Every domain name carries a set of status codes that most people never look at. These codes — known as EPP (Extensible Provisioning Protocol) status codes — are the single most important indicator of your domain's health, security posture, and lifecycle state.
If your website suddenly stops resolving, if a transfer gets rejected, or if a domain you're monitoring disappears — the answer is almost always in the WHOIS status codes.
This guide covers all 17 standardized EPP status codes as defined by ICANN, what each one means, and when you should take action.
What Are EPP Status Codes?
EPP status codes indicate the current state of a domain name registration. Every domain has at least one status code, but many have several simultaneously.
There are two categories:
- Server codes — set by the domain's registry (the organization operating the TLD, like Verisign for .com). These take precedence over client codes.
- Client codes — set by your registrar (the company you bought the domain from, like GoDaddy or Namecheap).
You can find your domain's status codes by running a WHOIS lookup. Look for lines starting with Domain Status: in the output.
Server Status Codes (Set by the Registry)
ok (Active)
The default, healthy state. Your domain has no pending operations or restrictions. It resolves normally in DNS.
Action recommended: Consider asking your registrar to add clientTransferProhibited and clientDeleteProhibited for extra protection against unauthorized transfers or deletions.
inactive
No name servers have been associated with your domain. It will not resolve in DNS.
This is normal right after registration if you haven't configured DNS yet. If it persists for several days, contact your registrar — there may be a processing delay, or for certain TLDs you may need to submit documentation first.
addPeriod
A grace period set immediately after initial domain registration. If the registrar deletes the domain during this window, the registry may credit the registration cost.
This is purely informational. No action needed.
autoRenewPeriod
Set when the registry automatically renews an expired domain. If the registrar deletes it during this period, the renewal cost is credited.
Action recommended: If you don't want to keep the domain (and pay the renewal fee), contact your registrar immediately to discuss your options.
renewPeriod
Set when your registrar explicitly renews the domain. Similar to autoRenewPeriod — it's a grace window where the registrar can delete and get a credit.
No action needed unless you didn't request the renewal and want to cancel it.
transferPeriod
Set after a successful registrar-to-registrar transfer. The new registrar can delete the domain during this window and receive a credit for the transfer cost.
Informational. If you didn't initiate the transfer, contact your original registrar immediately.
pendingCreate
A creation request has been received and is being processed. Common during sunrise periods or special launch phases where domains are allocated at the end of a registration window.
If you're not the listed registrant and see this, contact your registrar right away.
pendingRenew
A renewal request has been received and is being processed.
If you didn't request a renewal, contact your registrar to clarify and potentially cancel.
pendingTransfer
A transfer request to move your domain to a new registrar is being processed.
Action recommended: If you didn't initiate this transfer, contact your registrar immediately to deny it.
pendingUpdate
An update request for your domain is being processed.
If you didn't request any changes, contact your registrar to investigate.
pendingDelete
Your domain will be purged from the registry database within a few days and become available for re-registration.
This typically follows a 30-day redemptionPeriod. If you want to keep the domain, contact your registrar immediately — time is critical at this stage.
pendingRestore
Your registrar has requested the registry restore a domain from redemptionPeriod. The registry holds the domain while waiting for required documentation.
If the registrar fails to submit documentation within the window (usually 7 days), the domain reverts to redemptionPeriod. Monitor the status closely and follow up with your registrar if it reverts.
redemptionPeriod
Your registrar has requested deletion of your domain. The registry holds it for 30 days before purging. After that, there's a 5-day window before the domain becomes available for anyone to register.
Action recommended: If you want to keep the domain, contact your registrar immediately. Restoration typically requires paying a redemption fee on top of the renewal cost.
serverHold
Set by the registry. Your domain is not activated in DNS and will not resolve — even if name servers are configured.
This usually indicates a problem: legal dispute, compliance issue, or missing documentation. Contact your registrar to understand the reason and what's needed to lift it.
serverDeleteProhibited
Prevents your domain from being deleted. Uncommon — typically set during legal disputes, at the registrant's request, or during redemption periods.
If you need to delete the domain, your registrar must work with the registry to remove this status. Some registries offer this as a "Registry Lock" premium protection service.
serverRenewProhibited
The registry will not allow your registrar to renew the domain. Usually set during legal disputes or when a domain is scheduled for deletion.
Contact your registrar promptly. If there's no underlying issue, your registrar needs to coordinate with the registry to lift this restriction.
serverTransferProhibited
Prevents your domain from being transferred to another registrar. Uncommon — typically set during legal disputes or at the registrant's request.
Some registries offer this as a Registry Lock service for extra protection. If you need to transfer, your registrar must work with the registry to remove it.
serverUpdateProhibited
Locks your domain against any updates. Same pattern as serverTransferProhibited — set during disputes or for protection.
If you need to update WHOIS contact info or name servers, this status must be removed first through your registrar.
Client Status Codes (Set by Your Registrar)
clientDeleteProhibited
Your registrar will reject any deletion request for your domain. This is a good thing — it prevents unauthorized deletions from hijacking or fraud.
Most reputable registrars set this by default. If you want to delete the domain, you'll need to ask them to remove it first.
clientTransferProhibited
Your registrar will reject any transfer request to another registrar. This is the most common and most important protection status.
It prevents unauthorized transfers — one of the most common domain hijacking methods. If you want to transfer your domain, you'll need to disable this first (usually through your registrar's control panel).
clientUpdateProhibited
Your registrar will reject any update requests — name server changes, contact info updates, etc.
Protects against unauthorized modifications. Less commonly set by default than clientTransferProhibited, but useful for high-value domains.
clientHold
Your registrar has told the registry not to activate your domain in DNS. It will not resolve.
Usually set during legal disputes, non-payment, or when a domain is subject to deletion. Contact your registrar immediately to understand the cause and resolve it.
clientRenewProhibited
Your registrar will reject renewal requests. Uncommon — typically set during legal disputes or when a domain is pending deletion.
If you want to renew, contact your registrar to remove this status.
The "Prohibited" Codes Are Your Friend
If you run a WHOIS lookup on a well-managed domain, you'll typically see something like:
Domain Status: clientTransferProhibited
Domain Status: clientDeleteProhibited
Domain Status: clientUpdateProhibited
These three codes are domain locking — they prevent unauthorized changes. Most registrars enable at least clientTransferProhibited by default. If your domain doesn't have these, you should enable them through your registrar's control panel or support team.
Server Lock vs Client Lock
Both client and server codes serve similar purposes, but there's a critical difference:
| Aspect | Client Lock | Server Lock (Registry Lock) |
|---|---|---|
| Set by | Registrar | Registry |
| Reversal speed | Minutes (control panel) | Hours to days (requires registry action) |
| Security level | Standard | High |
| Cost | Free | Usually a paid add-on |
Server locks (serverTransferProhibited, serverDeleteProhibited, serverUpdateProhibited) are significantly harder to reverse because the change must go through the registry operator, not just the registrar. For high-value domains, corporate brands, and critical infrastructure, many registries offer Registry Lock as a premium service.
Common Scenarios and What the Codes Tell You
Your website suddenly doesn't resolve
Check for: serverHold, clientHold, or inactive. Any of these means the domain is not active in DNS.
A domain transfer was rejected
Check for: clientTransferProhibited or serverTransferProhibited. One of these is blocking the transfer. Disable the relevant lock to proceed.
You forgot to renew and the domain "disappeared"
Check for: redemptionPeriod or pendingDelete. Your domain is in the deletion grace period and can still be restored — but time is running out.
You want maximum protection
Enable: clientTransferProhibited, clientDeleteProhibited, and clientUpdateProhibited. For critical domains, upgrade to Registry Lock (server-level codes).
Why This Matters for Threat Intelligence
For security teams monitoring the domain landscape, EPP status codes are valuable signals:
- Newly registered domains often show
addPeriod— useful for filtering fresh registrations in threat detection pipelines - Domains entering
redemptionPeriodmay indicate abandoned infrastructure that attackers could snap up serverHoldon previously active domains can signal takedown actions, compliance enforcement, or legal disputes- Transfer status changes can indicate domain hijacking attempts or ownership changes relevant to brand protection
At Primitive.host, we track these status changes across 276+ million domains so you can act on them before they become incidents.
Quick Reference Card
| Code | Category | Means | Urgent? |
|---|---|---|---|
ok |
Server | Normal, no restrictions | No |
inactive |
Server | No DNS configured | If persistent |
addPeriod |
Server | New registration grace | No |
autoRenewPeriod |
Server | Auto-renewal grace | If you want to cancel |
renewPeriod |
Server | Manual renewal grace | If you want to cancel |
transferPeriod |
Server | Post-transfer grace | If transfer was unauthorized |
pendingCreate |
Server | Creation in progress | If unexpected |
pendingRenew |
Server | Renewal in progress | If unexpected |
pendingTransfer |
Server | Transfer in progress | Yes if unexpected |
pendingUpdate |
Server | Update in progress | Yes if unexpected |
pendingDelete |
Server | Deletion imminent | Yes if you want to keep it |
pendingRestore |
Server | Restoration in progress | Monitor closely |
redemptionPeriod |
Server | 30-day deletion hold | Yes if you want to keep it |
serverHold |
Server | DNS disabled by registry | Yes |
serverDeleteProhibited |
Server | Delete locked by registry | If you need to delete |
serverRenewProhibited |
Server | Renew blocked by registry | Yes |
serverTransferProhibited |
Server | Transfer locked by registry | If you need to transfer |
serverUpdateProhibited |
Server | Update locked by registry | If you need to update |
clientDeleteProhibited |
Client | Delete locked by registrar | No (good) |
clientTransferProhibited |
Client | Transfer locked by registrar | No (good) |
clientUpdateProhibited |
Client | Update locked by registrar | No (good) |
clientHold |
Client | DNS disabled by registrar | Yes |
clientRenewProhibited |
Client | Renew blocked by registrar | Yes |
Want to monitor domain status changes at scale? Explore our services or join our waitlist for early access to Primitive.host's domain intelligence platform.