
Defensive Domain Registration

The cheapest protection against lookalike domain abuse is to register the most likely variants yourself. A domain you own cannot be weaponized against you. This guide covers what to register, where to register, how to configure defensive domains, and when it makes more sense to monitor instead.

1 Use PhishFence to identify which variants to register

Before spending money on defensive registrations, use PhishFence's variant generator to see the full picture. The scanner generates variants across nine categories:

  • Character omission: each letter removed one at a time (example → exmple)
  • Character transposition: adjacent letters swapped (example → exmaple)
  • Character repetition: doubled letters (example → exxample)
  • Keyboard adjacency: nearby keys substituted (example → ezample)
  • Character insertion: extra characters added between each position
  • Hyphen insertion: hyphens placed at each position (ex-ample)
  • TLD swaps: your base name across .com, .net, .org, .io, .co, .info, .biz, .app, .dev
  • Subdomain-style prefix spoofs: phishing prefixes like secure-, login-, account-
  • Homoglyph substitutions: visually similar characters (planned for IDN/Unicode domains)

How to use the results:

  1. Run a scan on your primary domain from the PhishFence dashboard.
  2. Review the results: variants that already resolve (have DNS, serve content, or have MX records) are immediate threats. Investigate and take action using the other guides.
  3. Variants that are unregistered are candidates for defensive registration. Focus on the ones that are most likely to be typed accidentally or used in phishing campaigns.
  4. Export or note the unregistered variants and prioritize them using the framework below.

2 TLD variants to register (with approximate costs)

Registering your brand name across the most commonly abused TLDs is the highest-impact defensive action. These are the TLDs to prioritize, in order of importance:

Tier 1: Register immediately

Critical

These are the TLDs that attackers abuse most frequently because users expect them and trust them.

TLD | Why | Approx. cost/yr
---
.com | Most common TLD. If this is not your primary, register it first. | $10–$12
.net | Second most commonly typed by users; frequently used in phishing. | $11–$14
.org | Trusted TLD; can be used to impersonate support or community sites. | $10–$13
.co | Extremely common typo for .com, and users often omit the “m”. | $25–$30

Tier 2: Register if budget allows

Recommended

Common among tech companies and startups. Attackers use these to target tech-savvy audiences.

TLD | Why | Approx. cost/yr
---
.io | Popular with SaaS and developer tools; high credibility. | $30–$40
.app | Google-operated TLD; requires HTTPS. Used for app-related phishing. | $15–$20
.dev | Google-operated TLD; requires HTTPS. Common for developer tools. | $13–$18

Tier 3: Register for high-value brands

Optional

Lower abuse frequency but still used in targeted attacks, especially for large or well-known brands.

TLD | Why | Approx. cost/yr
---
.info | Very cheap and frequently used for throwaway phishing domains. | $4–$6
.biz | Low cost, sometimes used in business email compromise (BEC) attacks. | $5–$8
.xyz | Extremely cheap; one of the most-abused TLDs for phishing campaigns. | $2–$5

Country-code TLDs (ccTLDs)

If international

If you operate in specific countries or have significant user bases outside your home market, register the ccTLD for each major market. Attackers target the local variant of a brand to build trust with regional users.

TLD | Region | Approx. cost/yr
---
.co.uk | United Kingdom | $8–$12
.de | Germany | $7–$12
.com.au | Australia | $12–$18
.ca | Canada | $10–$15
.in | India | $8–$12

Note: Some ccTLDs have residency or business presence requirements. Check the registry requirements before registering.

3 Typosquat patterns to register

Beyond TLD variants, you should register the most likely typosquats of your brand name. Focus on the patterns that real users are most likely to type accidentally, or that attackers most commonly exploit.

Character omission (missing letters)

One letter removed from the brand name. These are the most common accidental typos.

# Example: "acmecorp.com"
cmecorp.com, amecorp.com, acecorp.com, acmcorp.com, acmeorp.com ...

Priority: Register omissions at the beginning and end of the name, since those are where users make the most mistakes.

Character transposition (swapped letters)

Two adjacent characters swapped. Extremely common on keyboards for fast typists.

# Example: "acmecorp.com"
camecorp.com, amcecorp.com, acemcorp.com, acmceorp.com ...

Keyboard adjacency (nearby key substitution)

A character replaced with a key that is physically adjacent on a QWERTY keyboard. PhishFence maps every letter to its neighbors for this analysis.

# Example: "acmecorp.com" ('c' adjacent to 'x', 'd', 'f', 'v')
axmecorp.com, admecorp.com, afmecorp.com, avmecorp.com ...

Character repetition (doubled letters)

A letter typed twice. Common with fast typing and auto-repeat on held keys.

# Example: "acmecorp.com"
aacmecorp.com, accmecorp.com, acmmecorp.com ...

Hyphen variants

Hyphens inserted within the brand name or phishing-style prefixes added. These are common in targeted phishing campaigns.

# Hyphen insertion
acme-corp.com, ac-mecorp.com
# Phishing prefixes
login-acmecorp.com, secure-acmecorp.com, account-acmecorp.com

The phishing prefix variants (login-, secure-, account-, mail-, support-, help-, www-) are high-priority registrations because they are specifically designed to deceive.

Practical limit: For a 7-character brand name, PhishFence's variant generator produces hundreds or thousands of permutations. You cannot register them all. Focus on the top 10–30 most plausible variants, the ones a real person would actually type or that look convincing in a phishing email. Use PhishFence's scan results to see which unregistered variants are closest to your brand visually.
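The nine variant categories from section 1 and the typosquat patterns above, implemented as an added Python example. This is not PhishFence's own generator: it reproduces the categories the guide describes for ASCII brand names (homoglyph/IDN variants are left out) and goes one step further by ranking the output into a registration shortlist. The QWERTY geometry, the phishing-prefix list and the priority order in `CATEGORY_RANK` are this example's assumptions.

```python
"""Typosquat variant generator and shortlist for defensive registration.

Added example, not PhishFence's code. Implements character omission,
transposition, repetition, keyboard adjacency, insertion, hyphen insertion,
TLD swaps and phishing-style prefixes for an ASCII brand name, then ranks
the results in an assumed priority order for registration.
"""
import string

# Assumed QWERTY geometry: each row sits half a key to the right of the row
# above it, which is what makes 'c' border 'd' and 'f' but not 's'.
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
ROW_OFFSET = (0.0, 0.5, 1.0)


def build_adjacency():
    """Map each letter to the keys physically next to it."""
    pos = {ch: (r, c + ROW_OFFSET[r])
           for r, row in enumerate(QWERTY_ROWS) for c, ch in enumerate(row)}
    adj = {}
    for ch, (r, x) in pos.items():
        near = set()
        for other, (r2, x2) in pos.items():
            same_row = r2 == r and abs(x2 - x) == 1
            next_row = abs(r2 - r) == 1 and abs(x2 - x) <= 0.75
            if other != ch and (same_row or next_row):
                near.add(other)
        adj[ch] = near
    return adj


ADJ = build_adjacency()
# Prefix list and TLD list follow the guide; the rank order is an assumption.
PHISH_PREFIXES = ("login", "secure", "account", "mail", "support", "help", "www")
TLDS = ("com", "net", "org", "io", "co", "info", "biz", "app", "dev")
CATEGORY_RANK = {"tld-swap": 0, "prefix": 1, "omission-edge": 2,
                 "transposition": 3, "omission": 4, "repetition": 5,
                 "adjacency": 6, "hyphen": 7, "insertion": 8}


def omissions(name):
    return {name[:i] + name[i + 1:] for i in range(len(name))}


def transpositions(name):
    return {name[:i] + name[i + 1] + name[i] + name[i + 2:]
            for i in range(len(name) - 1) if name[i] != name[i + 1]}


def repetitions(name):
    return {name[:i] + name[i] + name[i:] for i in range(len(name))}


def adjacency(name):
    return {name[:i] + n + name[i + 1:]
            for i, ch in enumerate(name) for n in ADJ.get(ch, ())}


def insertions(name, alphabet=string.ascii_lowercase):
    # One extra character between every pair of existing positions.
    return {name[:i] + ch + name[i:] for i in range(1, len(name)) for ch in alphabet}


def hyphenations(name):
    return {name[:i] + "-" + name[i:] for i in range(1, len(name))}


def prefixed(name):
    return {f"{p}-{name}" for p in PHISH_PREFIXES}


def generate(domain):
    """Return {variant_domain: category} for a brand domain such as 'acmecorp.com'."""
    name, _, tld = domain.lower().partition(".")
    variants = {}

    def add(label, v):
        variants.setdefault(f"{v}.{tld}", label)  # first category to produce it wins

    for v in omissions(name):
        add("omission-edge" if v in (name[1:], name[:-1]) else "omission", v)
    for label, fn in (("transposition", transpositions), ("repetition", repetitions),
                      ("adjacency", adjacency), ("hyphen", hyphenations),
                      ("prefix", prefixed), ("insertion", insertions)):
        for v in fn(name):
            add(label, v)
    for t in TLDS:
        if t != tld:
            variants.setdefault(f"{name}.{t}", "tld-swap")
    variants.pop(domain.lower(), None)  # the brand itself is never a variant
    return variants


def shortlist(domain, limit=30):
    """The first `limit` variants in the assumed priority order."""
    ranked = sorted(generate(domain).items(),
                    key=lambda kv: (CATEGORY_RANK[kv[1]], kv[0]))
    return [d for d, _ in ranked[:limit]]


if __name__ == "__main__":
    for d in shortlist("acmecorp.com", 20):
        print(d)
```

`generate()` keeps the first category that produces a string, so a doubled letter is reported as a repetition rather than an insertion. `shortlist()` is the practical-limit step: it puts TLD swaps and phishing prefixes first and the 180-odd single-character insertions last, so the top 10 to 30 entries are the ones worth pricing.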

4 Registrar comparison for bulk defensive registration

When registering 10–30+ defensive domains, your choice of registrar significantly affects ongoing cost and management overhead. Here is how the major registrars compare:

Registrar | .com price/yr | Bulk tools | Best for
---
Cloudflare Registrar | ~$10.11 (at-cost, no markup) | Good dashboard, API, free WHOIS privacy | Lowest ongoing cost; already using Cloudflare DNS
Porkbun | ~$10.37 | Bulk search, free WHOIS privacy, URL forwarding included | Best value for defensive domains; built-in URL forwarding
Namecheap | ~$10.98 | Bulk search tool, Beast Mode, free WhoisGuard | Good bulk registration workflow; easy domain forwarding
Squarespace Domains | ~$12.00 | Clean UI, free WHOIS privacy | Simple management; former Google Domains customers
GoDaddy | ~$12.99 (renews ~$22.99) | Bulk tools available; WHOIS privacy costs extra (~$10/yr) | Avoid for defensive registration. High renewals, upsell-heavy

Recommendation: Use Cloudflare Registrar or Porkbun for defensive domains. Both offer at-cost or near-cost pricing, free WHOIS privacy, and reasonable management interfaces. The key advantage is that renewal prices are the same as registration prices, with no surprise price increases in year two.

Consolidate registrars: Whenever possible, keep all defensive domains at the same registrar as your primary domain. This simplifies DNS management, reduces the number of accounts to monitor, and makes bulk renewal easier. If your primary domain is at a registrar with high renewal prices, consider transferring everything to Cloudflare or Porkbun.

5 WHOIS privacy considerations

Every domain registration creates a public WHOIS record containing the registrant's name, email, phone number, and address. For defensive domains, WHOIS privacy is important for several reasons:

  • Prevents spam harvesting. Without privacy, your contact info on 20+ domains becomes a magnet for spam and social engineering attempts.
  • Avoids revealing your defensive strategy. If an attacker can query WHOIS and see you own dozens of variants, they know exactly which gaps remain open.
  • Reduces personal exposure. Especially important if the domains are registered to an individual rather than a company.

Registrar WHOIS privacy comparison

  • Cloudflare: Free WHOIS privacy, enabled by default on all domains.
  • Porkbun: Free WHOIS privacy on all supported TLDs.
  • Namecheap: Free WhoisGuard on all domains.
  • Squarespace Domains: Free privacy protection included.
  • GoDaddy: Charges approximately $10/year per domain for "Domain Privacy." This adds up significantly with 20+ defensive domains.

Note: Some ccTLDs (e.g., .us, .ca, .com.au) do not support WHOIS privacy due to registry policies, regardless of registrar.

6 Set up redirects from defensive domains

Do not just park defensive domains. Redirect them to your primary domain. This way, anyone who accidentally types a variant lands on your real site instead of seeing a registrar parking page (or worse, a “this domain is for sale” listing).

Option A: Registrar-level URL forwarding (recommended for simplicity)

Most registrars offer a built-in URL forwarding feature that requires no hosting or server setup.

  • Namecheap: Domain List → Manage → Redirect Domain → enter your primary URL → select “Permanent (301)”
  • Porkbun: Domain Management → URL Forwarding → enter destination URL → select “301 Redirect”
  • Squarespace: DNS Settings → URL forwarding → enter destination
  • GoDaddy: DNS Management → Forwarding → add forwarding rule with 301

Cloudflare does not offer simple URL forwarding in the registrar, so use their Redirect Rules (see Option B).

Option B: Cloudflare Redirect Rules (for Cloudflare-managed domains)

If your defensive domains use Cloudflare DNS, set up a Redirect Rule:

  1. Add the defensive domain to your Cloudflare account (free plan is sufficient).
  2. Go to Rules → Redirect Rules → Create Rule.
  3. Set the match: Hostname equals typo-domain.com
  4. Set the action: Static redirect to https://yourdomain.com with status code 301.
  5. Optionally check “Preserve query string” if you want URL parameters forwarded.

Option C: Web server redirect (if you control a server)

If you run your own web server, point the defensive domain's A record to your server and configure a redirect in your server config.

# Nginx example
server {
    server_name typo-domain.com www.typo-domain.com;
    return 301 https://yourdomain.com$request_uri;
}

# Apache .htaccess or VirtualHost
RewriteEngine On
RewriteRule ^(.*)$ https://yourdomain.com/$1 [R=301,L]

Always use 301 (permanent) redirects, not 302 (temporary). A 301 tells search engines that the redirect is permanent, which prevents the defensive domain from appearing in search results and consolidates any accidental SEO value to your primary domain.

7 DNS configuration for defensive domains

The DNS setup depends on which redirect method you chose. Here are the two most common approaches:

For registrar URL forwarding

When using your registrar's built-in forwarding, the registrar handles DNS automatically. You typically do not need to add any A or CNAME records manually. The forwarding feature configures them behind the scenes. Just ensure:

  • The domain's nameservers are pointed to your registrar's nameservers (usually the default).
  • Any existing A/AAAA/CNAME records are removed if they conflict with the forwarding.

For Cloudflare Redirect Rules or web server redirect

You need an A record for the redirect to work. The DNS record must resolve before the redirect can fire.

# If using Cloudflare (proxied mode)
Type: A   Name: @   Content: 192.0.2.1   Proxy: ON (orange cloud)
# The IP doesn't matter when proxied; Cloudflare intercepts the request.

# If pointing to your own server
Type: A   Name: @   Content: YOUR_SERVER_IP   Proxy: OFF

For Cloudflare proxied domains, you can use any placeholder IP (e.g., 192.0.2.1), since the request never reaches it because Cloudflare's edge handles the redirect.

Add a www subdomain redirect too

Users may type www.typo-domain.com. Add a CNAME record for www pointing to the root domain, and ensure your redirect covers both the root and www subdomain.

Type: CNAME   Name: www   Content: typo-domain.com
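Once the redirect and DNS are in place, verify them rather than assume. The checker below is an added example, not part of the guide or of PhishFence: it issues a HEAD request without following redirects and confirms what sections 6 and 7 ask for (a 301 rather than a 302, an https Location on the primary host, and the original path and query carried over) for both the apex and the www host. The `fetch` parameter is injectable so the logic can be exercised against constructed responses; the default performs a real request with the standard library. Hostnames and the probe path are placeholders.

```python
"""Verify that a defensive domain returns a permanent redirect to the primary site.

Added example, not part of the guide or the PhishFence tool. Checks status
301, https scheme, the primary hostname, and path/query preservation on
both the apex and www names. `fetch(host, path)` must return
(status_code, location_header); the default does a real HEAD request.
"""
import http.client
from urllib.parse import urlsplit


def http_head(host, path, timeout=10):
    """Default fetcher: one HEAD request over plain HTTP, redirects not followed."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location", "") or ""
    finally:
        conn.close()


def check_redirect(defensive_host, primary_host, path="/some/path?q=1",
                   fetch=http_head, require_path=True):
    """Return a list of problems; an empty list means the redirect is correct."""
    problems = []
    status, location = fetch(defensive_host, path)
    if status == 302:
        problems.append("302 (temporary) used; guide requires 301")
    elif status != 301:
        problems.append(f"unexpected status {status}")
    if not location:
        problems.append("no Location header")
        return problems
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"Location is not https: {location}")
    if target.hostname != primary_host:
        problems.append(f"Location host {target.hostname!r} is not {primary_host!r}")
    if require_path:
        want = urlsplit(path)
        if (target.path.rstrip("/") != want.path.rstrip("/")
                or target.query != want.query):
            problems.append(f"path/query not preserved: {location}")
    return problems


def check_domain(defensive, primary, fetch=http_head, require_path=True):
    """Check both the apex and www names, as section 7 recommends."""
    return {host: check_redirect(host, primary, fetch=fetch, require_path=require_path)
            for host in (defensive, f"www.{defensive}")}


if __name__ == "__main__":
    # Placeholder names; substitute your own defensive and primary domains.
    for host, problems in check_domain("typo-domain.com", "yourdomain.com").items():
        print(host, "OK" if not problems else problems)
```

Registrar-level forwarding often drops the path and sends everything to the destination root; for domains set up that way, call the check with `require_path=False` so only the status, scheme and host are enforced.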

8 Email spoofing protection (SPF, DMARC, DKIM)

Even though you are not sending email from your defensive domains, you must configure email authentication records to prevent attackers from exploiting them for email spoofing if they ever gain DNS access.

Add these TXT records to every defensive domain:

# SPF: reject all email from this domain
Type: TXT   Name: @   Value: "v=spf1 -all"
# DMARC: reject all email that fails authentication
Type: TXT   Name: _dmarc   Value: "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;"
# DKIM: empty key signals no signing capability
Type: TXT   Name: *._domainkey   Value: "v=DKIM1; p="
# Null MX: explicitly declare this domain does not accept email (RFC 7505)
Type: MX   Name: @   Priority: 0   Value: .

The combination of v=spf1 -all, a reject DMARC policy, an empty DKIM key, and a null MX record tells every mail server in the world: “This domain does not send email, and any email claiming to be from it should be rejected.”

For a detailed walkthrough of SPF, DKIM, and DMARC, see the Set Up DMARC, SPF & DKIM guide.
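The four records above are easy to publish and easy to get subtly wrong (a `~all` left over from a parking template, a DMARC policy of `none`, a real MX). The audit below is an added example, not part of the guide or of PhishFence: it takes a domain's records as a dictionary (the two record sets are constructed; in practice fill the dictionary from your DNS provider's API or from `dig` output) and reports which of the SPF, DMARC, DKIM and null-MX controls are missing or weaker than the guide prescribes.

```python
"""Audit the no-mail DNS records the guide prescribes for a defensive domain.

Added example, not part of the guide or the PhishFence tool. Records are
passed in as {owner_name: {rrtype: [values]}}; MX values are (priority, host).
"""

# Constructed records for a correctly configured defensive domain.
GOOD_RECORDS = {
    "@": {"TXT": ["v=spf1 -all"], "MX": [(0, ".")]},
    "_dmarc": {"TXT": ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;"]},
    "*._domainkey": {"TXT": ["v=DKIM1; p="]},
}

# Constructed records for a domain parked with a generic mail template.
WEAK_RECORDS = {
    "@": {"TXT": ["v=spf1 include:_spf.mail.example ~all"], "MX": []},
    "_dmarc": {"TXT": ["v=DMARC1; p=none"]},
}


def parse_tag_value(txt):
    """Split a 'k=v; k2=v2' record (DMARC and DKIM syntax) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def audit_spf(txt_records):
    spf = [t for t in txt_records if t.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF missing (add 'v=spf1 -all')"]
    if len(spf) > 1:
        return ["multiple SPF records published; RFC 7208 allows exactly one"]
    if spf[0].split()[1:] != ["-all"]:
        return [f"SPF authorises senders or is not a hard fail: {spf[0]!r}"]
    return []


def audit_dmarc(txt_records):
    recs = [t for t in txt_records if t.lower().startswith("v=dmarc1")]
    if not recs:
        return ["DMARC missing (add 'v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;')"]
    tags = parse_tag_value(recs[0])
    problems = []
    if tags.get("p") != "reject":
        problems.append(f"DMARC p={tags.get('p')!r}, want reject")
    if tags.get("sp", tags.get("p")) != "reject":  # sp inherits p when absent
        problems.append("DMARC subdomain policy (sp) is not reject")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") != "s":  # alignment defaults to relaxed
            problems.append(f"DMARC {tag} is not strict")
    return problems


def audit_dkim(txt_records):
    recs = [t for t in txt_records if t.lower().replace(" ", "").startswith("v=dkim1")]
    if not recs:
        return ["DKIM wildcard record missing (add 'v=DKIM1; p=' at *._domainkey)"]
    if parse_tag_value(recs[0]).get("p"):
        return ["DKIM wildcard record carries a public key; a no-mail domain should publish an empty p="]
    return []


def audit_mx(mx_records):
    if not mx_records:
        return ["no MX record: add the null MX '0 .' (RFC 7505)"]
    if mx_records != [(0, ".")]:
        return [f"MX points at real mail hosts: {mx_records}"]
    return []


def audit(records):
    """Return {control: [problems]} containing only the controls with findings."""
    apex = records.get("@", {})
    findings = {
        "spf": audit_spf(apex.get("TXT", [])),
        "dmarc": audit_dmarc(records.get("_dmarc", {}).get("TXT", [])),
        "dkim": audit_dkim(records.get("*._domainkey", {}).get("TXT", [])),
        "mx": audit_mx(apex.get("MX", [])),
    }
    return {k: v for k, v in findings.items() if v}


if __name__ == "__main__":
    print("good:", audit(GOOD_RECORDS))
    print("weak:", audit(WEAK_RECORDS))
```

The DMARC check applies the defaults from the specification (`sp` inherits `p`, alignment is relaxed unless `adkim`/`aspf` say `s`), so a record that merely omits those tags is reported as weaker than the guide's version rather than silently passing.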

9 Cost-benefit analysis: register vs. monitor

Defensive registration is not always the right answer. Here is a framework for deciding when to register a variant versus when to simply monitor it with PhishFence.

Register when:

  • The variant is a TLD swap of your primary domain (.com, .net, .org, .co). These are cheap, high-impact, and almost always worth owning.
  • The variant is a single-character typo that a real user would plausibly type by accident.
  • The variant contains a phishing prefix like login-, secure-, or account-.
  • Your brand handles sensitive data (financial, health, auth) where impersonation could cause direct harm.
  • The domain costs under $15/year, where the cost of monitoring and responding to abuse is higher than just owning it.
  • PhishFence scans show the variant keeps appearing as unregistered across multiple scan cycles, and it is a matter of time before someone takes it.

Monitor instead when:

  • The variant requires multiple character changes, unlikely to be typed accidentally and less convincing in phishing.
  • The TLD is obscure or expensive (e.g., .bank at $10,000+/year, .insurance), where monitoring is far cheaper.
  • The variant is an internationalized domain name (IDN) that uses Unicode characters. These are hard to register defensively and are better handled through browser protections and monitoring.
  • You have limited budget and the variant is a low-probability typo that would not fool a careful reader.
  • The variant is a generic or dictionary word that is likely already registered by a legitimate party.

Example cost analysis for a typical brand

Portfolio tier | Domains | Count | Annual cost
---
Essential TLDs | .com, .net, .org, .co | 3–4 | $35–$60
Tech TLDs | .io, .app, .dev | 2–3 | $55–$80
Top typosquats | Omissions, transpositions, prefixes | 5–15 | $50–$170
ccTLDs | .co.uk, .de, .ca, etc. | 2–5 | $20–$60
Total estimated annual cost | | 12–27 | $160–$370

Costs based on Cloudflare/Porkbun at-cost pricing. Actual costs vary by registrar and TLD availability.

10 Renewal management

A lapsed defensive domain instantly becomes available to attackers. Some registrars auction expired domains within days, and domain drop-catching services specifically target recently expired names. Treat renewal management as seriously as the initial registration.

Enable auto-renew on every defensive domain

This is the single most important renewal action. Go into your registrar's dashboard and verify that auto-renew is turned on for every domain, not just your primary domain. Some registrars disable auto-renew by default on newly registered domains.

Keep your payment method current

Auto-renew does nothing if the credit card on file is expired. Set a recurring calendar reminder every 6 months to verify your payment method is valid at each registrar. Some registrars (Cloudflare, Namecheap) send email warnings when a payment method is about to expire, so do not ignore them.

Consolidate to one registrar

If your defensive domains are spread across multiple registrars, transfer them all to one. This reduces the number of dashboards to check, payment methods to maintain, and accounts that could be compromised. Most registrars charge a standard transfer fee (usually one year of registration) and extend the expiration date by one year.

Maintain a domain inventory spreadsheet

Track all your defensive domains in a simple spreadsheet or document:

# Columns to track
Domain | Registrar | Expiration | Auto-Renew | Redirect Configured | SPF/DMARC Set
---
yourbrand.net | Cloudflare | 2027-03-15 | Yes | Yes | Yes
yourbrand.org | Cloudflare | 2027-03-15 | Yes | Yes | Yes
yourbrand.co | Porkbun | 2027-06-01 | Yes | Yes | Yes

Set calendar reminders

Even with auto-renew enabled, set calendar reminders 30 days before each domain's expiration date as a safety net. If a renewal fails silently (payment issue, registrar error), you have a window to fix it before the domain enters its redemption grace period.
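The inventory and the reminder window above can be checked mechanically instead of by eye. The script below is an added example, not part of the guide: it parses the pipe-separated inventory format shown above (the three rows are constructed to match it, with deliberate gaps) and, for a given reference date, lists every domain that expires within the reminder window, has auto-renew off, or is missing its redirect or SPF/DMARC configuration. It also reports how many registrars the portfolio is spread across, which is the consolidation point above.

```python
"""Audit a defensive-domain inventory for renewal and configuration gaps.

Added example, not part of the guide. Reads the pipe-separated inventory
layout the guide shows and flags expiring, unrenewed or unconfigured domains.
"""
from datetime import date, timedelta

# Constructed sample in the guide's inventory format; the gaps are deliberate.
INVENTORY = """\
Domain | Registrar | Expiration | Auto-Renew | Redirect Configured | SPF/DMARC Set
---
yourbrand.net | Cloudflare | 2027-03-15 | Yes | Yes | Yes
yourbrand.org | Cloudflare | 2027-03-15 | Yes | No | Yes
yourbrand.co | Porkbun | 2026-04-01 | No | Yes | No
"""


def parse_inventory(text):
    """Return one dict per domain row, keyed by the header names."""
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.strip().startswith("---")]
    header = [h.strip() for h in lines[0].split("|")]
    rows = []
    for line in lines[1:]:
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != len(header):
            raise ValueError(f"malformed inventory row: {line!r}")
        rows.append(dict(zip(header, cells)))
    return rows


def audit_inventory(rows, today, window_days=30):
    """Return {domain: [issues]} for domains needing attention by `today`."""
    findings = {}
    for row in rows:
        issues = []
        expires = date.fromisoformat(row["Expiration"])
        days_left = (expires - today).days
        if days_left < 0:
            issues.append(f"EXPIRED {-days_left} days ago")
        elif days_left <= window_days:
            issues.append(f"expires in {days_left} days")
        if row["Auto-Renew"].lower() != "yes":
            issues.append("auto-renew off")
        if row["Redirect Configured"].lower() != "yes":
            issues.append("no redirect")
        if row["SPF/DMARC Set"].lower() != "yes":
            issues.append("no SPF/DMARC")
        if issues:
            findings[row["Domain"]] = issues
    return findings


def registrars(rows):
    """Distinct registrars in use; more than one means consolidation is pending."""
    return sorted({row["Registrar"] for row in rows})


if __name__ == "__main__":
    rows = parse_inventory(INVENTORY)
    for domain, issues in audit_inventory(rows, date.today()).items():
        print(domain, ";", ", ".join(issues))
    print("registrars in use:", ", ".join(registrars(rows)))
```

Run it from a scheduled job alongside the calendar reminders: the 30-day window is the same safety margin the guide recommends, and an expired or unrenewed entry surfaces before the domain reaches its redemption grace period.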

Enable registrar lock (transfer lock)

Most registrars offer a “domain lock” or “transfer lock” feature that prevents the domain from being transferred away without explicit authorization. Enable this on all defensive domains to prevent unauthorized transfers, even if your registrar account is compromised.

Bottom line: A practical defensive registration portfolio of 15–20 domains costs $150–$250/year at wholesale registrar pricing. A single phishing incident that damages customer trust, triggers regulatory scrutiny, or results in a business email compromise can cost tens of thousands of dollars, or more. For most businesses, registering TLD variants and the top 5–10 typosquats is one of the cheapest and most effective brand protection investments you can make.

Next steps:
  • Run a PhishFence scan to see which variants of your domain are already registered by third parties.
  • Register the Tier 1 TLD variants today. This takes 10 minutes and under $50.
  • Configure redirects and email protection records on every defensive domain you own.
  • Set up ongoing monitoring with PhishFence to catch new threats as they appear.
  • Review the DMARC/SPF/DKIM guide for detailed email authentication setup.