posted on Nov 12, 2023

Who should I buy a domain name from?

A domain name registrar is a company that sells domain names. Domain names themselves don't cost very much, but several essential auxiliary services can. It's these services that make or break the bank, as picking the right or wrong registrar can affect the amount you pay by 10x or more.

Google Domains was my goto for a solid 9 years — since its inception in 2014, Google Domains offered transparent low prices and many free auxiliary services, a welcome relief from the industry behemoths at the time. However, Google recently sold their registrar to Squarespace, whose domain name prices are 70% higher. This launched me into a deep dive into domain name registrars again: No way a massive markup was the only alternative.

Cloudflare and porkbun offer the lowest possible prices

There are a large number of registrars, with the two most popular — GoDaddy and Namecheap — dominating about 14% of the market each1. However, popularity doesn't mean these services have the best offering.

Let's cut to the chase: Say for simplicity that we're interested in buying a .com domain name. Here is the price you'd pay for several of the most popular registrars; these prices aren't the publicly-listed prices, but the final price you'd see at checkout after all taxes and fees. I've included first-year promotional pricing as well.

Registrar Year 1 Year N 5-Year Amortized
Bluehost 12.99 21.993 20.19 11.99 21.99 19.994
Squarespace 12 20 18.40
GoDaddy 0.012 21.99 17.59
NameSilo 13.95 13.95 13.95
Google Domains 12 12 12
Namecheap 10.46 10.46 10.46
Porkbun 7.97 10.37 9.89
Cloudflare 9.77 9.77 9.77

There's a stark contrast between two sets of registrars:

With that said, why do even the cheapest options hover around $10? Turns out that there's a "natural limit" to how low registrars go, set by another entity called the registry.

Knowing this, and examining the table above, we have a pretty straightforward decision to make, when it comes to buying a domain name:

If you're looking for a quick-and-dirty recommendation, this is it: Use Cloudflare for longer-term domain names and Porkbun for shorter-term domain names. There are auxiliary products to consider as well, but these two companies also offer important auxiliary products for free. With that said, I was still curious just how much I was saving by picking these registrars. Turns out, the cost runs into the hundreds of dollars.

Look for free WHOIS privacy and SSL certificates.

There are two products I primarily look for in a domain registrar, which I'll talk briefly about here:

To summarize, WHOIS privacy protection and SSL certificates are a must for any domain purchase, and marketing material agrees with me here. However, it doesn't mean you need to pay for them, when there are plenty of quality, free options available from highly-reputable brands.

Below, I've listed only N-th year pricing for a .com TLD along with WHOIS privacy protection and SSL certificates. For SSL certificates, I've only listed the lowest-cost option, as upgrades are "multi-domain" bundles, which are moot if you can pick a free alternative.

Registrar .com WHOIS privacy SSL certificate Total
GoDaddy 21.99 0 99.99 121.98 21.99 8.99 33.00 63.98
Bluehost 21.99 11.88 0 33.87
NameSilo 13.95 0 9.59 23.54
Squarespace 20 0 0 20
Namecheap 10.46 0 6.99 17.45
Google Domains 12 0 0 12
Porkbun 10.37 0 0 10.37
Cloudflare 9.77 0 0 9.77

We can make a few observations based on the above table:

Knowing the above, our recommendation surprisingly doesn't change much, just by a bit: For developers, use Porkbun or Cloudflare, as they also offer important auxiliary products for free. However, for non-developers willing to pay a 100% premium on the domain name, I recommend Squarespace, for also offering important auxiliary products for free.

Do I need DNSSEC or registrar locking? "Professional" emails?

There are a number of other products that registrars can offer. There are two that significantly enhance the general security of your website.

  1. DNS Security (DNSSEC): Every domain name comes with a set of DNS records, which tells a browser how to translate human-readable domain names into server IP addresses. These records are critical to validate: An interceptor could spoof these DNS records and redirect your domain's traffic to fraudulent websites.

    1. To fix this, DNS Security Extension (DNSSEC) prevents this spoofing by digitally signing DNS records. This ensures that the DNS record was not tampered with "on path" or in transit from the registrar to the user's browser.
    2. Again, all 3 of Cloudflare, Porkbun, and Squarespace5 offer DNSSEC for free, so this is a no-brainer to enable if you haven't already.
  2. Domain lock: There are two ways to "lock" your domain, prohibiting domain transfers and other operations. There are two versions of this lock:

    1. Registrar lock, such as with Porkbun. This is often a lock button in your management console. Click once to prevent domain transfers, and should you ever need to transfer the domain to another registrar yourself, click that button again to unlock.
    2. Registry lock, such as with Verisign, preventing any registrars from making changes to your domain. The exact process for registry locks seems to be ill-defined and highly-customizable — possibly easily social engineered. However, given the number of manual steps needed to contact the registry and authenticate yourself, this is seen as a step up in security from a registrar lock.
    3. Cloudflare, Porkbun and Squarespace all offer free registrar locks6. Cloudflare additionally offers registry-level locks at an unknown premium cost.

There are also a number of other products that the registrar may recommend:

  1. Paid email inboxes vs. free email forwarding: Registrars generally offer the option to buy a "professional" or "business" email from them. To be specific, you're not actually buying an email address on your domain name; you're specifically paying for an email inbox. But, do you really want another inbox to maintain?

    1. If not, you could just use free email forwarding, which allows you the dual benefit of (1) using the same email inbox you've used before but (2) using a professional email address at your custom domain [email protected] forwarding to [email protected]— all for free.
    2. All 3 of Cloudflare, Porkbun, and Squarespace offer free email forwarding, which you can learn more about in Cloudflare's "Easily creating and routing email addresses" article.
  2. Distributed Denial of Service (DoS) Protection: Domain names can also be spammed with a large number of incoming requests; a large volume of requests may overwhelm the registrar and ultimately result in a "denial of service," as users are unable to make authentic registrar requests amid a sea of inauthentic ones.

    1. To mitigate this, different registrars may also offer paid products that protect against DDoS attacks. For example, GoDaddy charges ~$180 per year for DDoS protection, even with promotional pricing.
    2. Just as with every other feature listed here, all 3 of Cloudflare, Porkbun, and Squarespace offer DDoS protection for free.

In short, you don't need the above features per se, but they're all offered for free by the domain registrars I recommend — so might as well leverage them. Other registrars, chief among them GoDaddy, sells these products for a premium.


Fortunately, as of time of writing, there are now highly cost-effective registrars available, offering a slew of essential auxiliary products for free. This is a stark contrast to a decade ago, when GoDaddy and their premium pricing strategy was virtually the only option. Based on the pricing alone, here are the takeaways:

All of these companies offer essential auxiliary products for free: WHOIS privacy protection, SSL certificates, DNSSEC, and registrar locks. They even offer additional free products that other registrars will charge a premium for, including DDoS protection and custom email forwarding.

posted on Nov 12, 2023

  1. Market share data comes from nTLDStats's registrar statistics, which collects data from zonefiles about generic top-level domains (TLDs). This includes .com, .net, .org, etc. However, there are also country-code top-level domains such as .cn, .tk, .de that aren't included in the above statistics. 

  2. There are several red flags here: (1) Although promotional material states that the price for the first year is $0.01, this requires a 3-year purchase where the latter two years are charged at the standard $21.99. A purchase for just 1 year costs $11.99. (2) GoDaddy renews at the term you originally picked. If you purchased 2 years at a time, it will renew for the next 2 years. If you purchase 3 years at a time, like the promotion wants you to, it will renew for another 3 years, at the 3-year mark. 

  3. There doesn't appear to be a way to purchase multiple years, after following the checkout flow from the homepage. However, after digging around on a few pages, I found a separate Bluehost help article "How much a domain name cost?" lists the .com renewal price as $21.99. 

  4. This promotional pricing actually applies for the first two years it appears — not just the first. A 1-year purchase costs $11.99, a 2-year purchase costs $23.98 and a 3-year purchase costs $45.97. 

  5. Squarespace specifically offers free DNSSEC for .com and .net TLDs. Granted, Squarespace doesn't itself sell DNSSEC, and you can configure Squarespace to use DNSSEC from a third-party. 

  6. I'm admittedly not sure how this protects your domain to begin with. If your account was the only way to initiate a legitimate domain transfer to begin with, what "unauthorized" transfer is this registrar-level lock preventing? With that said, there are ICANN-established locks that do appear to be effective. Namely, registering or transferring certain TLDs locks domain changes for 60 days. Additionally, making contact information updates may additionally lock the domain for a certain period of time. These locks allow you sufficient time to notice and potentially react to these changes, if they're illegitimate.