posted on Nov 12, 2023
Who should I buy a domain name from?
A domain name registrar is a company that sells domain names. Domain names themselves don't cost very much, but several essential auxiliary services can. It's these services that make or break the bank, as picking the right or wrong registrar can affect the amount you pay by 10x or more.
Google Domains was my goto for a solid 9 years — since its inception in 2014, Google Domains offered transparent low prices and many free auxiliary services, a welcome relief from the industry behemoths at the time. However, Google recently sold their registrar to Squarespace, whose domain name prices are 70% higher. This launched me into a deep dive into domain name registrars again: No way a massive markup was the only alternative.
Cloudflare and porkbun offer the lowest possible prices
There are a large number of registrars, with the two most popular — GoDaddy and Namecheap — dominating about 14% of the market each1. However, popularity doesn't mean these services have the best offering.
Let's cut to the chase: Say for simplicity that we're interested in buying a .com domain name. Here is the price you'd pay for several of the most popular registrars; these prices aren't the publicly-listed prices, but the final price you'd see at checkout after all taxes and fees. I've included first-year promotional pricing as well.
| Registrar | Year 1 | Year N | 5-Year Amortized |
|---|---|---|---|
| Bluehost | 12.99 | 21.993 | 20.19 |
| Domain.com | 11.99 | 21.99 | 19.994 |
| Squarespace | 12 | 20 | 18.40 |
| GoDaddy | 0.012 | 21.99 | 17.59 |
| NameSilo | 13.95 | 13.95 | 13.95 |
| Google Domains | 12 | 12 | 12 |
| Namecheap | 10.46 | 10.46 | 10.46 |
| Porkbun | 7.97 | 10.37 | 9.89 |
| Cloudflare | 9.77 | 9.77 | 9.77 |
There's a stark contrast between two sets of registrars:
-
Expensive: Notice Bluehost, Domain, Squarespace, and GoDaddy all have domain name costs around ~$20.
- To attract more customers, they market and feature much lower first-year prices around ~$12; despite that, these registrars ultimately charge an amortized cost that hovers pretty close to $20 annually at the 5-year mark.
- With that said, these options are generally designed to be more friendly for non-developers — specifically GoDaddy and Squarespace, which both offer custom website-building tools for their website hosting product.
-
Cost-effective: However, the latter half of registrars — Namecheap, Google Domains, Porkbun, Cloudflare — have domain name costs around $10-12.
- They feature simple and transparent pricing, because their prices are already so low to begin with. There's effectively no need for promotional pricing, for these registrars.
- These registrars are primarily designed for developers, as they don't offer integrated hosting and website builders. It's worth noting I've never used Porkbun though, so they may be just as non-developer friendly.
With that said, why do even the cheapest options hover around $10? Turns out that there's a "natural limit" to how low registrars go, set by another entity called the registry.
- The registrar you're paying needs to in turn pay a (1) registry fee, which is set by the top-level domain's registry operator and (2) ICANN fee.
- In this case, Verisign owns the
.comtop-level domain and began charging $9.59 as of late 20235; ICANN fees are $0.18, so if we add the two fees, we get the bare minimum a registrar can charge, ignoring credit card processing fees: $9.77.
Knowing this, and examining the table above, we have a pretty straightforward decision to make, when it comes to buying a domain name:
- More than 4 years? Use cloudflare. Notice $9.77 is exactly the price of Cloudflare's .com domain — the price they need to pay the registry and ICANN. In short, Cloudflare offers not only the lowest price but also the lowest possible price for long-term sustainability. If you're committed to a long-term domain name — e.g., your personal website — use Cloudflare.
- Fewer than 4 years? Use porkbun. Porkbun is presumably absorbing the cost to provide you with an even better first-year discount, at $7.97. They don't break even until the 4-year mark, so if you're not set on long-term aspirations — e.g., a random side project — use Porkbun.
If you're looking for a quick-and-dirty recommendation, this is it: Use Cloudflare for longer-term domain names and Porkbun for shorter-term domain names. There are auxiliary products to consider as well, but these two companies also offer important auxiliary products for free. With that said, I was still curious just how much I was saving by picking these registrars. Turns out, the cost runs into the hundreds of dollars.
Look for free WHOIS privacy and SSL certificates.
There are two products I primarily look for in a domain registrar, which I'll talk briefly about here:
-
WHOIS privacy protection. In theory, you can lookup the owner's information for any domain name. This includes full name, email address, phone number, and physical address. As a result, every domain registration comes with a wave of spam calls and emails — at least, this used to be the case.
- Today, many registrars such as Google Domains redact this information for free — in fact, Google Domains does so by default. In my hunt for a new registrar, this was a must.
- By contrast, one of the most popular registrars — Bluehost — charges $12 per year to redact this information. Sure, they have loads of webpages emphasizing the importance of WHOIS redaction, and they're right. There's just no need to pay them for it. So, in short, look for free WHOIS privacy protection to protect your personal information.
-
Secure Socket Layer (SSL) certificates. At its core, this certificate enables users to access your website over HTTPS instead of HTTP, which encrypts communication between a user's browser and your website's host; this protects user-submitted personal information and ensures traffic is tamper-proof.
- For this reason, most browsers check for and visually indicate when a website is loaded over HTTPS, even showing a full-page "Not Secure" warning when an SSL certificate is missing or untrustworthy. In this way, an SSL certificate makes your website look professional.
- Again, Google Domains provides SSL certificates for free and automatically, and again, this was a must in my hunt for a new registrar.
- By contrast, GoDaddy charges anywhere from $70-$125 a year, even with promotional pricing — prices range from $100-$250 per year otherwise. In short, look for and enable free SSL certificates to establish authenticity and provide security.
To summarize, WHOIS privacy protection and SSL certificates are a must for any domain purchase, and marketing material agrees with me here. However, it doesn't mean you need to pay for them, when there are plenty of quality, free options available from highly-reputable brands.
Below, I've listed only N-th year pricing for a .com TLD along with WHOIS privacy protection and SSL certificates. For SSL certificates, I've only listed the lowest-cost option, as upgrades are "multi-domain" bundles, which are moot if you can pick a free alternative.
| Registrar | .com | WHOIS privacy | SSL certificate | Total |
|---|---|---|---|---|
| GoDaddy | 21.99 | 0 | 99.99 | 121.98 |
| Domain.com | 21.99 | 8.99 | 33.00 | 63.98 |
| Bluehost | 21.99 | 11.88 | 0 | 33.87 |
| NameSilo | 13.95 | 0 | 9.59 | 23.54 |
| Squarespace | 20 | 0 | 0 | 20 |
| Namecheap | 10.46 | 0 | 6.99 | 17.45 |
| Google Domains | 12 | 0 | 0 | 12 |
| Porkbun | 10.37 | 0 | 0 | 10.37 |
| Cloudflare | 9.77 | 0 | 0 | 9.77 |
We can make a few observations based on the above table:
- From the most expensive to the most cost-effective option, we're looking at a difference of 12x, per year. This is a huge difference in cost, when you consider the entire lifetime of a domain. Over a 10-year period, you could be paying $100 to Cloudflare or $1200+ to GoDaddy for the same service.
- I intentionally didn't say cheapest option, because that implies a difference in quality. Cloudflare is if anything a stronger brand than GoDaddy, for its low-latency CDN and DDoS protection; and in my own opinion at least, Google Domain was a high-quality product with easy-to-use UI. As a result, I refer to options like Cloudflare and Google Domains as cost-effective, rather than cheap, alternatives.
- Interestingly, Squarespace is the only other company, beyond the two I recommended, that also offers SSL certificates and WHOIS privacy — although we previously placed them in the "expensive" category. That makes Squarespace the only non-developer-friendly option in this particular list that's also decently cost efficient.
Knowing the above, our recommendation surprisingly doesn't change much, just by a bit: For developers, use Porkbun or Cloudflare, as they also offer important auxiliary products for free. However, for non-developers willing to pay a 100% premium on the domain name, I recommend Squarespace, for also offering important auxiliary products for free.
Do I need DNSSEC or registrar locking? "Professional" emails?
There are a number of other products that registrars can offer. There are two that significantly enhance the general security of your website.
-
DNS Security (DNSSEC): Every domain name comes with a set of DNS records, which tells a browser how to translate human-readable domain names into server IP addresses. These records are critical to validate: An interceptor could spoof these DNS records and redirect your domain's traffic to fraudulent websites.
- To fix this, DNS Security Extension (DNSSEC) prevents this spoofing by digitally signing DNS records. This ensures that the DNS record was not tampered with "on path" or in transit from the registrar to the user's browser.
- Again, all 3 of Cloudflare, Porkbun, and Squarespace5 offer DNSSEC for free, so this is a no-brainer to enable if you haven't already.
-
Domain lock: There are two ways to "lock" your domain, prohibiting domain transfers and other operations. There are two versions of this lock:
- Registrar lock, such as with Porkbun. This is often a lock button in your management console. Click once to prevent domain transfers, and should you ever need to transfer the domain to another registrar yourself, click that button again to unlock.
- Registry lock, such as with Verisign, preventing any registrars from making changes to your domain. The exact process for registry locks seems to be ill-defined and highly-customizable — possibly easily social engineered. However, given the number of manual steps needed to contact the registry and authenticate yourself, this is seen as a step up in security from a registrar lock.
- Cloudflare, Porkbun and Squarespace all offer free registrar locks6. Cloudflare additionally offers registry-level locks at an unknown premium cost.
There are also a number of other products that the registrar may recommend:
-
Paid email inboxes vs. free email forwarding: Registrars generally offer the option to buy a "professional" or "business" email from them. To be specific, you're not actually buying an email address on your domain name; you're specifically paying for an email inbox. But, do you really want another inbox to maintain?
- If not, you could just use free email forwarding, which allows you the dual benefit of (1) using the same email inbox you've used before but (2) using a professional email address at your custom domain
[email protected]forwarding to[email protected]— all for free. - All 3 of Cloudflare, Porkbun, and Squarespace offer free email forwarding, which you can learn more about in Cloudflare's "Easily creating and routing email addresses" article.
- If not, you could just use free email forwarding, which allows you the dual benefit of (1) using the same email inbox you've used before but (2) using a professional email address at your custom domain
-
Distributed Denial of Service (DoS) Protection: Domain names can also be spammed with a large number of incoming requests; a large volume of requests may overwhelm the registrar and ultimately result in a "denial of service," as users are unable to make authentic registrar requests amid a sea of inauthentic ones.
- To mitigate this, different registrars may also offer paid products that protect against DDoS attacks. For example, GoDaddy charges ~$180 per year for DDoS protection, even with promotional pricing.
- Just as with every other feature listed here, all 3 of Cloudflare, Porkbun, and Squarespace offer DDoS protection for free.
In short, you don't need the above features per se, but they're all offered for free by the domain registrars I recommend — so might as well leverage them. Other registrars, chief among them GoDaddy, sells these products for a premium.
Takeaways
Fortunately, as of time of writing, there are now highly cost-effective registrars available, offering a slew of essential auxiliary products for free. This is a stark contrast to a decade ago, when GoDaddy and their premium pricing strategy was virtually the only option. Based on the pricing alone, here are the takeaways:
- If you're a developer, choose Cloudflare for domains that will last over 4 years. Choose Porkbun for domains that will last less than 4 years. Ultimately, both are great options.
- If you're not a developer, pick Squarespace.
All of these companies offer essential auxiliary products for free: WHOIS privacy protection, SSL certificates, DNSSEC, and registrar locks. They even offer additional free products that other registrars will charge a premium for, including DDoS protection and custom email forwarding.
posted on Nov 12, 2023
-
Market share data comes from nTLDStats's registrar statistics, which collects data from zonefiles about generic top-level domains (TLDs). This includes
.com,.net,.org, etc. However, there are also country-code top-level domains such as.cn,.tk,.dethat aren't included in the above statistics. ↩ -
There are several red flags here: (1) Although promotional material states that the price for the first year is $0.01, this requires a 3-year purchase where the latter two years are charged at the standard $21.99. A purchase for just 1 year costs $11.99. (2) GoDaddy renews at the term you originally picked. If you purchased 2 years at a time, it will renew for the next 2 years. If you purchase 3 years at a time, like the promotion wants you to, it will renew for another 3 years, at the 3-year mark. ↩
-
There doesn't appear to be a way to purchase multiple years, after following the checkout flow from the homepage. However, after digging around on a few pages, I found a separate Bluehost help article "How much a domain name cost?" lists the .com renewal price as $21.99. ↩
-
This promotional pricing actually applies for the first two years it appears — not just the first. A 1-year purchase costs $11.99, a 2-year purchase costs $23.98 and a 3-year purchase costs $45.97. ↩
-
Squarespace specifically offers free DNSSEC for .com and .net TLDs. Granted, Squarespace doesn't itself sell DNSSEC, and you can configure Squarespace to use DNSSEC from a third-party. ↩↩
-
I'm admittedly not sure how this protects your domain to begin with. If your account was the only way to initiate a legitimate domain transfer to begin with, what "unauthorized" transfer is this registrar-level lock preventing? With that said, there are ICANN-established locks that do appear to be effective. Namely, registering or transferring certain TLDs locks domain changes for 60 days. Additionally, making contact information updates may additionally lock the domain for a certain period of time. These locks allow you sufficient time to notice and potentially react to these changes, if they're illegitimate. ↩
Want more tips? Drop your email, and I'll keep you in the loop.