Decoding Domain Status Codes
Every WHOIS record carries a line or two of cryptic strings — clientTransferProhibited,
serverHold, pendingDelete. They look like internal noise. They're actually the most
precise signal in the whole record: a machine-readable statement of exactly what can and can't be done to the
domain right now, and who has the authority to change it.
These are EPP status codes. A client prefix means your registrar set
it (and can remove it); a server prefix means the registry set it (and you usually
can't touch it). The *Prohibited codes are protective locks you generally want. The
hold, pending*, and redemptionPeriod codes mean something is wrong or
time-sensitive.
What EPP actually is
EPP — the Extensible Provisioning Protocol — is the language registrars use to talk to registries.
When you register, transfer, or lock a domain through your registrar, they're sending EPP commands to the
registry that runs the TLD (Verisign for .com, PIR for .org, and so on). The status
codes you see in WHOIS are the registry reporting the domain's current EPP state back out. They're standardised,
so clientTransferProhibited means the same thing on every gTLD.
The one distinction that explains everything: client vs server
Every status code starts with either client or server, and that prefix tells you who's
in control:
- client… — set by your registrar, on your behalf. You can usually toggle these yourself in the registrar's control panel. These are the locks you opt into for security.
- server… — set by the registry itself. These are imposed from above — for legal disputes, non-payment escalations, abuse, or lifecycle transitions — and a registrar generally cannot remove them.
So if you see clientHold, your registrar put the domain on ice (usually billing). If you see
serverHold, the registry did — which is a far more serious conversation.
The prefix is the whole story: client codes belong to your registrar, server codes belong to the registry above them.
The protective locks (you want these)
These three are the security baseline for any domain that matters. They don't stop you doing anything — you clear them in your control panel when you genuinely need to — they stop an attacker who's gained partial access from quietly moving, editing, or deleting your domain:
| Code | Blocks |
|---|---|
| clientTransferProhibited | Transferring the domain to another registrar. The single most important anti-hijacking lock. |
| clientUpdateProhibited | Editing the domain's details (nameservers, contacts) without first clearing the lock. |
| clientDeleteProhibited | Deleting the domain. |
Seeing all three on a domain is a sign of a well-run registration. Their server equivalents
(serverTransferProhibited, etc.) exist too — sometimes applied by the registry for
high-value names or as part of a registry lock service.
The warning codes (something's up)
| Code | What it means |
|---|---|
| clientHold | Your registrar pulled the domain from the DNS zone. It does not resolve — site and email are down. Almost always an unpaid invoice or a verification step you missed. |
| serverHold | The registry pulled it from the zone. More serious: legal dispute, abuse complaint, or an ICANN compliance action. Your registrar can't simply switch it back on. |
| pendingTransfer | A transfer to another registrar is in progress. If you didn't start one, act immediately — it can signal an in-progress hijack. |
| pendingDelete | The domain is in its final five-day countdown to release. Nothing can save it now. |
| redemptionPeriod | Registration lapsed; recoverable only via a (usually pricey) restore request for ~30 days. The last chance. |
| inactive | No nameservers are set, so the domain can't resolve. Common on brand-new or parked domains. |
The grace-period codes (usually harmless)
A handful of codes simply mark that the domain is inside one of the post-action grace windows. They appear and clear on their own:
- addPeriod — recently registered; the registrar can still get a refund if it's deleted now.
- renewPeriod / autoRenewPeriod — recently renewed (manually or automatically).
- transferPeriod — recently transferred in from another registrar.
And the boring one: ok
A status of ok (sometimes shown as active) means “no special state, no pending
operations.” Counter-intuitively, a bare ok with no locks is slightly worse than
seeing the three *Prohibited codes — it means the domain has no transfer or update protection
enabled at all.
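The taxonomy above can be turned into a small audit script. This is an added example, not FatDig's code: it reads the `Domain Status:` lines of a raw WHOIS record, classifies each code by prefix and category, and reports which of the three lock actions nothing protects. The function names and the sample record are constructed for illustration, and counting a server lock as covering the same action as a client lock is an assumption.

```python
import re

# Taxonomy taken from the tables on this page.
LOCK_ACTIONS = ("Transfer", "Update", "Delete")
WARNING = {"clientHold", "serverHold", "pendingTransfer",
           "pendingDelete", "redemptionPeriod", "inactive"}
GRACE = {"addPeriod", "renewPeriod", "autoRenewPeriod", "transferPeriod"}
# Typical gTLD WHOIS layout: "Domain Status: <code> <optional URL>".
STATUS_LINE = re.compile(r"^\s*Domain Status:\s*([A-Za-z]+)", re.MULTILINE)


def parse_statuses(whois_text):
    """Return the EPP status codes found in raw WHOIS text, in order."""
    return STATUS_LINE.findall(whois_text)


def classify(code):
    """Return (set_by, category); set_by is None for unprefixed codes."""
    set_by = {"client": "registrar", "server": "registry"}.get(code[:6])
    if code.endswith("Prohibited"):
        return set_by, "lock"
    if code in WARNING:
        return set_by, "warning"
    if code in GRACE:
        return set_by, "grace"
    return set_by, "ok" if code in ("ok", "active") else "unknown"


def audit(whois_text):
    """Summarise warning codes and the lock actions that nothing protects."""
    codes = parse_statuses(whois_text)
    warnings = [c for c in codes if classify(c)[1] == "warning"]
    # Assumption: a client lock or its server equivalent both count.
    unprotected = [a for a in LOCK_ACTIONS if not
                   {f"client{a}Prohibited", f"server{a}Prohibited"} & set(codes)]
    return {"codes": codes, "warnings": warnings, "unprotected": unprotected}


# Constructed sample record (placeholder domain, not real registry output).
SAMPLE = """\
Domain Name: EXAMPLE.TEST
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientHold https://icann.org/epp#clientHold
Domain Status: autoRenewPeriod https://icann.org/epp#autoRenewPeriod
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the sample record the audit flags `clientHold` as a warning and reports the update and delete actions as unprotected, which is the combination to alert on when monitoring your own domains.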
The classic incident. “Our website and email both went down at
once, but the server is fine.” Check WHOIS for clientHold. Nine times out of ten it's a
renewal that failed on an expired card — the registrar yanked the domain from DNS, which takes down
everything attached to it at the same instant. The fix is a payment, not a sysadmin.
What FatDig shows you
FatDig surfaces the raw status codes in the WHOIS section of the Advanced Dig, exactly as the registry reports
them, so you can read the prefix and the action at a glance. When a domain carries a lifecycle code like
redemptionPeriod or pendingDelete, read it alongside the Domain Lifecycle card to work
out how much time is left. And when you dig your own domain, the absence of the three
client*Prohibited locks is the thing to notice — it's a free security upgrade sitting one
checkbox away.
Try it on FatDig: dig google.com
and read its status codes — a stack of server*Prohibited registry locks, the kind a
domain that absolutely cannot be hijacked carries. Then check your own and see how many locks you've got on.