The Role of Registries and Registrars

I spent a decade as CTO at a registrar. I've been on the receiving end of abuse reports, UDRP proceedings, law enforcement requests, and emergency suspension demands. I know what good registrar cooperation looks like because I tried to build it, and I know where the system breaks down because I watched it happen.

This lesson is the inside view.

What Registries Are Required to Do

Under ICANN's requirements for new gTLD registry operators, every new TLD must implement specific rights protection mechanisms:

Sunrise periods: At least 30 days before general registration opens, trademark holders registered in the TMCH must have priority access to register their marks. The registry operates the Sunrise system and is responsible for verifying eligibility.

TMCH integration: The registry must check new registration requests against the TMCH database and trigger the appropriate claims notice process. This is the automated part, it doesn't require human intervention for each registration.

URS support: The registry must implement the Uniform Rapid Suspension system, which means they're obligated to suspend domains within 24 hours of receiving a valid URS determination from an approved URS provider.

These aren't optional. They're conditions of the new gTLD contract with ICANN. Registries that don't comply face consequences ranging from compliance actions to contract termination.

The compliance landscape is imperfect but functional for the big elements. Where it degrades is in the day-to-day abuse response below the formal URS/UDRP track.

Which Registries Take Brand Protection Seriously

Not all registry operators approach rights protection with the same commitment. Based on my experience and what I've observed in the monitoring work at EBRAND, there are meaningful differences:

Identity Digital (formerly Donuts): The largest new gTLD registry operator by number of TLDs. Their Domain Protected Marks List (DPML) lets trademark holders block registration of their marks across Identity Digital's entire TLD portfolio (700+ extensions) for a single annual fee. This is a genuinely useful product for brands with broad trademark registrations. Their abuse response teams are responsive.

Radix: Operates TLDs like .online, .store, .tech, .site. Has implemented the required RPMs and generally responsive on abuse reports. Their Sunrise periods ran smoothly in my observation.

Minds + Machines: Smaller operator, but invested in rights protection tooling. Their abuse response is generally faster than average.

Less helpful registries tend to cluster around operators who are primarily focused on registration volume rather than namespace quality. Abuse reports go into queues with no acknowledgment. URS compliance timelines stretch to the limit. Escalation paths are unclear. I won't name specific operators here because the situations change, but the pattern is: if a registry's public-facing content focuses heavily on cheap bulk registrations and minimal DNS services, expect slower abuse response.

How Registrars Handle Abuse Reports

The registrar relationship is where most brand protection efforts either get traction or disappear into a black hole.

Here's the structural problem: when you file an abuse report about badactor.shop, the registry operates .shop, but the domain is registered through a registrar, which might be GoDaddy, Namecheap, a European registrar, a reseller three levels removed from anyone with authority, or any of the ~3,000 ICANN-accredited registrars worldwide. The registry and the registrar are different entities with different responsibilities.

ICANN requires registrars to maintain an abuse contact, a publicly listed email address or form where reports can be submitted. The quality of response varies enormously.

What actually gets fast action:

Reports that include specific evidence of active harm (phishing page screenshots, email headers from phishing emails, credential harvesting activity)
Reports that cite specific ICANN policy violations (WHOIS inaccuracy, proxy abuse, use of the domain for malware distribution)
Reports to registrars who have dedicated abuse teams (the larger registrars generally have this)
Reports that come with an UDRP filing number, registrars sometimes voluntarily lock domains pending UDRP resolution

What goes into the black hole:

Generic "this domain infringes my trademark" reports without evidence
Reports submitted to contact addresses that haven't been updated in years
Reports about domains registered through privacy/proxy services where the registrar claims no knowledge of the actual registrant
Reports to resellers who don't have authority to suspend domains, the authority sits with the actual accredited registrar above them

The Registrar Abuse Contact Database (RADB)

ICANN maintains a database of registrar abuse contacts at registrars.nominet.org.uk, or through ICANN's RDAP system. Most monitoring services also maintain their own registrar contact databases with tested email addresses and response time histories.

The practical tip: don't use the contact address on the registrar's public website if you can avoid it. Find the abuse contact via RDAP or WHOIS and send to that directly. Registrar abuse contacts are supposed to be monitored; the general inquiry contact on the website may not be.

For domains registered through privacy protection services, the registrar is obligated under ICANN's Temporary Specification for gTLD Registration Data to reveal the underlying registrant's contact information upon receipt of a legitimate legal request, a URS determination, or a UDRP complaint. The privacy layer doesn't block enforcement, it slows it down by one step.

Where the System Actually Breaks Down

From the inside, these are the real failure points:

The 24-hour URS clock: ICANN requires registries to suspend domains within 24 hours of a URS determination. In practice, the clock interpretation varies, some registries process within hours, others take the full 24 and occasionally longer. For an active phishing campaign, 24 hours is significant.

Reseller chains: Many domains are registered not directly with an ICANN-accredited registrar, but through a reseller of a reseller. Abuse reports sent to the reseller get forwarded, or don't. The actual suspension authority sits with the accredited registrar, which may be two or three layers removed from the visible registration interface. Tracing the chain takes time.

Slow-walking vs. compliance: There's a difference between a registrar that's genuinely trying to comply with abuse response requirements and one that's technically compliant but operationally unhelpful. The latter will acknowledge your report within the required timeframe, conduct an "investigation," and close the ticket without action. Technically compliant; practically useless. The remediation is escalation to ICANN Compliance, which takes weeks, by which time the phishing campaign has ended anyway.

The legitimate-use question: Registrars are reluctant to suspend domains proactively when there's any ambiguity about legitimate use. This is actually correct from a process standpoint, registrars aren't arbiters of trademark disputes. But it means that domains used for subtle brand abuse (competitor sites designed to create confusion, rather than obvious phishing) often don't get registrar-level action. That's what UDRP is for.

Key Takeaways

Registries are contractually required to implement Sunrise periods, TMCH integration, and URS support. The big operators (Identity Digital, Radix) generally do this well.
Identity Digital's DPML is worth knowing about, it blocks registration of your marks across 700+ TLDs for a single fee.
Registrar abuse response quality varies enormously. Evidence-backed reports with specific policy violations get faster action than generic trademark complaints.
Understand the registrar/registry distinction. The registry operates the TLD; the registrar sold the registration. Your abuse report goes to the registrar first.
Privacy protection doesn't block enforcement, it adds a step. URS and UDRP proceedings can pierce privacy protection through ICANN's required disclosure mechanisms.

Up Next

Lesson 08: What's coming next, another gTLD application round, .brand extensions, AI-generated lookalike domains, and what decentralized DNS means for enforcement. The honest version.