How to read a WHOIS record
Decode registrar, status codes, nameservers, and expiry dates in minutes. This guide shows you how to read a WHOIS record and spot the red flags that put your domain at risk.

What a WHOIS record actually is
Every registered domain has a public record that answers four questions: who manages it, when it expires, which servers answer for it, and what restrictions are on it. That record is WHOIS, a lookup protocol old enough that its specification, RFC 3912, describes it as a simple text service with no structure requirements at all.
That lack of structure is why WHOIS output looks intimidating. Different registries format it differently, half the contact fields are redacted, and the useful information is buried between disclaimers. But once you know which five fields to read and in what order, you can assess any domain in under two minutes: your own, a client's, or one you are about to buy.
How to pull a record
You have three options:
- Command line. Run
whois example.comin a terminal. Available by default on macOS and Linux. - Registry websites. Most registries offer a web lookup for their own TLDs.
- A web-based lookup tool. Fastest option if you want the output parsed into labeled fields instead of raw text.
Whichever you use, be aware that thin registries (notably .com and .net) split the data in two. The registry holds only the registrar name, nameservers, and dates. The full record lives with the registrar. If your first lookup seems sparse, query the registrar's WHOIS server listed in the output.
The five fields that matter, in order
Read a WHOIS record in this sequence. Each field answers a specific question, and the order matches how urgent the answer usually is.
1. Expiry date
Registry Expiry Date: 2027-03-14T04:00:00Z
Start here because it is the only field that can take a site offline on a fixed schedule. Expired domains do not fail gracefully: DNS stops resolving, email stops arriving, and after the grace period the domain can enter a redemption phase with recovery fees, then drop to public auction.
If the expiry is inside 60 days and you do not know for certain that auto-renew is on and the payment card is current, treat it as an incident, not a to-do item.
2. Domain status codes
Domain Status: clientTransferProhibited
Status codes are EPP codes, defined in RFC 5731, and they encode what can and cannot happen to the domain right now. The prefix tells you who set the restriction: client codes are set by the registrar, server codes by the registry.
The ones you will see most:
ok: no restrictions. Sounds good, but it means the domain has no transfer lock. Anyone who compromises the registrar account can move it.clientTransferProhibited: transfer lock is on. This is the healthy default for a domain you intend to keep.clientHold/serverHold: the domain has been removed from the DNS zone. It will not resolve. Common causes are unverified registrant email, billing failure, or an abuse complaint. This always needs immediate action.pendingDelete/redemptionPeriod: the domain is in the expiration pipeline. Recovery gets more expensive at each stage.
A well-managed domain typically shows clientTransferProhibited, sometimes alongside clientDeleteProhibited and clientUpdateProhibited. A domain showing only ok, or any hold status, deserves attention today.
3. Nameservers
Name Server: NS1.EXAMPLE-DNS.COM
The nameservers listed in WHOIS are the delegation of record: they decide where every DNS query for the domain gets answered. Check two things. First, are they the servers you expect? If you host DNS with your registrar or a dedicated DNS provider, the names should match that provider. Unexpected nameservers on a domain you control are a strong hijacking signal. Second, are there at least two, on different networks? A single nameserver is a single point of failure.
WHOIS shows the delegation, not the records behind it. To verify what those nameservers actually serve, run the domain through a DNS lookup and compare.
4. Registrar and abuse contact
Registrar: Example Registrar, LLC
Registrar Abuse Contact Email: abuse@example-registrar.com
The registrar is the company you (or the domain owner) pay, and the account you must secure. If you manage domains for clients, this field settles the recurring mystery of "where is this domain actually registered," which is often not where the website is hosted or where the DNS is served.
The abuse contact matters when the domain is not yours: it is the correct reporting channel for phishing or spoofed domains imitating your brand.
5. Registrant data, or what is left of it
Registrant Organization: REDACTED FOR PRIVACY
Since 2018, privacy regulation has caused registries and registrars to redact most personal contact data from public WHOIS output. Expect REDACTED FOR PRIVACY, a privacy-proxy service name, or an anonymized relay email. This is normal and not a red flag by itself.
What you can still extract: the registrant country often remains visible, the organization field sometimes survives for corporate registrations, and the creation date tells you how old the registration is. A domain created three weeks ago claiming to be an established company is worth doubting.
Red flags checklist
When you scan a record, these combinations should stop you:
- Expiry within 60 days with no confirmed auto-renew.
- Status
okonly: no transfer lock on a domain worth keeping. - Any
holdstatus: the domain is not resolving, or is about to stop. - Nameservers you do not recognize on a domain you control.
- A creation date measured in days on a domain asking for trust, money, or credentials.
- Registrar you have never heard of holding a business-critical domain, especially if nobody on the team knows the account login.
WHOIS is giving way to RDAP
The industry is replacing WHOIS with RDAP, the Registration Data Access Protocol, which returns the same registration data as structured JSON over HTTPS instead of free-form text. Generic TLDs already support it, and ICANN retired the WHOIS contractual requirement for gTLDs in early 2025. Everything in this guide still applies: the fields are the same, the EPP status codes are the same, and the red flags are the same. Only the output format is cleaner.
Check your own domains first
The fastest way to apply this is to look up the domains you are responsible for, today, and read them in the order above: expiry, status, nameservers, registrar, registrant. The AcuityScan WHOIS lookup returns the record with the key fields parsed out, so you are not fishing through raw registry text.
Registration data is one layer of domain health. To check the rest, run a free scan at acuityscan.com: 350+ checks across 8 modules covering DNS, email authentication, SSL, security headers, performance, and accessibility in one report.
TL;DR
- A WHOIS record answers four questions: who manages the domain, when it expires, which nameservers answer for it, and what restrictions apply.
- Read five fields in order: expiry date, status codes, nameservers, registrar, registrant data.
- Healthy domains show
clientTransferProhibited. A bareokmeans no transfer lock, and anyholdstatus means the domain is not resolving. - Redacted registrant data is normal post-2018. A very recent creation date on a domain asking for trust is not.
- RDAP is replacing WHOIS as the protocol, but the fields, status codes, and red flags carry over unchanged.
Scan your own site
See what 350+ checks find on your domain.
Free, no signup, 60 seconds. Email auth · DNS · SSL · Performance · SEO · Accessibility · Privacy · Mobile.
