN’s updated Inter-Registrar Transfer Policy (IRTP-C, effective 2023) replaced the FOA with auth-code-only verification for most transfers, streamlining the process while maintaining security through the auth code itself.
Bulk Transfers
When organizations need to move hundreds or thousands of domains, the standard one-by-one process is impractical. Bulk transfers are handled through:
Registrar-to-Registrar Bulk Transfer
Many registrars offer bulk transfer tools that accept CSV files of domains and auth codes:
domain,auth_code
example1.com,Abc123!@
example2.com,Xyz789#$
example3.net,Def456%^
The registrar processes these as individual transfers but with automated submission and tracking.
BTAPPA (Bulk Transfer After Partial Portfolio Acquisition)
When one registrar acquires part of another registrar’s portfolio (common in mergers), ICANN’s BTAPPA process allows mass transfer without individual auth codes or the 5-day waiting period. This requires ICANN approval and ensures registrants are notified.
Change of Registrant (Not a Transfer)
Sometimes what looks like a transfer is actually a change of registrant — updating who owns the domain without moving it to a different registrar. This is governed by ICANN’s separate Change of Registrant policy and involves:
- Current registrant initiates the change
- Both old and new registrant must confirm via email
- The 60-day transfer lock applies after the change
Transfer Costs
The economics of domain transfers:
- Gaining registrar: Charges a transfer fee (typically $8-15 for
.com), which includes a 1-year renewal - Losing registrar: Receives nothing — the transfer fee goes entirely to the gaining registrar and registry
- Net effect: The registrant pays for the transfer but gets an extra year added to their registration
Some registrars offer transfer-in discounts to attract domains from competitors. The first-year transfer price might be lower than standard renewal, making transfers financially advantageous.
Key Takeaways
- Auth codes protect domains against unauthorized transfers — keep them secure
- 60-day locks prevent transfers after registration, transfer, or registrant changes
- The 5-step process: unlock → initiate → registry notifies → 5-day pending → complete
- Transfers take ~5-7 days and include a free 1-year renewal
- DNS continues working during transfer unless the losing registrar removes your records
- Configure DNS at the gaining registrar before the transfer completes
- Bulk transfers are possible via CSV tools or ICANN’s BTAPPA process
Next, we’ll clear up one of the most common points of confusion in the domain world: the difference between domain registration and DNS hosting.