What you need to know about domain security and EPP codes

Greg Oprendek

Domain security is important for any domain owner, but especially so for domain investors and businesses. The first protection you should know how to use is built into the most basic management of your domain: the EPP code.

Without proper protection like this auth code, your domain name could be open season for hijackers and impersonators who can steal it away from your account, leaving you little, if any, recourse to get it back.

This guide will help you protect your domains from fraud or theft by introducing you to the domain industry’s best security practices. There are default security methods that come standard with every domain purchase, and others that can be added for extra domain security.

Here’s what this guide will cover:

  • What is an EPP code?
  • How does an EPP code secure my domain?
  • How do I get the EPP codes for my domains?
  • What other ways can I protect my domain?

Ready to jump in? Let’s go.

What is an EPP code?

Sometimes called an auth code (abbreviated from authorization code), auth-info code, or transfer code, an EPP code is a unique identifier that is assigned to each domain name. EPP codes come standard as a security method for all domain names.

You can retrieve an EPP code for any of your domains through the registrar where you currently manage your domain.

The EPP code appears as a random string of letters and numbers. Each domain you manage will have its own unique auth code, and any registrar that receives a request to transfer in your domain will need the code to verify ownership of a domain in order to start the transfer.

How does an EPP code secure my domain?

Think of the EPP code for each domain in your portfolio like the deed to a house. In order to transfer ownership of your domain or move your domain from the management of one registrar to another, you must provide the EPP code or auth code first.

The EPP code assigned to your domain(s) acts as an additional password, giving you a clear, irrefutable way to prove ownership of your domain. Essentially your EPP code centralizes the control over your domain to one specific contact, leaving no room for malicious actors to seize the domain without account access.

The biggest threat EPP codes safeguard against is domain hijacking.

This happens when a bad actor gains unauthorized access to the control panel of a domain, allowing them to change the settings. This includes transferring the domain’s ownership to another registrar or to another person.

Hijackers may try any variety of identity theft methods to gain unauthorized access to your domains, but without access to your account, the hijacker will be thwarted.

Your auth code acts like a password, which stands as a line of defense against their attacks. The hijacker would need the correct auth code in order to steal or transfer the domain.

How do I get the EPP codes for my domains?

Each of your domains comes standard with its own corresponding EPP or auth code, which is generated by your registrar at the time you create the domain. Your EPP code stays securely locked away in your account until it is required if you choose to make a transfer or ownership change on your domain.

You can retrieve your EPP code yourself by simply following your registrar’s instructions on requesting the auth code for your domain(s), which are usually listed in their help documentation, just like you find at GoDaddy.

Per regulation implemented by the Internet Corporation for Assigned Names and Numbers (ICANN), EPP codes are only given out to the contact listed in the WHOIS information on the corresponding domain.

In practice, this means that anyone who can access your domain management account can retrieve auth codes for your domains, so adding extra layers of security to both your domain account and your domain names is highly recommended.

What other ways can I protect my domain?

There are many options available to secure your domain in addition to EPP codes. Let’s look at a few (listed in order of highest security) and go over their various uses.

1. Registry lock

Placing a registry lock on your domain adds two layers of security to your domain before any changes or transfers can be made to it. When a registry lock is applied, no attributes of your domain are changeable and no transfer or deletion transactions can be processed, with the exception of renewals.

For example, if you registered and added a registry lock, and then wish to move or transfer ownership of the domain, you must work with your registrar, who will then in turn work with the XYZ registry (operator of the .xyz domain extension) to lift the registry lock.

Having both registrar and registry work together before a change is made to your domain adds two extra sets of security checks and prevents hijacking by placing strong barriers between your domain and the potential thief.

Though this is just an example case, XYZ is one of the domain registries that supports registry lock for its entire family of domains:


If you have a name registered with any of XYZ’s extensions, you can apply registry lock today and keep your domain safe.

2. Registrar lock

Similar to registry lock, registrar lock applies a status code to your domain that prevents any modification of it including transfer or deletion, an important note for domain investors and businesses who secure long term registrations.

Depending on the features provided by your registrar, initiating a registrar lock can also prevent modification of the domain’s contact details or DNS settings.

In addition to the EPP code, having a registrar lock on your domain makes it more difficult for the domain to be quickly transferred to another registrar, a common first step that domain hijackers will take.
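The registry and registrar locks described above show up in public WHOIS output as EPP status codes, so lock coverage can be audited from outside the account. The following is an added example, not code from the original article or from any registrar: it assumes the standard RFC 5731 status names ("client*" set by the registrar, "server*" set by the registry), and the WHOIS excerpts are constructed.

```python
import re

# EPP status codes defined in RFC 5731. "client*" codes are set by the
# registrar (registrar lock); "server*" codes by the registry (registry lock).
ACTIONS = ("Transfer", "Update", "Delete")
STATUS_LINE = re.compile(r"^[ \t]*(?:Domain[ \t]+)?Status:[ \t]*([A-Za-z]+)", re.I | re.M)

def parse_statuses(whois_text):
    """Collect status codes, lower-cased, from 'Domain Status:' lines."""
    return {m.group(1).lower() for m in STATUS_LINE.finditer(whois_text)}

def lock_level(statuses, prefix):
    """Return ('full'|'partial'|'none', [missing codes]) for one lock type."""
    wanted = [f"{prefix}{a}Prohibited" for a in ACTIONS]
    missing = [w for w in wanted if w.lower() not in statuses]
    level = "full" if not missing else "none" if len(missing) == len(wanted) else "partial"
    return level, missing

def audit_locks(whois_text):
    s = parse_statuses(whois_text)
    registrar, registrar_missing = lock_level(s, "client")
    registry, _ = lock_level(s, "server")
    return {
        "registrar_lock": registrar,
        "registrar_missing": registrar_missing,
        "registry_lock": registry,
        # No transfer prohibition at either level: only the auth code
        # stands between an account compromise and a transfer out.
        "transfer_unlocked": not ({"clienttransferprohibited", "servertransferprohibited"} & s),
        # A transfer is already in flight; the owner should confirm it.
        "transfer_pending": "pendingtransfer" in s,
    }

# Constructed WHOIS excerpts (not real lookups).
LOCKED = """Domain Name: EXAMPLE.TEST
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
"""
EXPOSED = """Domain Name: EXAMPLE.TEST
Domain Status: pendingTransfer https://icann.org/epp#pendingTransfer
"""

if __name__ == "__main__":
    for name, text in (("locked", LOCKED), ("exposed", EXPOSED)):
        print(name, audit_locks(text))
```

Run across a portfolio, a `transfer_pending` result on a domain nobody asked to move is the finding to act on first.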

3. Privacy protection

WHOIS data, or the contact information associated with a domain upon registration, is available as a public record. If you've registered a domain without WHOIS privacy protection, anyone on the web can easily look up your domain in a WHOIS search tool and find your contact information.

In addition to your personal information being public, including your physical address, this can invite spam, or worse, domain hijacking.

WHOIS privacy protection makes this data private, so it is not available publicly via WHOIS search.

Once privacy protection is enabled, anyone running a WHOIS search on domains you own will be able to see only non-identifying details about your domain, like the creation (or registration) date and the date the domain is set to expire. Your name, email address, physical address and country will all remain private.


4. SSL certificate (HTTPS)

You may be familiar with the little green lock seen in most browsers’ URL bars. This means you are browsing a site that has an SSL certificate and has enabled HTTPS, which encrypts the data being transferred between your computer and the site.

When you load a site with a URL using HTTPS, hackers cannot snoop on information being transmitted between you and the site you are visiting.

This prevents them from doing things like reading the information you submit in forms (credit card numbers, addresses, etc.) or making any false changes to the content of the site as you view it. At the highest levels, HTTPS can help to certify the identity of who is on the other end of a website.

Having HTTPS enabled on your site is critically important if you are looking to generate traffic to your domain.

Customers need to know they can safely access your site without fear of risking valuable private information or being exposed to malicious action.

Check what level of authentication your SSL certificate provides, and be sure you have the level you need for your site.

5. Two-factor authentication

Two-factor authentication (2FA) security systems are rapidly becoming a requirement for many email and other online services. The system works by adding a requirement that a passkey or code be entered before accessing a domain manager’s account.

When logging in to make changes to a domain name in an account with 2FA, an authorization code is sent to an address that only the true domain owner should be able to access.

By entering a password and verifying the specific code sent via the 2FA system, you are proving twice that you are truly the owner of the account.

You can enable two-factor authentication on your GoDaddy account, or you can use a third-party authentication service like Google Authenticator, which allows you to store authorization codes in an app on your phone.


6. DNSSEC

The DNS (Domain Name System) is the backbone of online communication in every form, from emails to website URLs to fetching images. It takes user-friendly information, like a website address, translates it into code, and guides that information to the correct location to resolve the content you requested in your browser.

If you are planning to use your domain as a way to harness the power of the DNS naming system, for example by using a domain like to give a custom name to your cryptocurrency wallet, then DNSSEC is an important feature you should enable.

DNSSEC adds an extra layer of protection to your domain by allowing it to cryptographically sign your DNS records.

This “handshake” system will then use the public key possessed by your domain’s registry to verify the cryptographic signature. Domains equipped with DNSSEC must match the key listed on the DNS in order to be accessed.

This signature check prevents the use of spoofing techniques to mask a malicious site as a safe one when it resolves.

You can think of DNSSEC in simple terms as the SSL of domain names, but with a much stronger fraud check system that increases the difficulty of intercepting information when a visitor accesses your domain or website.

7. SPF Record

If you use your domain to send and receive email, SPF is a helpful tool to prevent spammers from sending other, malicious mail via your domain.

SPF uses the DNS to allow you to choose which email servers your emails are authorized to be sent from.

This prevents spammers from spoofing your domain name and sending bogus emails with your domain in the “From” field.

It also helps prevent your emails from being marked as spam or disregarded because of malicious action on a server you are using.

When you send an email from a domain using SPF, email servers will verify that the sender is legitimate using an SPF record that you previously published in the DNS. This SPF record lists the email servers that you previously determined to be authorized senders.

Having a properly set up SPF record builds trust in emails coming from your domain.

It also helps protect against malicious emails being sent on a server connected to your domain, which can help you avoid many inboxing issues for outgoing mail.
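How a receiving server applies the published list of authorized senders can be shown offline for the address-based parts of a record. This is an added example, not code from the original article: it evaluates only the `ip4`, `ip6` and `all` mechanisms of RFC 7208, reports `needs-dns` for mechanisms that require live lookups, and uses constructed records with documentation address ranges.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208); a bare mechanism means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) tuples."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        if "=" in term:  # modifiers (redirect=, exp=) are not mechanisms
            continue
        qual, body = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, value = body.partition(":")
        terms.append((qual, name.lower(), value))
    return terms

def check_sender(record, sender_ip):
    """Evaluate terms left to right; the first matching mechanism decides."""
    ip = ipaddress.ip_address(sender_ip)
    for qual, name, value in parse_spf(record):
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        elif name == "all":
            return QUALIFIERS[qual]
        else:
            # include, a, mx, exists and ptr need live DNS lookups,
            # which this offline example does not perform.
            return "needs-dns"
    return "neutral"  # nothing matched and there is no "all" term

def unlisted_policy(record):
    """What the record tells receivers to do with servers it does not list."""
    for qual, name, _ in parse_spf(record):
        if name == "all":
            return QUALIFIERS[qual]
    return "neutral"

# Constructed records using documentation address ranges.
STRICT = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
WEAK = "v=spf1 ip4:192.0.2.0/24 +all"

if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.7", "2001:db8::1"):
        print(ip, check_sender(STRICT, ip), check_sender(WEAK, ip))
```

The `WEAK` record passes every sender, listed or not, which is why the final `all` term is the first thing to check when reviewing a record.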


Taking the short amount of time required to set up security measures that protect your domains is well worth the effort. While being knowledgeable about EPP or auth codes is a great start, cybercriminals are constantly seeking to develop new methods of theft and fraud.

Enacting enhanced security measures on your domains will help protect them from different vulnerabilities and help you to do the best you can to protect your piece of the internet.

Now that you’ve educated yourself on how to keep your domain names protected, keep the ball rolling and make sure you are safe online wherever you go by following these best practices for staying safe on the web.

Developing strong cybersecurity habits is key to protecting your most valuable assets and information online. Armed with this knowledge, you can confidently protect your domain assets and focus on making the most out of your domains.
