How to Read a WHOIS Record
The WHOIS record is the closest thing a domain has to a passport. It tells you who claims to own it, who manages it on their behalf, when it was registered, when it expires, and which locks are currently in place. Understanding every field takes about ten minutes and saves you days of confused debugging the first time something goes wrong.
WHOIS comes from the registry (the database for the TLD itself), is presented by your registrar (where you bought the domain), and lists the registrant (the legal owner). The dates tell you when you can renew, when it'll expire, and when it might drop. The Domain Status lines are the locks — they tell you what can and can't be done to the domain right now. Always know your abuse contact before you need it.
The three parties on every record
The single biggest source of confusion when people first read a WHOIS record is mixing up the three organisations involved. You bought a domain from one company, that company is reporting to a second company, who runs the master database for the whole TLD. Each of them shows up in WHOIS, and each one means something different.
You buy a domain from a registrar; the registrar reports the registration to the registry that runs the TLD.
The registry is the company contractually responsible for the TLD itself. Verisign runs .com and .net. The Public Interest Registry runs .org. Every TLD has exactly one. The registry's database is the source of truth for “does this domain exist”.
The registrar is the company you actually buy the domain from. There are thousands of them — GoDaddy, Namecheap, Cloudflare, Google Domains (RIP), Porkbun. They're allowed to sell registrations for a TLD because they're accredited by ICANN and have a contract with the registry. When you change nameservers, update contact info, or renew, you do it through the registrar, who then forwards the change to the registry.
The registrant is whoever legally owns the domain. That's a person, a company, or sometimes a privacy proxy service. Registrants used to be public in WHOIS — that changed in 2018 when GDPR came in, so most consumer registrations now show a redacted-style record.
Anatomy of a WHOIS record
Here's a representative .com WHOIS record, annotated. Yours will look very similar — the fields are standardised by ICANN for gTLDs — though ccTLDs (like .uk, .de, .jp) sometimes use slightly different labels.
```
Domain Name: EXAMPLE.COM                              # the domain itself, always uppercase in raw whois
Registry Domain ID: 2336799_DOMAIN_COM-VRSN           # registry's internal handle
Registrar WHOIS Server: whois.iana.org                # where to query for full details
Registrar URL: http://res-dom.iana.org                # registrar's website
Updated Date: 2024-08-14T07:01:31Z                    # last change to ANY field
Creation Date: 1995-08-14T04:00:00Z                   # first registration date
Registry Expiry Date: 2025-08-13T04:00:00Z            # the date the domain falls out of "active"
Registrar: ICANN                                      # who manages the registration on your behalf
Registrar IANA ID: 376                                # registrar's accreditation number
Registrar Abuse Contact Email: abuse@iana.org         # THIS is the field to know — see below
Registrar Abuse Contact Phone: +1.3103015820          # ditto
Domain Status: clientTransferProhibited https://...   # EPP status — locks in place
Domain Status: serverDeleteProhibited https://...     # multiple status lines are normal
Name Server: A.IANA-SERVERS.NET                       # authoritative DNS
Name Server: B.IANA-SERVERS.NET                       # (usually 2-4 listed)
DNSSEC: signedDelegation                              # whether DNSSEC is enabled
```
About GDPR-redacted records: if you're looking at a .com owned by an individual in the EU, you'll see most contact fields show REDACTED FOR PRIVACY instead of names. That's not the registrar hiding anything — it's compliance with EU data law. You can still reach the owner through the registrar's abuse address.
The dates: which ones actually matter
Three date fields appear on essentially every WHOIS record. They look interchangeable but each tells you something different:
| Field | What it actually means |
|---|---|
| Creation Date | The first time this domain was successfully registered. Doesn't reset when ownership changes — a domain registered in 1998 and sold ten times still shows 1998. Useful for: spotting an old, established domain vs. a freshly registered one. Phishing domains are almost always brand new. |
| Updated Date | The last time anything on the record changed — nameservers, contact info, status, renewal. Doesn't tell you what changed, just when. If a domain you own shows an unexpected updated date, that's worth investigating immediately. |
| Registry Expiry Date | The date the domain stops working unless renewed. After this date the domain enters a 30-day grace period (during which the owner can still renew at normal price), then a 30-day redemption period (renew at penalty pricing), then drops back into the public pool. |
Renewal misconception: a lot of people assume their domain auto-renews on the expiry date. It usually does — if the credit card on file at the registrar still works. A surprising number of outages come from a card that expired six months before the domain did. Check the registrar dashboard, not the WHOIS record.
EPP status codes: the locks on the door
The Domain Status lines are arguably the most important fields in a WHOIS record and also the most cryptic. Each one is an EPP status code — a flag in the registry's database that controls what operations are currently permitted on the domain. There are two flavours:
- client* codes are set by your registrar. They can be added and removed by anyone with access to your registrar account.
- server* codes are set by the registry itself. They override registrar-level codes and usually require a manual process to remove.
The codes you'll see most often, and what they mean:
| Status code | What it does |
|---|---|
| clientTransferProhibited | Domain can't be transferred to another registrar without first removing this lock. This is good — it's what stops someone from stealing your domain via social engineering. |
| clientUpdateProhibited | Nameservers and contact info are frozen. You'll need to unlock before making DNS changes. |
| clientDeleteProhibited | Domain can't be deleted. Always good to have on. |
| clientHold | The registrar has pulled the domain from DNS. Site goes dark. Usually a billing dispute or abuse complaint. |
| serverHold | Same as above but at the registry level. Much harder to resolve — usually involves a legal action or formal complaint. |
| pendingDelete | Domain has expired and the grace and redemption periods are over. It will drop back to the public pool in 5 days. |
| redemptionPeriod | Domain has expired but the owner can still rescue it — at a penalty cost (usually $80-100 in addition to the renewal fee). |
| ok | No restrictions. Surprising as it sounds, this is actually a warning — it means there's nothing stopping a transfer. |
Practical rule: for any domain you care about, you should see at least clientTransferProhibited and clientDeleteProhibited in the status list. If you see ok instead, that means your domain is wide open — anyone with your registrar credentials can transfer it away. Most registrars let you turn these locks on for free from the dashboard.
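The practical rule above and the date checks from the earlier section can be automated over raw WHOIS text. The following is an added example, not FatDig's code: the sample record is constructed, and the function names, finding labels and the 30/45-day thresholds are assumptions chosen for illustration.

```python
from datetime import datetime, timezone

# Constructed sample record (not a real lookup); labels follow the gTLD layout shown earlier.
SAMPLE = """\
Domain Name: EXAMPLE.TEST
Updated Date: 2024-08-14T07:01:31Z
Creation Date: 2024-08-01T04:00:00Z
Registry Expiry Date: 2025-08-01T04:00:00Z
Registrar Abuse Contact Email: abuse@registrar.example
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
"""

# Hypothetical policy: the two locks the practical rule asks for, plus statuses worth an alert.
REQUIRED_LOCKS = {"clienttransferprohibited", "clientdeleteprohibited"}
ALARM_STATUSES = {"clienthold", "serverhold", "redemptionperiod", "pendingdelete"}

def parse_whois(raw):
    """Return {label: [values]}; labels such as Domain Status repeat, so keep lists."""
    fields = {}
    for line in raw.splitlines():
        label, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(label.strip().lower(), []).append(value.strip())
    return fields

def _date(fields, label):
    values = fields.get(label, [])
    return datetime.fromisoformat(values[0].replace("Z", "+00:00")) if values else None

def audit_whois(raw, now, new_days=30, expiry_days=45):
    """Return sorted finding labels for one record; `now` must be timezone-aware."""
    fields = parse_whois(raw)
    # A status value is "<code> <url>"; keep only the code, compared case-insensitively.
    statuses = {v.split()[0].lower() for v in fields.get("domain status", [])}
    findings = {f"missing-lock:{s}" for s in REQUIRED_LOCKS - statuses}
    findings |= {f"alarm-status:{s}" for s in ALARM_STATUSES & statuses}
    if "ok" in statuses:
        findings.add("status-ok-no-locks")
    created, expires = _date(fields, "creation date"), _date(fields, "registry expiry date")
    if created and (now - created).days < new_days:
        findings.add("newly-registered")
    if expires and (expires - now).days < expiry_days:
        findings.add("expiry-soon")
    if "registrar abuse contact email" not in fields:
        findings.add("no-abuse-contact")
    return sorted(findings)

if __name__ == "__main__":
    print(audit_whois(SAMPLE, datetime(2024, 8, 20, tzinfo=timezone.utc)))
```

Feed it the raw text from a `whois` lookup rather than an annotated copy, since trailing comments would end up inside the parsed values.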
The abuse contact — check this before you need it
Every WHOIS record includes a Registrar Abuse Contact Email field. This is the address you'd write to if a domain is being used for phishing, hosting malware, sending spam, or otherwise harming people. ICANN requires registrars to respond to these reports within a defined window.
The reason this field matters even for your own domains: if your account gets compromised and your domain is being used maliciously, this is the address legitimate security researchers will write to before contacting law enforcement. Knowing what's there (and that mail to it actually reaches a human you control) is a five-minute task that pays off only when you really need it.
What FatDig shows you
Run any domain through FatDig and the report surfaces all of the above in three places:
- The tile row at the top of the Advanced Dig pulls out registrar, expiry date (with color-coded urgency), and the SSL issuer.
- The Domain Lifecycle card shows Created / Last Updated / Expires on a single timeline, plus every EPP status code as a labeled pill so you don't have to look them up.
- The full raw WHOIS is in its own card at the bottom of the report — tap “Copy raw” to grab the whole thing for an audit log.
Try it on FatDig: run icann.org through the Advanced Dig — you'll see a textbook example of an old, properly locked, healthy WHOIS record. Then run a brand-new domain you've registered yourself and compare. The difference jumps out immediately.