Performing due diligence is a critical task before buying a domain name in the aftermarket – both private acquisitions and even on auction purchases. With GDPR in force, doing the necessary due diligence is more difficult, and as time goes by, it will become even more challenging. One area of due diligence that should not be overlooked is related to the registrant’s email address.
One (devious) way people have been known to take possession of a valuable domain name is to gain control of another domain that is used for the Whois information. For example, let’s say the Whois email address for DomainInvesting.com is Elliot@ExampleDomainName.Global. If ExampleDomainName.Global expires, someone else could register it. Depending on the account settings, they could set up the Elliot@ email account and do a registrar password reset for the Elliot@ExampleDomainName.Global email address. Assuming that is the public and private email address on file, they could then change the registrar password and theoretically gain control of the domain names in that account.
I have seen this play out numerous times over the years. The person who controls the domain name related to the Whois email address may be able to take possession of the registrar account via password resets. As far as I am aware, this would not allow them to get legal possession of the domain names, but with control of the registrar account, they could go about selling domain names within the account. Unless the real registrant notices quickly, the domain names could be sold to someone else.
When doing due diligence, I like to do a Whois history search on the domain name in the registrant email address. Obviously this would not be necessary with a free service like Gmail or Hotmail, but I like to double check to ensure it doesn’t look like the domain name associated with the registrant email had recently changed hands or was just registered.
If I notice something funky, I will ask more questions of the seller and possibly use the older contact information to connect with the former registrant on the phone or through an older email address.
Taking control of a Whois email address is one tricky way to get possession of a domain name, and performing due diligence on the associated domain name is just another step to take when buying a domain name.