The gTLD Explosion and What It Did to Brand Protection

For most of internet history, brand protection in the domain namespace was manageable. You registered your brand in .com. You grabbed .net and .org to be safe. You registered your country code TLD if you operated in that market. Maybe .info and .biz if you were thorough. Twenty-two TLDs in total, give or take, and a handful of those were genuinely relevant.

Then in 2012, ICANN started delegating new generic TLDs. By the time the first round finished, approximately 1,200 new extensions had been added to the root zone.

I was at EuroDNS during all of it. As a registrar, we processed registrations across these new TLDs from day one. We saw who was buying brand-matching strings, and it wasn't mostly the brands themselves.

What ICANN Said Would Happen

The theory behind the new gTLD program was reasonable on its face: the internet was running out of good .com names, new TLDs would create more meaningful namespace options, and competition among registries would drive down prices and improve services.

From a brand protection perspective, ICANN also built in safeguards. The Trademark Clearinghouse (TMCH) would let trademark holders register their marks and get priority access during Sunrise periods. The Uniform Rapid Suspension system (URS) would give a faster, cheaper enforcement mechanism. Registries were required to implement rights protection mechanisms.

The safeguards were real. They're used, and they work, to a point. But the broader promise, that brands would have workable tools to manage 1,200 TLDs without dramatically increasing their protection costs, turned out to be optimistic.

What Actually Happened

The monitoring surface changed permanently. Before 2012, a brand protection team could watch 22 TLDs with a combination of manual checks and basic automated alerts. After, that same team faced 1,200+ TLDs, each with its own registry, its own registration policies, its own abuse contact procedures, and its own WHOIS data quality.

The registration volumes in new TLDs were lower than .com, most new gTLDs have tens of thousands of registrations rather than millions, but the abuse patterns arrived anyway. Squatters registered brand strings speculatively. Competitors registered brand-adjacent strings in industry-specific TLDs (.shop, .store, .tech). Phishing campaigns started using new TLD domains because they were cheap and sometimes looked plausible to consumers.

At EuroDNS, we saw an entire sub-industry emerge: domain investors who registered brand strings across dozens of new TLDs and then waited for the brand to contact them. Some of these investors were sophisticated enough to register in Sunrise periods using questionable trademark claims. That particular practice gets its own case study in Lesson 06.

The Adaptation Gap

Here's the part that I find genuinely frustrating when I look back on it: the brands that could afford to react quickly, the Fortune 500 companies with IP teams, outside counsel, and monitoring budgets, adapted reasonably well. They enrolled in TMCH, they used Sunrise periods, they expanded their monitoring tools.

The brands that couldn't afford to react, mid-sized companies, regional companies, brands with real trademark rights but limited legal budgets, mostly didn't change what they were doing. They kept managing the ~20 TLDs they knew, and they started discovering new infringement on new TLDs only when someone forwarded them a suspicious email or a customer complained.

In 2024, the situation hasn't fundamentally changed. I talk to brand managers who are still treating their domain monitoring strategy as if it's 2010. They know the problem exists, but the scale is paralyzing: 1,200 TLDs feels like a lot, the costs are real, and the guidance they've received has often been either "register everything" (expensive and unnecessary) or "don't worry about it" (demonstrably wrong).

This module is for those brand managers. The goal isn't to frighten you into buying more domains. It's to give you a realistic framework for making decisions with actual numbers attached.

Why the Monitoring Change Mattered More Than the Legal Change

When brands and their lawyers talk about the gTLD expansion, they mostly talk about UDRP and TMCH and URS. The legal tools. Those matter, but the more fundamental change was operational: you can no longer know what you don't know without automated monitoring.

Before 2012, if someone registered your brand in .shop, you'd have noticed because you were checking .shop. There were only 22 TLDs to check. After 2012, the only way to find out that yourbrand.store just got registered and pointed at a phishing page is if something is watching yourbrand.store for you.

That shift, from "manageable with human attention" to "requires automation to even know the problem exists", is the structural change that brands underestimated. Legal tools are useful once you know about an infringement. Monitoring is what tells you the infringement exists.

The tools have gotten better. DNSDB, DomainTools, and platforms like X-RAY at EBRAND now do passive DNS monitoring, new registration alerts, and content analysis across the expanded namespace. None of them are cheap. But the alternative, discovering your brand was used for a phishing campaign three months after it started, is more expensive.

Key Takeaways

Before 2012: ~22 TLDs to watch, manageable with limited resources. After 2012: 1,200+ TLDs requiring automated monitoring.
ICANN built real safeguards (TMCH, URS, Sunrise periods), but they require brands to actively use them. Passive brands don't benefit.
The brands that adapted well were the ones with existing IP budgets. Most mid-sized companies haven't fundamentally changed their approach.
The structural change isn't primarily legal, it's operational. You can't manually monitor 1,200 TLDs. If you're not running automated monitoring, you're finding out about infringement from customers, not from your own processes.
"Register more domains" is not a complete strategy. Monitoring and reactive enforcement often make more economic sense than blanket defensive registration.

Up Next

Lesson 02: The three specific challenges that make brand protection harder in the new gTLD era, monitoring at scale, the evolution of typosquatting, and what happens when a competitor registers your brand name in a TLD you ignored.