Tracking the provenance of a domain name has gotten much more difficult in the last several years. GDPR and registrar changes (like GoDaddy removing public facing Whois records) make it impossible to match an email address to a Whois record, particularly when a broker or seller approaches a buyer offering to sell a domain name. For instance, if I buy a GoDaddy-registered domain name from someone who acquired it in 2018, it would not be possible to see the email address of the registrant now or in 2018.
An unclear provenance on a domain name adds more risk to domain name acquisitions.
The issue of provenance almost disappears when it comes to expiry and drop catch domain name auctions. When I buy an expired domain name on GoDaddy Auctions or NameJet, I know that the registrant let the domain name expire for some reason that doesn’t really matter. Likewise, when I buy a fully expired and deleted domain name at DropCatch or NameJet, the same thing is true.
In terms of provenance, not only can I show a typically public auction record, but I am also able to show a purchase receipt from the auction platform which identifies the acquisition as an expiry or drop catch auction. Further, when it comes to deleted domain name auctions, the Whois creation date is very recent, limiting the provenance of a domain name even further.
One thing to keep in mind is that the issue of provenance is not eliminated simply by buying a domain name at auction. Most auction platforms allow private sellers to list their domain names for sale. I do not believe auction platforms do enough due diligence on the provenance of a domain name. As far as I know, most platforms simply confirm the current registrant email is the same as the auction seller. These auctions are typically identified as a private seller auction in some manner. Buyers must still do their own due diligence on these auctions.