How to Read a WHOIS Record
By Nathan Cole, Security Researcher · Updated 2026-06-02Part of our guide to WHOIS Explained: How to Look Up Who Owns a Domain.
A WHOIS record is a structured set of fields that tells you who registered a domain, which registrar manages it, when it was created and expires, and what status locks are applied. Read it top to bottom and the data falls into a few clear groups: registrar details, the three dates, name servers, status codes, and the registrant block. For the wider picture of what the protocol is and where the data comes from, see WHOIS explained.
Most output you will see today follows ICANN's standardized format. The protocol itself is old and deliberately simple, defined in RFC 3912, which is really just a way to send a query and get text back. The structure layered on top is what makes a modern record readable, and WHOIS explained covers how that text gets parsed into the fields below.
The registrar block
Near the top you will find the sponsoring registrar (for example, GoDaddy or Namecheap), an IANA Registrar ID number, and an abuse contact email and phone. The IANA ID uniquely identifies the accredited registrar, so two companies with similar names are still distinguishable. The abuse contact matters if you need to report phishing or spam tied to the domain. Do not confuse the registrar with the registrant; one sells and manages the registration, the other owns it. That distinction gets its own walkthrough in registrar vs registrant.
The three dates
These are the fields people check most often.
| Field | Meaning |
|---|---|
| Creation Date | When the domain was first registered. |
| Updated Date | The last time any field in the record changed. |
| Registry Expiry Date | When the current term ends unless renewed. |
A common mistake is reading the updated date as a sign of recent ownership change. It can move for mundane reasons: a name server edit, a status update, or a routine renewal. If you specifically need the renewal deadline, the focused guide on find a domain's expiration date explains how the expiry field behaves and what grace periods follow it.
Name servers
The record lists two or more name servers, usually as ns1.example.com and ns2.example.com. These tell you who runs DNS for the domain, which often reveals the hosting provider or CDN even when the rest of the record is private. If the name servers point to Cloudflare or AWS, that is a useful clue about the technical setup behind the site.
Status codes (EPP)
Status codes are the part of the record people misread most. They are EPP (Extensible Provisioning Protocol) codes that describe locks and lifecycle states. ICANN publishes the full list and plain-language explanations in its EPP status codes reference. Here are the ones you will run into regularly:
| Status code | What it means |
|---|---|
| clientTransferProhibited | Registrar lock blocking transfer to another registrar. Common default. |
| clientUpdateProhibited | Record fields cannot be changed until the lock is lifted. |
| clientDeleteProhibited | The domain cannot be deleted while set. |
| clientHold | Registrar has pulled the domain from the zone, so it stops resolving. |
| serverHold | The registry (not the registrar) has removed it from the zone. |
| pendingDelete | The domain is in its final wind-down before it drops and becomes available. |
| redemptionPeriod | Expired and deleted, but the original owner can still recover it for a fee. |
Codes prefixed client are set by the registrar; server codes are set by the registry, which sits a level above. Several clientProhibited flags together are normal and generally good; they protect the domain from hijacking. A clientHold or pendingDelete, by contrast, signals the domain is offline or on its way out.
The registrant block
Last comes the registrant contact: name, organization, address, email, and phone, often split into registrant, admin, and technical roles. On many domains these fields now read "REDACTED FOR PRIVACY" or point to a privacy proxy service. That shift followed GDPR, and it is normal rather than suspicious. The data still exists at the registrar; public WHOIS just no longer exposes personal details. For business or organization domains you will sometimes still see a real company name and address.
Read the groups in order and a record stops looking cryptic: who manages it, when it lives and dies, where its DNS points, what locks protect it, and who owns it.
Want to see a real record broken into these fields? Run a free WHOIS lookup at domainintel.app and check any domain in seconds.
Frequently asked questions
What do the dates in a WHOIS record mean?
A WHOIS record carries three dates: the creation date (when the domain was first registered), the updated date (the last time any record field changed), and the expiry date (when the current registration term ends unless it is renewed).
What does clientTransferProhibited mean?
It is an EPP status code, a lock the registrar sets on the domain to block transfers to another registrar. It is a normal default and usually not a sign of trouble.
Why are the contact fields blank or redacted?
Since GDPR took effect, registrars commonly redact registrant name, email, and address for privacy. The data still exists; it is just hidden from public WHOIS output.