SYSTEMS OPERATIONAL
Domains

WHOIS Privacy Protection: Stop Spam From Your Domain Info

Getwebup 5 min read

You register a domain on a Monday, and by Wednesday your phone is full of "SEO agency" calls and your inbox has three "your website needs redesigning" pitches from people who somehow know your full name, address, and personal email. You didn't leak anything — your WHOIS record did.

Symptom: how you end up exposed

The pattern is almost always the same, and it shows up fast because scrapers poll new domain registrations constantly:

  • Cold calls referencing your domain by name within days of registering it
  • Spam emails addressed to your actual name, not "Dear Customer" — a clear sign the sender pulled it from a public record, not a purchased list
  • Physical junk mail at the address you used during checkout
  • A quick lookup confirms it: run a WHOIS query and your name, phone, email, and mailing address are sitting right there in plain text

Check your own exposure with:

whois yourdomain.com

If the Registrant, Admin, and Tech blocks show a real name, phone number, and street address instead of something like "Redacted for Privacy" or a proxy service's contact details, that record is public — and it's indexed by every WHOIS-scraping bot on the internet, not just visible to someone who thinks to look.

Cause: WHOIS is public by design, unless you opt out

ICANN's original WHOIS policy was built in the 1990s around the idea that domain ownership should be publicly attributable, similar to property records. Every registrar is required to collect your real registrant, admin, and technical contact details and publish them in a queryable database — that part hasn't changed for most gTLDs.

What has changed is that registrars now offer WHOIS privacy protection (sometimes called domain privacy, ID protection, or a GDPR/redaction proxy) as an add-on or, on many gTLDs, a default. Instead of publishing your real details, the registrar substitutes its own proxy contact info in the public record and forwards any mail sent to it — including that ICANN verification email — to your real inbox behind the scenes.

Two things commonly break this expectation:

  • You registered before privacy was toggled on. Some registrars only apply privacy automatically to new orders going forward, not to domains bought years ago under an older checkout flow.
  • Your TLD doesn't support it. Country-code domains often have their own registry rules that override what your registrar can offer — see the table below.

Fix: turn on privacy protection

Step 1 — Confirm which registrar actually holds the domain

Privacy protection is set at the registrar level, not in cPanel or your hosting dashboard, so log in to wherever the domain is registered. If you bought hosting and the domain together through Getwebup, that's the Domains tab in your Getwebup dashboard; if you registered elsewhere and just pointed nameservers at us, you'll need to log in to that original registrar instead.

Step 2 — Enable privacy on the domain

Open the domain's management page and look for "Privacy Protection," "ID Protect," or "WHOIS Privacy" as a toggle or add-on. On Getwebup, it's under Domains → your domain → Privacy Protection → Enable. Most registrars apply it within minutes; the change propagates through WHOIS the next time the record refreshes, usually under an hour.

Step 3 — Re-check with a WHOIS lookup

Run the same whois yourdomain.com query again. You should now see the registrar's proxy service name and a masked contact address instead of your personal details. If it still shows your real info after a few hours, the TLD may not support privacy — check the table below before opening a support ticket.

Step 4 — Watch for the one legitimate exception

Privacy protection doesn't block the registrar's own compliance emails — verification requests, renewal notices, and transfer authorization codes still reach you, just routed through the proxy. Don't assume an email "can't be real" because it came through a masked address; that's expected behavior, not a phishing sign, as long as it's asking you to act on your own domain.

Privacy support by TLD

TLDPrivacy protection available?Notes
.com / .net / .org / .infoYesWidely supported, often free with registration
.io / .co / .devYesStandard gTLD-style rules apply
.in / .co.inLimitedNIXI policy restricts full redaction; some fields may stay visible depending on registrant type
.org.in / .gen.in / .firm.inNoCategory-restricted TLDs generally require verifiable public registrant data
.usNoUS registry policy prohibits WHOIS privacy on .us domains
.euYes (by default)EU GDPR rules mean personal data is redacted from public WHOIS automatically

Prevention: don't leave the next domain exposed

  • Enable privacy at checkout, not after — some registrars make it a one-click add-on during purchase, which skips the whole "wait for the spam to start" cycle.
  • Audit domains you registered years ago, especially any bought before your registrar made privacy a default. Old domains are the ones most likely sitting fully exposed.
  • Re-check privacy status after a domain transfer. Moving a domain to a new registrar can reset privacy settings, and ICANN's transfer rules require a short unlock window during which contact info is briefly re-verified.
  • Keep the forwarding email behind the proxy current. If it's stale, you'll miss real notices like renewal reminders or WHOIS verification requests — privacy protection only helps if mail sent to the masked address actually reaches you.
  • Use a monitored inbox for registrant contact info, not a personal address, especially for domains managed on behalf of a client or team.

WHOIS privacy won't stop every unsolicited call — some of that comes from scraping your site itself, not the registry — but it closes the single most direct leak: a public database that anyone, bot or human, can query by typing your domain name.

Frequently asked questions

Is WHOIS privacy protection free?

On most gTLDs like .com, .net, and .org, registrars including Getwebup include it at no extra cost or as a low-cost add-on. Some country-code TLDs restrict or disable it entirely regardless of price, so check the TLD support table rather than assuming payment unlocks it.

Will enabling privacy protection break my email verification or transfer emails?

No. The registrar's proxy still forwards its own compliance emails — ICANN verification, renewal notices, transfer auth codes — to your real inbox behind the scenes. Privacy protection masks your contact details from public WHOIS lookups, not from your registrar's own mail to you.

Why does my .in domain still show my details after enabling privacy?

NIXI, the registry for .in domains, restricts full WHOIS redaction more than most gTLD registries do. Depending on your registrant category, some contact fields may remain visible even with privacy protection turned on — this is a registry-level limit, not something your registrar can override.

Does WHOIS privacy protect me from all spam related to my domain?

It stops spam sourced from scraping the public WHOIS database, which is the most common source right after registration. It won't stop spam generated from crawling your live website's contact page or from data brokers who already had your information before you registered the domain.

Can I add privacy protection to a domain I registered years ago?

Yes, in almost all cases. Log in to whichever registrar holds the domain, open its management page, and enable the privacy toggle — it isn't limited to new registrations. The only exception is if the domain's TLD doesn't support privacy at all, in which case no registrar can add it regardless of when the domain was bought.

#whois-privacy #domain-privacy #gdpr-proxy #domain-registration #spam-prevention #icann

Keep reading

Chat with Support