Squarespace recently announced that they are acquiring Google Domains from Alphabet. While this is surprising and potentially concerning for some, you need to understand what’s going to happen to your domain names and how you can keep them safe. A lot of the information provided here is applicable to keeping your domain names safe regardless of whether or not your domain names are currently registered with Google Domains.
What We Know
According to the announcement, Squarespace is acquiring Google Domains’ registrar business for $180 million dollars. It’s been reported, by Domain Name Wire, that “JPMorgan Chase Bank is providing financing for part of the purchase.”
Google Domains is the 4th largest domain name registrar, with about 8 million domain names registered:
We did a quick analysis, and this means that Squarespace paid about $21.90 per domain name (more or less). This is interesting, as Google currently has 365 TLDs that can be registered at Google Domains, with an average price of $38.64. See the pricing listed here of what Google Domains charges to register a domain name, depending on the registrar. We find it interesting that Squarespace paid less than one annual payment to register a domain. Domains run from $7 per year for a .DE domain to $500 per year for a .NEW domain name, with a .COM annual registration being $12 per year. We’ve noticed that a lot of the gTLD domains, such as .attorney, .best, and .bargains tend to be around $30-50 per year. The prices are typically set by the domain registry, and then the domain name registrar will ‘mark up’ the domain name price, which also depends on the registry agreement between the registry and the registrar. That’s why you’ll see different prices for the same TLD at various registrars. It definitely pays to shop around, but keep in mind that not all domain name registrars are created equal when it comes to things like domain name security. And beware of “special deals” and promo deals at some registrars. You may be able to register a domain name for $1.99 for the first year, but read the fine print: you typically have to pay for 2-3 years in advance, and the 2nd and 3rd year price is much higher than at other domain registrars. So, is that really a deal? No. The “best price” that we’ve been able to get at a secure domain name registrar is about $10/year ($9.56 for dot com at Fabulous.com). For a .COM domain name at Google Domains, you’re most likely paying $12/year, which is reasonable. In the Squarespace deal, they will honor the Google Domains prices for 12 months. Then we expect the domain pricing at Squarespace to change. Most likely it will go up, or change depending on the TLD.
Squarespace will most likely have to sign new agreements with the registries at some point, and we haven’t looked into whether or not some registry agreements will need to be re-signed when Google Domains is acquired and the deal closes. Squarespace is an accredited domain name registrar (IANA ID 3827), under “Squarespace Domains LLC”. So, they already will have registry agreements in place. Squarespace, according to their TLD page, has 335 TLDs that you can choose from, and Google Domains has 365. We don’t know that will happen to those new 30 TLDs that Google Domains has that Squarespace doesn’t have agreements for, but most likely they will transfer over to Squarespace. But again, we imagine that new registry agreements will need to be signed and negotiated.
Squarespace is a reseller of Google Workspace, in fact one of their top resellers. So, your Google Workspace account and the setup is most likely not going to change. We expect a fairly smooth transition there, so most likely you don’t need to worry about that. They even mentioned Google Workspace in their press release: “Upon closing, Squarespace, a long- time reseller of Google Workspace, will become the exclusive domains provider for any customer purchasing a domain along with their Workspace subscription from Google directly for a minimum of three years. Squarespace will also provide billing and support services to Google Workspace customers that signed up for the service through Google Domains. Customers will continue to have the option to make changes to their domains account at any time.”
You can transfer your domain name out to another domain name registrar at any time, as long as you comply with ICANN’s 60 day rule. The 60 day rule applies if you registered, transferred, or if you make changes to the WHOIS data on the domain name. If you do any of that, then you have to wait 60 days until you can transfer the domain name to another registrar.
So, here’s what we know, just to recap:
- Domains at Google Domains will transfer over to Squarespace.
- Pricing will be honored for 12 months.
- Your Google Workspace account is safe–Squarespace will be the exclusive domains provider for anyone buying a domain with their Workspace subscription from Google, for 3 years.
- You can transfer your domain name to another registrar at any time as long as you comply with the ICANN “60 day rule”.
- In our opinion, domains at Google Domains are technically “not as secure” as they are at Squarespace. More on that below.
Are Your Domain Names Safe? How Do You Keep Them Safe?
As you probably know DNAccess specializes in domain name recovery, mean that we recover stolen domain names for our clients, as well as get back domain names for clients that have expired. Our staff has recovered over 500 stolen domain names for clients in the past year. That’s a lot of stolen domain names–and we’ve learned a lot when it comes to domain name security and keeping your domain name safe. There are a lot of ways that thieves steal domain names, and we’ve created a video that explains how thieves steal domains, which is embedded below.
For this particular case, though, Squarespace acquiring Google Domains, let’s look specifically at how you can keep your domain name safe from being stolen at Google Domains, which will soon become Squarespace Domains.
2FA at Squarespace
When it comes to domain name security, one of the most important things we recommend is that you secure access to your account at a domain name registrar. For Google Domains, this means that you need to take advantage of Google’s highest level of security, which is Google Advanced Protection. Google essentially “locks down” accounts that are enrolled in the program, using their highest level of security. To enroll, you need to purchase a security key (typically two keys) that are physical security keys (both a USB style key and a NFC/bluetooth key). There are a few ways to connect the keys to your Google Account, which is good. You use these keys when you need to log into your Google Account, and you don’t necessarily need them every single time you log in: just when you log in from a new device that Google doesn’t recognized (such as a different laptop, desktop, tablet, phone, etc.). The whole point here is that you have a physical security key to log in, and most likely someone in another country trying to hack into your account won’t have the physical key, so they can’t log in. Your Google Account is tied to your Google Domains account, and that is what makes your domain names secure. Google’s Advanced Protection program will do some additional ‘security’ types of things to secure your account, such as identify suspicious activity, so that’s why we say that Google Domains is the most secure registrar currently. However, we know that Squarespace is acquiring Google Domains, so of course domain security is a concern when you no longer use your Google Account to access domain names.
Squarespace’s account security is good–and a lot better than the majority of domain name registrars that we’re familiar with. If you continue to use Squarespace as a registrar, and don’t transfer your domain names to another registrar, then you absolutely need to sign up for Squarespace’s 2FA security, especially the 2FA with the authentication app. When you go to log into your Squarespace account, you will be asked for a code that you need to provide from the authentication app on your phone. In their help docs, Squarespace is recommending the Google Authenticator app. We typically use the Authy authenticator app, but Google Authenticator is just fine–that means if you’re using Squarespace you’ll need to add another app, Google Authenticator, if you’re not using it already. We recommend going one step further, and adding a Yubikey from Yubico to your authenticator app. You can learn more about adding the security key here at Yubico.
We Don’t Recommend Using 2FA SMS
One of the ways for 2FA that domain name registrars offer is to send you a text message with a code. Squarespace offers this option, as well as some other domain name registrars, such as GoDaddy. We do NOT recommend that you use this method of authentication, as it can easily be hacked–and it can easily be turned off. We have dealt with a lot of stolen domain name cases where our clients had the SMS/text message type of authentication (2FA) turned ON, and the hackers just bypassed it and turned it off on their account once they got into the account at the domain name registrar. There are plenty of others who have written about how insecure 2FA with a text message is, so we won’t bother going into details. What you should know is that 2FA with a text message it not very secure. We still recommend setting it up, but you should be setting up 2FA with a security key and authenticator codes rather than just relying on a text message to your phone. As an aside, we currently cannot recommend moving your domain names to the GoDaddy registrar while they only offer 2FA via text message. We hope they will consider adding 2FA with authenticator codes as a 2FA option, so you can add a physical security key.
At this time, as long as you are aware of what will happen to your Google Domains and are prepared to set up 2FA with the authenticator app (and hopefully a physical security key), then we’re OK with you sticking with Squarespace for your domain registar. If you are only going to use Squarespace as a domain name registrar, there are other options, such as Fabulous.com, as well as Porkbun and Namecheap–all will allow you to set up a physical security key to access your domain name account.
Further Ways to Protect Your Domain Name
Finally, we’d like to give you additional ways that you protect your domain names from getting stolen or having anything happen to them.
Here are 7 things you can do right now to protect your most valuable asset, your domain name.
Set up 2FA
1. Set up 2FA (two-factor authentication) whenever it’s offered to you by your domain registrar. If they don’t offer it, transfer your domain name to another registrar.
If you are going to use 2FA, consider adding a physical key to that process. You can get a Yubikey inexpensively and add that to the 2FA process. Hackers won’t have the physical Yubikey, so they cannot gain access to your account. Google offers Google Advanced Protection, so you may consider adding that if you use a Google Account for access to a Google Account (Google Domains). There are other domain name registrars, such as Epik.com, that recommend you use an app such as Authy or Authenticator to get a ‘code’ through the app when you log in. These apps support the use of a YubiKey, so I recommend setting up 2FA this way, especially with Epik.
Turn On Registry Lock
2. Turn on Registry Lock if it’s offered at your registrar. It is different than registrar lock. This basically makes it more difficult to make changes to the domain, especially name server changes. It’s just another level of protection, but can be turned off by the hacker. Some registrars have other names for this, some call it Executive Lock. Fabulous.com offers an option for them to call do something specific before making changes. For example, you can tell them to call you and ask for a certain code. Or you can have them email you at another email address before making any changes on the account.
Register Your Domain for 5 Years
3. Register the domain for at least 5 years in advance. If it’s stolen or transferred there will be no question as to whether or not it simply expired. I’ve run into this over and over again when recovering domains. We can easily rule out expiration since it was registered for a few years in advance (easy to see via whois history).
Do Not Rely on Auto Renew
4. Do NOT rely on “auto renewal”, as we constantly hear from people who lose their domains because auto renewal was turned on and their credit card was “supposed to be” charged. And it was not. (Credit card didn’t go through, etc.).
Never Use a Free Email Account
5. Never use a “free email” such as gmail, hotmail, outlook, etc. as the contact email on the domain. Those accounts routinely get hacked, compromised, etc..
Don’t Use the Same Email Address as the Domain
6. Make sure that you don’t ever use the same email address of the domain. For example, in the whois record of hartzer(.com), don’t use bill@hartzer(.com). If it’s a stolen domain, there will be issues recovering the domain. And you cannot gain access to the domain easily if the domain is using the same domain that has been stolen. If the domain is stolen you won’t have access to email on that domain. So you cannot easily communicate with your registrar or with me, who is trying to recover your domain name for you. And, you won’t get any notifications about the domain name’s changes or that it’s being transferred out to another registrar.
If you use another email address in your WHOIS record, as recommended, make sure you RENEW that domain name as well. If the domain with that email address expires, then the domain thief just has to get access to that domain name with that email and they can steal your other domain name, as well as any other domain names using that email address in the WHOIS record. That’s how AirBNB had Tilt.com stolen from them. They had an email address @customtilt.com in the WHOIS record, and someone bought customtilt.com and then stole tilt.com from AirBNB. So, don’t do that.
Turn Off WHOIS Privacy
7. Finally, consider NOT using whois privacy on domains you really care about. Use a UPS Store address if you have to. But don’t use whois privacy. When it comes down to recovering the domain, when you have to prove ownership, it’s a lot easier if you have not used whois privacy on the domain. Domain thieves will immediately turn on privacy when they gain access to the domain, then they will attempt to transfer the domain out.