Software Development

Web applications, mobile, e-commerce and custom software projects.

ReactNode.jsMobile

SEO & Optimization

Organic traffic growth, technical SEO, content strategy and analytics.

Technical SEOContentAnalytics

API & Integration

REST API, webhook infrastructure, payment and shipping integrations.

REST APIWebhookOAuth
View all services Get free consultation

Web Hosting

cPanel management panel, SSD storage, free SSL certificate

Get a Quote

VPS Server

NVMe SSD, full root access, DDoS protection included

Get a Quote
Popular

Dedicated Server

Fully dedicated physical server, unlimited traffic

Get a Quote

Domain & SSL

Domain registration, transfer and Wildcard SSL certificates

Get a Quote

Why KEYDAL?

  • 99.9% uptime guarantee
  • Istanbul data center
  • 24/7 support
  • Free migration service
Get a quote

Projelerimiz

kSvSecurity, kAI, kMusic ve daha fazlası.

About Us

Meet KEYDAL. Our vision, team and journey.

Contact

Tell us about your project, get a custom quote.
Contracts
Privacy Policy Terms of Service SLA Agreement Data Protection Notice Cookie Policy
01 Home
Software Development SEO & Optimization API & Integration
Web Hosting VPS Server Dedicated Server Domain & SSL
04 KEYDAL Projects 05 Tools 06 Blog
About Us Contact Contracts
Get a Quote
Blog / domain

Domain Transfer Guide 2026: Steps, Duration, Auth Code and Cost

pillar 27 min read May 2, 2026
Founder of KEYDAL · Full-stack developer

Keeping a domain at the same registrar for years is usually less about laziness and more about the transfer process being a black box. Domain transfer — moving a domain name from its current registrar to a new one — is, when done right, a 5-7 day operation with zero downtime that gifts you an additional year of registration on most TLDs. When done wrong, it produces a lost domain, intermittent email, years of WHOIS confusion, and sometimes losses that can never be recovered. This guide walks through every layer of the transfer — from ICANN policy to TRABIS-specific rules, from generating an EPP code to migrating DNS and SSL — with real commands and real price ranges.

Related guides: What is a domain name, WHOIS lookup · Domain lookup tools: WHOIS, RDAP and DNS · What is DNS, how to change settings · Free SSL with Let's Encrypt · What is hosting, types and how to choose

What Is a Domain Transfer, and What Is It Confused With

A domain registration is, at its core, just a database entry. The record showing you "own" the name lives in the system of one of the hundreds of registrars accredited by ICANN; that registrar in turn connects to registry operators like Verisign or PIR for gTLDs such as.com,.net and.org. Domain transfer is the name given to the process of moving that record from one registrar to another. In Turkish, the same operation goes by several names — alan adı transferi, alan adı taşıma, domain taşıma, domain aktarma, alan adı devri. Industry usage sometimes slices "alan adı devri" toward an ownership change while "transfer" leans toward a registrar change. Throughout this guide, transfer is used in ICANN's official sense, framed by the "Inter-Registrar Transfer Policy (IRTP)."

Before you start a transfer, it pays to clarify three operations that are constantly conflated; many users say "transfer" when they mean something completely different, and end up filling out the wrong form.

  • Registrar transfer (the actual transfer): The company holding the domain registration changes. Requires an EPP code, an unlocked registrar lock and an approval email. This is the focus of this article.
  • Registrant change (ownership change): The domain stays at the same registrar but the owner's personal/company information changes. ICANN issued a separate "Change of Registrant" policy for this in 2016; for.com.tr/.tr it's a separate process via TRABIS.
  • DNS / hosting change: Only the NS records are pointed to a new hosting provider. The registrar stays the same, the owner stays the same. This isn't a transfer; it's just a DNS update.
  • URL transfer: Colloquially, moving a website's content to new hosting. Not a domain transfer; that's a hosting migration.
  • Push (account change): Moving a domain to a different account inside the same registrar. Not subject to ICANN transfer rules, completes in seconds, doesn't trigger a 60-day lock, and is free.

The Policy Behind Transfers: ICANN IRTP and the 60-Day Rules

Transfers of gTLD domains are governed by the ICANN Transfer Policy. In effect since 2016, this policy binds every generic TLD (.com,.net,.org,.info,.biz,.io,.dev,.app,.xyz,.online and so on). Country-code TLDs (.tr,.de,.uk,.fr) follow each country's own registry rules. The policy rests on three pillars: FOA (Form of Authorization) — the registrant's electronic approval; auth code (EPP code) — a one-time, unique secret identifying the domain; and 60-day locks — security waiting periods that prevent back-to-back transfers after a new registration or change.

The 60-day rule kicks in three different ways: (1) 60 days after a new registration — a freshly registered domain cannot be moved to another registrar for the first 60 days; this exists to deter speculators and payment fraud. (2) 60 days after a previous transfer — a domain cannot be transferred again within 60 days of a completed transfer. (3) 60 days after an owner / email change — when the registrant's name, surname, organization or email changes, a fresh 60-day transfer lock kicks in (unless the user opts out). The smartest move when planning a transfer is to leave registrant data alone for the 60 days leading up to it.

EPP / Auth Code: The Key to the Transfer

EPP code (Extensible Provisioning Protocol — RFC 5731 and successors) is the protocol modern registries speak. Auth code, EPP code, AuthInfo, transfer code, transfer password, authorization code — all the same thing under different names. The code is an 8-32 character unique token that identifies the domain and only ever passes between the losing registrar's internal panel and the gaining registrar; it never appears in public WHOIS. Dropping an auth code into WHOIS, an email, or a Slack channel is functionally equivalent to surrendering the domain. Use it the moment you receive it; if unused, most registrars auto-invalidate it within 30-90 days. Some registries (Nominet for.uk, for example) rotate the code on their own after a single use.

The typical flow for getting an auth code: log into your current registrar's panel, select the domain, click "Request EPP code" / "Transfer code request," and the code is either shown in the panel or emailed to the registrant. Some registrars hand it over in seconds; others run a 24-72 hour manual approval. Stalling is against ICANN policy and can be reported to ICANN Compliance. When copying the auth code, remember three rules: check for leading/trailing spaces (a copy-paste error is the single most common reason ICANN rejects a transfer), don't paste it into logged channels, and use it within 24 hours of receiving it.

Registrar Lock: clientTransferProhibited

Most registrars automatically apply a clientTransferProhibited flag to your domain after registration. This is a status code defined by the EPP protocol meaning "the client registrar does not allow transfers." It's not malicious — it's an extra key against an attacker who has compromised your account. Before you start the transfer, you must turn off whatever the panel calls it: Registrar Lock, Domain Lock, Theft Protection or Transfer Lock. Otherwise, even if the gaining registrar submits the request, the registry rejects it and an error message lands in your panel within minutes.

  • clientTransferProhibited — lock applied by the registrar; you can lift it.
  • serverTransferProhibited — lock applied by the registry; usually applied after ICANN-level disputes.
  • clientHold — domain pulled from DNS; payment issues or fraud suspicion etc., must be resolved before transfer.
  • pendingTransfer — a transfer is already in flight; you must let it finish or cancel it.
  • redemptionPeriod — domain has expired and is in redemption; cannot be transferred, must first be renewed at the old registrar.
  • pendingDelete — domain is being deleted; transfer is impossible, you can only wait.
  • ok — domain is active and ready to transfer.

The Transfer Process Step by Step

On paper a transfer looks like four steps, but the details are easy to get wrong. The sequence below works (with minor differences) for both gTLDs like.com and.com.tr/.tr. In order: (1) Preparation — update WHOIS, check the 60-day window, lift the registrar lock, get the auth code. (2) Submission — go to the new registrar's transfer page, enter the domain + auth code, pay. (3) Approval (FOA) — the gaining registrar emails an FOA link to the registrant; click and approve. For.tr/.com.tr this step is handled via TRABIS through authcode verification. (4) Completion — if the losing registrar doesn't object within 5 days, the registry completes the transfer automatically.

Verify the status after each step. WHOIS refreshes 5-30 minutes after lifting the lock; clientTransferProhibited should disappear. Use the auth code within the first 24 hours after generating it. If you manually approve the FOA email, you skip the 5-day waiting window and the transfer wraps up in 24-48 hours. If you do nothing — neither approve nor reject — the transfer auto-completes at the end of day 5 under ICANN's "auto-approval" rule.

Turkey-Specific: TRABIS and the.tr /.com.tr Transfer

In Turkey,.tr-suffixed names (.com.tr,.net.tr,.org.tr,.biz.tr,.info.tr, and second-level.tr from 14 September 2022 onward) run through TRABIS (the Turkish Domain Names Information System) operated by the BTK. Before September 2022,.tr names were managed by Nic.tr (METU); the transition moved everything onto a modern EPP infrastructure with proper registrar independence. For the legal framework see BTK Internet Domain Names. Transfers happen between roughly 60 BTK-accredited registry operators (registrars). The losing registrar gives you an authcode (in TRABIS parlance, a "yetkilendirme kodu"). The gaining registrar uses it to file the request with TRABIS. The process must complete within 7 days by policy; in practice, 24-72 hours.

  • Documentation-free.com.tr: Since 14 September 2022, the document requirement for.com.tr has been removed. The system used to demand a trade registry gazette / trademark certificate; today, name and surname or company information is enough.
  • Second-level.tr: Opened on 14 September 2022. Companies that already held the matching.com.tr could claim the.tr equivalent during a priority window; afterwards, first-come-first-served.
  • Transfer fees (approximate, 2026):.com.tr averages 80-150 TL (around $3-5 USD);.tr averages 200-400 TL (around $7-13 USD);.net.tr /.org.tr 50-90 TL (around $2-3 USD). Varies by provider, exchange rate and promotions.
  • Duration: TRABIS policy disallows transfers of inactive domains; after expiry there's a 30-day renewal window.
  • Owner change: Under TRABIS, registrar transfer and owner change are different operations. Changing the owner requires a notarized assignment document or e-signed transfer form.
  • No push: TRABIS doesn't support intra-registrar pushes between accounts; you either do a registrar transfer or an owner change.

For the registration logic of.com.tr and.tr in detail, see our what is a domain name, WHOIS lookup guide.

Transfer Quirks of Other Common TLDs

Each TLD has its own registry rules, transfer windows and approval mechanisms. .com /.net /.org follow the ICANN IRTP standard exactly: 5-day FOA window, easy transfer with auth code. .io /.ai /.co support standard EPP transfers but renewals are expensive; the year added by the transfer can be costly. .dev /.app /.page are operated by Google Registry; HSTS preload makes them unreachable without HTTPS. .uk /.co.uk sit under Nominet; instead of an auth code, registrar changes happen by updating the IPS-TAG. .de runs on DENIC; AuthInfo is 4-32 characters and can be regenerated within 60 seconds if invalidated. .eu is operated by EURid; standard EPP, EU-country address required. .fr AFNIC, .es Red.es; both may require a local presence.

How Much Does a Transfer Cost, and How Is It Calculated

At most registrars, the transfer fee is identical to the current renewal fee. That's by design: ICANN policy requires the gaining registrar to add a year of registration to the domain during transfer (you always gain at least one year). So the "transfer fee" is really "one year of additional registration"; registrars who don't tack on extra margin charge their renewal price. Typical 2026 mid-year ranges (approximate, varies by provider, exchange rate and promotions):

  • .com transfer: roughly $8-15 USD. Verisign's batch fee (~$10.26 USD) is fixed for every registrar; registrar margin sits on top.
  • .net: roughly $10-15 USD.
  • .org: roughly $11-18 USD.
  • .io: roughly $35-60 USD — high registry cost.
  • .dev /.app: roughly $10-15 USD.
  • .com.tr: roughly 80-150 TL (around $3-5 USD).
  • .tr (second level): roughly 200-400 TL (around $7-13 USD).
  • .net.tr /.org.tr: roughly 50-90 TL (around $2-3 USD).

Hunting for the "cheapest domain transfer" usually doesn't pay. Trading panel quality, DNS speed or support SLA for a 1-2% price difference costs you more in the long run. Fake bargains hide in: post-coupon renewal prices that jump 4-5x, hidden WHOIS privacy fees, transfer-out fees (charged when you try to leave), or "auth code retrieval" fees (banned by ICANN, but some providers still charge them). "Domain transfer promotions" cluster around Black Friday, year-end and industry conferences. The fine print under offers like "$1.99 USD.com transfer": Verisign keeps the batch fee, the registrar writes off the difference as marketing, and they're betting on retention for 4-5 years. Promotion windows are a great fit for 5+ year batch transfers; long-term locks are the smartest play.

How Long Does a Domain Transfer Take

A standard gTLD transfer wraps up in 5 days. That's no coincidence — it's a direct consequence of ICANN policy. The flow: at hour 0, the gaining registrar starts the transfer, takes payment, and emails the FOA to the registrant. Between hours 0-72, the registrant clicks the FOA link and approves (no manual approval = auto-approved at the end of day 5). Between hours 0-120 (5 days), the losing registrar can NACK (reject) the transfer; valid rejection reasons are domain locked, recently registered, fraud suspicion, or payment problem. At hour 120 (day 5), if no NACK arrived, the registry auto-approves the transfer. Between hours 120-168, WHOIS updates on the gaining registrar's side and the domain shows up in the panel.

Manually approving the FOA shortens the wait to 24-48 hours. For.tr/.com.tr, TRABIS is fast; most transfers complete in 4-24 hours because entering the authcode is treated as registrant proof at the same moment. In different models like.uk, an IPS-TAG change happens in seconds, but ownership doesn't move.

Will My Site Go Down During the Transfer

A properly executed transfer has no downtime. The reason becomes clear once you look at what the transfer actually moves — only the registrar information, i.e. "which company manages this domain." The DNS servers (NS records), and therefore A/AAAA/MX records, never change at any point during the transfer. Downtime risk arises when: you were using the old registrar's own DNS service (e.g. ns1.oldregistrar.com) and they shut it down post-transfer; you changed NS records during the transfer, leaving old caches with the old NS and new caches with the new NS — split-brain; the old registrar was providing your email service (registrar mail) and the mailbox got deleted with the transfer. The fix: gain DNS independence before transferring (Cloudflare DNS, AWS Route 53, your own BIND), do the NS change either 1 week before or 1 week after the transfer, and move email to a separate mail provider.

Preparation and Information Verification

The single most critical pre-transfer task is verifying WHOIS. ICANN requires that the FOA link reach a working email account. If the registrant email points to an old work address, a closed corporate inbox or a Gmail account you no longer access, the transfer will never complete. Check the registrant email with whois example.com | grep -i 'registrant.*email' or curl -s https://rdap.org/domain/example.com | jq. Post-GDPR, gTLD WHOIS frequently shows the email as REDACTED; in that case log into the registrar panel to verify. Send a test message and confirm it lands. If you don't have access, change the registrant BEFORE the transfer — but careful: a registrant change triggers the 60-day transfer lock; check the "don't apply the 60-day transfer lock for this change" opt-out box when it appears.

Lifting the Lock, Getting the Auth Code, Submitting the Request

Log into your current registrar's panel, pick the domain, and find Registrar Lock / Theft Protection / Transfer Lock. Some interfaces ask for two-factor confirmation; you'll need a code from SMS or an authenticator app. Confirm the lock is off with whois example.com | grep -i 'Domain Status' — expected output: Domain Status: ok. If "client transfer prohibited" still shows up: wait for WHOIS to update (~30 minutes), then if it persists, open a ticket with registrar support.

Next, find the "Transfer Code," "Request EPP Code," "Auth Code," or "Authorization Code" button. Clicking either shows the code in the panel or emails it to the registrant. Head to the new registrar's transfer page: a typical form takes domain + auth code + payment. Once payment is processed, the gaining registrar sends a transfer request to the registry, which opens the 5-day objection window for the losing registrar.

The FOA Email and Losing Registrar's Approval

The gaining registrar sends a Form of Authorization (FOA) email to the registrant. It contains "Approve transfer / Cancel" links. Check your spam folder — the sender is usually transfer@registrar.com or similar. Clicking approve drops the 5-day wait; the transfer completes within 24 hours. Some losing registrars give you an "Approve" button under a "Pending transfer" section in their own panel as a way to speed things up. Clicking it lifts the 5-day window from their side; the transfer wraps up in minutes. If you'd rather not click, just wait. Note that they have the right to NACK (reject) during this wait window; a NACK without valid grounds is grounds for an ICANN complaint.

Post-Transfer: DNS, Mail and SSL

Once the transfer is complete, the domain shows up in the new registrar's panel. From here, check three separate systems: DNS (NS records) — if you were using the old registrar's DNS, import the zone into an independent DNS provider; do the NS change 1 week after the transfer. Email (MX records) — if your MX records didn't change, email keeps flowing without interruption; if you were using the old registrar's mail service, move to a dedicated email provider. SSL certificate — the certificate is bound to the domain, not the registrar; the transfer doesn't affect it. If you use Let's Encrypt, renewals continue automatically. WHOIS Privacy — privacy was on at the old registrar but may not auto-enable at the new one; turn it back on from the panel. Auto-renew — enable auto-renewal at the new registrar and add a payment method.

Bulk Transfer: Moving Many Domains at Once

If you have 50+ domains, transferring them one at a time is both a time sink and a source of mistakes. Most large registrars offer a bulk transfer tool: upload a CSV with domain,authcode rows and kick off a batch transfer in one shot.

Practical bulk-transfer rules: start with domains tied to the same registrant email — FOA emails arrive in clusters. Spread the transfer over 5-10 batches with 1-hour intervals; if every email lands the same second, it's easy to miss one. Save the most critical domains for last; let the early batches confirm the process is smooth. A 3-7% bulk discount is usually applied automatically; manual negotiation can push it to 10-15%.

Why Transfers Get Rejected and EPP Error Codes

When the losing registrar NACKs a transfer, the gaining registrar surfaces the reason with an EPP Error Code. ICANN policy defines a finite list of valid rejection reasons — invalid rejections can be reported.

  • EPP 2105 — Object Status Prohibits Operation: Domain locked. Fix: lift the registrar lock.
  • EPP 2202 — Invalid Authorization Information: Auth code is wrong. Fix: regenerate it, check for leading/trailing whitespace.
  • EPP 2304 — Object Status Prohibits Operation: 60-day rule or pendingDelete. Fix: wait, or rescue the domain from redemption.
  • EPP 2305 — Object Association Prohibits Operation: Domain is associated with another account (e.g. inside a shared hosting package). Fix: break the association.
  • EPP 2400 — Command Failed: Generic error. Email the registrar for log details.
  • EPP 2308 — Data Management Policy Violation: Verisign or registry-level flag. Usually fraud suspicion or a UDRP process.

If the losing registrar rejects the transfer without justification, you can file a formal complaint via the ICANN Compliance Portal. The complaint takes 30-60 days; ICANN demands an explanation from the registrar, and if the response is unsatisfactory, transfer dispute resolution can be invoked to force the move. In most cases, simply learning that a formal complaint exists is enough for the registrar to release the domain voluntarily.

Transferring When the Domain Is About to Expire

Starting a transfer with fewer than 15 days until expiry is risky. If the losing registrar lets the domain expire during the wait, the transfer auto-cancels and the domain enters redemption. Recovering from redemption costs an extra $80-200 USD. Practical rule: start transfers with 30+ days remaining. If you're cutting it close, renew at the old registrar first, then transfer. Renewing adds a year; the transfer adds another year — you walk away with two years of registration.

If auto-renew is on at the old registrar and you've already filed a transfer, the old registrar can auto-renew during the transfer process. In that case, you'll be charged for one year of renewal there, and when the transfer completes, the new registrar adds another year — you've moved 2 years forward, but you've paid two different parties. Fix: turn off auto-renew at the old registrar 24-48 hours before starting the transfer. Most users forget and end up paying twice; refunds are usually denied because the "service was rendered."

WHOIS, Privacy and Transfers After GDPR

Since GDPR came into force in May 2018, personal data in gTLD WHOIS records has been largely REDACTED. The registrant's name, email and phone number no longer appear in public WHOIS; instead a contact form link routes through the registrar's email. For transfers this means the FOA email still reaches the registrant — the registrar holds the real email internally and just doesn't expose it. Some registrars offer free WHOIS privacy (Cloudflare, Namecheap, Hover); others charge for it. Disable privacy right before the transfer — with privacy on, some registrars route the FOA email to a dummy address that never reaches the registrant. After the transfer completes, re-enable privacy at the new registrar.

The Right Order for a Hosting Migration and Domain Transfer

A domain transfer and a hosting migration are often attempted at the same time. The temptation of "handle it all at once" is real, but the risk is higher — when something fails, it's hard to tell which layer broke. Recommended order: (1) Stand up the new hosting, copy files, import the database, test locally with a hosts file. (2) Point DNS at the new IP (drop TTL to 300 a week before the transfer for fast propagation). (3) After propagation completes, do the domain transfer in a separate week. With this sequence, when something breaks, you know exactly which step to roll back.

For the technical side of hosting migration, see our what is hosting, types and how to choose guide together with how to build a website.

DNSSEC, DNS Migration and TTL Strategy

Be careful when transferring a DNSSEC-enabled domain. DS records get removed at the registry level during the transfer, or the new registrar may not support your signing keys. Mismatched DNSSEC makes the domain completely unreachable in browsers — "DNSSEC validation failed." Safe migration: turn DNSSEC off at the old registrar (deletes the DS records at the registry), wait 24-48 hours (for TTLs to expire), start the transfer, then re-enable DNSSEC at the new registrar. If the new registrar supports Multi-Signer DNSSEC, an atomic switch is possible.

Every DNS resolver caches answers for the duration of the TTL. Default TTLs run from 1 hour (3600s) to 4 hours (14400s). Drop the TTL to 300 (5 minutes) before the transfer and any DNS change after the transfer propagates worldwide in 5 minutes. If you also plan to move DNS to an independent provider after the transfer, you'll need a zone export/import. Most registrars expose a BIND zone file (RFC 1035) export.

During import, the new provider updates the SOA serial automatically. Test SPF, DKIM, DMARC and MX records — anything email-critical — first; one missing character will break mail delivery. For DNS specifics see what is DNS, how to change settings.

Most Common Scenarios

I lost my domain. Can I get it back?

For "domain hijacking" or account compromise, contact registrar support immediately and request account recovery + domain recovery. If the hijacking happened within 60 days, ICANN's Transfer Dispute Resolution Policy (TDRP) can claw it back. Older hijackings go through the courts; for arbitration, WIPO globally or in Turkey the TRABIS Dispute Resolution Service Providers (UÇHS).

My domain expired and I'm in redemption — can I transfer?

No. Domains in redemptionPeriod and pendingDelete can't be transferred. First pay the redemption fee at the old registrar to restore the domain (typically $80-200 USD for gTLDs); then start the transfer. Redemption lasts 30 days; pendingDelete follows for 5 days; after that the domain is released for anyone to register.

I paid but the transfer hasn't started — what now?

If a transfer status hasn't appeared in the gaining registrar's panel within an hour: re-check the auth code, check spam for the FOA email, open a support ticket. Some registrars run manual fraud review; that can take 4-24 hours.

Will a transfer affect my SEO ranking?

The SEO impact of a domain transfer is zero. Google ties identifying signals (backlink profile, content history, E-E-A-T) to the domain itself, not the registrar. Same domain, same content, same IP — nothing changes for Google. For SEO discipline see our site optimization and technical SEO checklist 2026 guides.

Can I cancel a transfer?

If you started a transfer by mistake, you can cancel within the 5-day FOA window: click "reject" in the FOA email; request "Cancel transfer" from the new registrar's panel; or click "Reject pending transfer" in the old registrar's panel. After cancellation, most registrars refund the transfer fee.

E-commerce, Multi-TLD and Premium Domains

E-commerce sites need extra care during transfer: payment integrations (iyzico, PayTR, Stripe) use API keys tied to the domain. As long as DNS doesn't change, those integrations are unaffected, but webhooks travel over HTTPS and can break alongside SSL transitions. Test webhooks, verify 3D Secure callback URLs, keep OAuth callbacks whitelisted. CDN integrations (Cloudflare, Bunny CDN) work via nameserver or CNAME, so the transfer leaves them alone. For e-commerce SEO, see our e-commerce SEO guide and Core Web Vitals 2026.

When transferring your brand's.com, also think about the matching.com.tr,.net,.org,.net.tr,.biz and.info. Defensive registration matters: bad actors can register typo variants or different TLDs of your brand for phishing/typosquatting. Practical strategy: consolidate 5-7 critical TLDs of your main name at one registrar, lock with at least 5 years of registration, enable auto-renew. Premium domains (short or popular dictionary words sold by the registry at a markup) play by different transfer rules — premium renewal can be 5-50x normal renewal. Compare renewal pricing across two registrars before transferring.

IDN and Punycode Domains

Domains with Turkish characters (e.g. çanakkale.com.tr) or any non-ASCII alphabet are stored in DNS in Punycode, per the IDN (Internationalized Domain Names) standard. çanakkale.com.tr is actually registered as xn--anakkale-iqb.com.tr (RFC 3492). The auth code is processed against the Punycode form during transfer — even if you type Turkish characters into the registrar panel, everything happens in Punycode under the hood.

Post-Transfer Verification Checklist

Walk through the list below once the transfer completes. Each item takes 30 seconds, and catching errors early means fixing them instantly.

  • WHOIS / RDAP: Does whois example.com show the new registrar's name?
  • NS records: Does dig example.com NS return the expected servers?
  • A / AAAA records: Is the main site IP correct? dig example.com A +short
  • MX records: Are email MX records intact?
  • SPF / DKIM / DMARC: Does dig example.com TXT return all expected email auth records?
  • HTTPS: Does https://example.com load without a certificate error in the browser?
  • WHOIS Privacy: Is privacy enabled at the new registrar?
  • Auto-renew: Is auto-renew on at the new registrar, with a payment method on file?
  • 2FA: Is two-factor authentication enabled on the new registrar account?
  • Log out of the old registrar: Close the old account, remove payment methods, request account deletion (wait 3-6 months).
  • DNS propagation check: Verify global propagation via whatsmydns.net.

Domain Transfer Automation: Using the API

For 100+ domain portfolios, opening the panel by hand is a waste of time. Most large registrars offer an API — starting transfers, polling status, approving FOAs, all programmatic. Typical APIs at ICANN-accredited registrars are RESTful JSON; some registrars expose direct EPP RFC over an XML socket.

When working with the API, never commit the token to a repo; use environment variables or a secret manager (HashiCorp Vault, AWS Secrets Manager). Watch the rate limits; typical registrar APIs allow 5-20 requests per second, and throttling is mandatory for bulk transfers.

Two-Factor Authentication and Registry Lock

For high-value domains, the single most important step in protecting the registrar account is 2FA. SMS 2FA is open to SIM-swap attacks; wherever possible use TOTP (Google Authenticator, Authy, 1Password) or a hardware key (YubiKey). Most modern registrars support WebAuthn/FIDO2. Extra protection layer: Registrar Lock + Registry Lock. The Registrar Lock you can lift; the Registry Lock can only be lifted by the registry, with the registrar out of the loop. Registries like Verisign, Identity Digital and Donuts offer enterprise registry lock as a service — $50-300 USD per year, used as anti-hijacking protection.

When You Should NOT Transfer

A transfer isn't always the right move. In the situations below, doing nothing is smarter:

  • Less than 14 days until expiry: High risk; renew first.
  • You changed the owner/email recently (within 60 days): The system will reject; wait it out.
  • Domain is in "pendingDelete" or "redemptionPeriod": Restore first.
  • An active UDRP / URS case: The domain is frozen; transfers are forbidden.
  • The losing registrar opened a fraud investigation: Clear the suspicion first.
  • Hosting + mail are still locked into the old registrar with no alternative in place: Gain DNS independence first.
  • The new registrar's renewal is much more expensive: Don't fall into the trap of cheap transfer pricing alone.

Multi-Owner Domains and Corporate Approvals

For domains registered to a company, a transfer can't be initiated by a single individual; most organizations require signature circulars / authorization documents. For.com.tr/.tr, TRABIS enforces this more strictly — the registrar may demand an electronic signature or notarized document during the change. Practical corporate flow: IT / digital team gets approval from leadership; the authorized accountant or legal team prepares the documents; a ticket is opened with registrar support; documents are submitted; FOA approval is given from the registered corporate email; the transfer completes within 7-15 days (1-2x the normal timeline because of corporate review).

Conclusion: With the Right Prep, a Transfer Is Painless

A domain transfer can look complicated, but most mistakes are about rushing. EPP code, registrar lock, the 60-day rule, FOA approval and DNS independence — once you understand these five concepts properly, 95% of the transfer takes care of itself. Spend time on prep, lay out the core information (registrant email, lock state, expiry date, current DNS) in a single table, verify each line. Stay in touch with the registrar and respond to the FOA email within 24 hours. For corporate portfolios, the gold standard is "single registrar, multi-level lock, auto-renew, 2FA + hardware key." Your domains are an extension of your brand — a few hours of attention each year save you from years of hunting down lost names. The shortest answer to how do I transfer a domain: get an EPP/auth code from the old registrar, lift the registrar lock, drop the domain + auth code into the new registrar's transfer form and pay, approve the FOA link in your registrant email, then wait 5-7 days. When it's done, welcome to your new registrar.

Sources

Professional support for domain transfers and DNS migrations

Get in touch with our team for secure transfers of your corporate domain portfolio, DNS propagation checks and registrar consolidation contact us

Written by

Founder and principal engineer of KEYDAL. Serving enterprise clients in hosting, software development and SEO since 2026.

Related Articles

Readers of this article also read these

domain 28 min

How to Register a Trademark in Turkey: 2026 Application, Fees and Process Guide

How to register a trademark in Turkey: 2026 fees, application steps, Nice classification, opposition, renewal and brand name protection. A comprehensive vendor-neutral guide based on TÜRKPATENT and SMK 6769.
domain 27 min

How to Buy a Domain Name from Google in 2026: Squarespace Migration, Cloud Domains and Google Registry

After Google Domains shut down, how do you buy a domain from Google or within Google's ecosystem? Comprehensive 2026 guide covering the Squarespace migration, Cloud Domains, Workspace purchase flow, Google Registry TLDs (.dev, .app, .page) and modern alternatives.
domain 28 min

How to Register a .com.tr Domain in 2026: Post-TRABİS Document-Free Allocation, Requirements and Step-by-Step Guide

How to register a .com.tr domain after TRABİS: document-free allocation rules, the entire .tr extension family, TAKIL/TAKAL reserved lists, required documents for restricted extensions, pricing ranges, transfer rules, and dispute resolution—a complete 2026 guide.
WhatsApp