| Domain | Registrar Lock | Registry Lock | MFA | Alerts | Monitoring | Score | Level |
|---|---|---|---|---|---|---|---|
| brand.example | Yes | Yes | Strong | Full | Continuous | 92.0 | Hardened |
| shop.example | Yes | No | Strong | Daily | | 76.8 | Strong |
| promo.example | No | No | SMS | None | Ad-hoc | 38.7 | Critical |
- Score (0–100) = Σ(weight × factor) across ten controls.
- Locks dominate the score: registrar lock (26) and registry lock (20).
- Status coverage: transfer prohibitions are scored as a ratio (0, 0.5, 1.0) × 10.
- Control quality factors: MFA, auth-code policy, alerts, and monitoring map to factors from 0.0 to 1.0.
- Operational freshness: recent lock reviews score higher than stale reviews.
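An added worked example of the scoring model described in the bullets above (illustrative code written for this page, not the calculator's own source). It applies Score = Σ(weight × factor) over the ten controls, using the registrar-lock (26), registry-lock (20), status-coverage (10) and auth-code (8) weights and the 85+ Hardened band the page states; the other six weights, every factor value, and the Strong/Critical thresholds are assumptions chosen so the weights sum to 100. It also derives the transfer-prohibition ratio (0, 0.5, 1.0) from a domain's EPP status list, accepting both the WHOIS spelling (clientTransferProhibited followed by the ICANN URL) and the RDAP spelling (client transfer prohibited). The sample domain records are constructed.

```python
# Lock-posture score: Score = sum(weight * factor) over ten controls.
# Illustrative example, not the calculator's source. Weights marked "assumed",
# all factor values and the Strong/Critical thresholds are assumptions.
import re
from dataclasses import dataclass

WEIGHTS = {
    "registrar_lock": 26, "registry_lock": 20,       # page
    "status_coverage": 10, "auth_code_policy": 8,    # page
    "mfa": 10, "alerts": 8, "monitoring": 8,         # assumed
    "admin_count": 4, "review_age": 3, "dnssec": 3,  # assumed (sums to 100)
}
assert sum(WEIGHTS.values()) == 100

# Factor tables (0.0..1.0); values assumed, ordering as the page describes.
MFA_FACTOR = {"hardware": 1.0, "app": 1.0, "sms": 0.5, "none": 0.0}
ALERT_FACTOR = {"full": 1.0, "daily": 0.5, "none": 0.0}   # ticketed > digest > none
MONITORING_FACTOR = {"continuous": 1.0, "ad-hoc": 0.4, "none": 0.0}
AUTH_CODE_FACTOR = {"strict": 1.0, "partial": 0.5, "weak": 0.0}
TRANSFER_LOCKS = {"clienttransferprohibited", "servertransferprohibited"}

def normalise_status(status: str) -> str:
    """Lowercase letters only, so the WHOIS form
    'clientTransferProhibited https://icann.org/epp#clientTransferProhibited'
    and the RDAP form 'client transfer prohibited' compare equal."""
    return re.sub(r"[^a-z]", "", re.sub(r"https?://\S+", "", status).lower())

def status_coverage(statuses) -> float:
    """Share of the two transfer-prohibition flags present: 0.0, 0.5 or 1.0."""
    present = {normalise_status(s) for s in statuses} & TRANSFER_LOCKS
    return len(present) / len(TRANSFER_LOCKS)

def admin_factor(admins: int) -> float:   # least privilege (assumed bands)
    return 1.0 if admins <= 2 else 0.5 if admins <= 5 else 0.0

def review_factor(days: int) -> float:    # monthly full, quarterly partial (assumed)
    return 1.0 if days <= 30 else 0.6 if days <= 90 else 0.2

@dataclass
class DomainControls:
    domain: str
    registrar_lock: bool
    registry_lock: bool
    statuses: list          # raw EPP status strings from WHOIS or RDAP
    auth_code_policy: str   # strict | partial | weak
    mfa: str                # hardware | app | sms | none
    alerts: str             # full | daily | none
    monitoring: str         # continuous | ad-hoc | none
    admin_count: int
    days_since_review: int
    dnssec: bool

def factors(c: DomainControls) -> dict:
    """Map each control to its 0.0..1.0 factor."""
    return {
        "registrar_lock": float(c.registrar_lock),
        "registry_lock": float(c.registry_lock),
        "status_coverage": status_coverage(c.statuses),
        "auth_code_policy": AUTH_CODE_FACTOR[c.auth_code_policy],
        "mfa": MFA_FACTOR[c.mfa],
        "alerts": ALERT_FACTOR[c.alerts],
        "monitoring": MONITORING_FACTOR[c.monitoring],
        "admin_count": admin_factor(c.admin_count),
        "review_age": review_factor(c.days_since_review),
        "dnssec": float(c.dnssec),
    }

def score(c: DomainControls) -> float:
    return round(sum(WEIGHTS[k] * f for k, f in factors(c).items()), 1)

def level(s: float) -> str:
    if s >= 85:
        return "Hardened"                          # page: 85+ is Hardened
    return "Strong" if s >= 60 else "Critical"     # assumed threshold

def weakest_controls(c: DomainControls, n: int = 3) -> list:
    # Controls losing the most points come first: the hardening priority list.
    lost = {k: WEIGHTS[k] * (1.0 - f) for k, f in factors(c).items()}
    return [k for k, v in sorted(lost.items(), key=lambda kv: -kv[1]) if v > 0][:n]

# Constructed sample records (not real domains or real settings).
SAMPLES = [
    DomainControls("brand.example", True, True,
                   ["clientTransferProhibited https://icann.org/epp#clientTransferProhibited",
                    "serverTransferProhibited https://icann.org/epp#serverTransferProhibited"],
                   "strict", "hardware", "full", "continuous", 2, 14, True),
    DomainControls("shop.example", True, False, ["client transfer prohibited"],
                   "strict", "app", "daily", "continuous", 2, 20, True),
    DomainControls("promo.example", False, False, ["ok"],
                   "weak", "sms", "none", "ad-hoc", 8, 200, False),
]

if __name__ == "__main__":
    for c in SAMPLES:
        s = score(c)
        print(f"{c.domain:14} {s:5.1f} {level(s):9} fix first: {', '.join(weakest_controls(c))}")
```

Because the status strings are normalised before comparison, the same function can be fed a pasted WHOIS block or an RDAP `status` array without mapping spellings by hand; `weakest_controls` orders the recommendations by points lost, which is why a missing registrar lock always appears before a stale review.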
- Gather current settings from your registrar and registry dashboards.
- Confirm the active EPP statuses for transfer prohibitions.
- Enter your MFA type, alerting coverage, admin count, and review age.
- Press Calculate Score to see results above the form.
- Use the recommendations list to plan hardening actions.
- Download CSV or PDF to store evidence for audits.
Why registrar locks matter for domain control
Locking reduces transfer fraud exposure
Unauthorized domain transfers usually start with control-plane access: compromised registrar credentials, social engineering of support, or abuse of weak approval steps. Registrar lock and transfer-prohibited statuses add friction by blocking routine transfer paths and forcing intentional unlock workflows. In this calculator, lock controls carry 46 points because they directly prevent the fastest theft scenarios at scale.
Registry lock adds out-of-band verification
Registry lock is designed for high-value domains where downtime or takeover would be material. It typically requires a separate, verified process to remove protections, making it harder for a single compromised account to trigger changes. The model assigns 20 points to registry lock to reflect that added independence and stronger human verification.
Auth-code discipline closes common gaps
Auth-code policies are not all equal. A strict policy uses one-time codes, identity checks, and a documented release process, while weak approaches reuse codes or expose them to multiple admins. The calculator maps auth-code policy to a factor up to 1.0 and weights it at eight points, encouraging consistent issuance and controlled disclosure.
Account safeguards and alerts improve detection
Strong MFA and multi-channel change alerts reduce the chance that a stolen password becomes a silent takeover. App or hardware MFA scores highest, while SMS receives partial credit because it can be targeted by SIM-swap attacks. Alerts that create tickets or approvals score better than email-only notifications, improving response time and evidence quality.
Operational hygiene keeps protections effective
Controls degrade when admin lists grow, reviews stop, or monitoring becomes ad-hoc. This tool rewards least-privilege admin counts, recent lock reviews, DNSSEC adoption, and continuous monitoring for DNS or registrar changes. Use the score trend across quarterly reviews to prove improvement and to prioritize registry lock for your most critical domains.
Treat the score as a governance metric, not a one-time test. Capture screenshots or ticket IDs for lock enablement, MFA enrollment, and alert routing, then export CSV or PDF to attach to change records. If your score drops after staffing changes or vendor migrations, investigate access paths and revalidate EPP statuses. For portfolio management, classify domains by business impact and enforce higher minimum scores for payment, login, and brand domains.
1) Is registrar lock the same as registry lock?
They are different layers. Registrar lock is managed at your registrar. Registry lock adds an extra verification step at the registry level, typically requiring out-of-band approval before critical changes are allowed.
2) What do clientTransferProhibited and serverTransferProhibited mean?
They are EPP status flags. “Client” is set by the registrar, while “server” is set by the registry. Having both active generally provides broader transfer blocking coverage and fewer accidental gaps.
3) Why does strong MFA score higher than SMS?
App or hardware MFA is harder to intercept remotely. SMS can be abused through SIM swaps, number porting, or carrier support manipulation. This calculator reflects that difference with a stronger factor for app or hardware methods.
4) How often should we review lock and contact settings?
Monthly is a practical baseline for important domains, and quarterly at minimum for the full portfolio. Review immediately after staffing changes, registrar migrations, or any suspicious login alerts.
5) Does DNSSEC prevent domain transfer attacks?
No. DNSSEC primarily protects DNS integrity and reduces spoofing or cache poisoning impacts. It complements locks by protecting resolution, but it does not stop registrar-side transfers or account compromise.
6) What score should we target for business-critical domains?
Aim for 85+ to reach the Hardened band. That typically means registrar lock, registry lock, strong MFA, verified auth-code release, multi-channel alerts, and continuous monitoring for DNS and registrar changes.