How to Transfer a Domain Without Website or Email Downtime
Move a domain to a new registrar while preserving website DNS, business email, SSL, DNSSEC, and critical subdomains.
A registrar transfer should not require your website or business email to go offline. The usual outage is caused by changing registration, authoritative DNS, hosting, and email configuration at the same time. Separate those jobs, preserve the active DNS zone, and verify every service before retiring the old account.
No provider can guarantee how every resolver or mail server will behave, but a disciplined migration can make the change uneventful for users. Protect the account first using the domain security checklist, then schedule the transfer when the technical owner and registrar contacts are available.
The Core Rule: Move One Layer at a Time
- Layer
- Registrar
- What it controls
- Ownership record, renewal, transfer lock, nameserver delegation
- Recommended sequence
- Transfer while keeping working nameservers unchanged
- Layer
- Authoritative DNS
- What it controls
- A, AAAA, CNAME, MX, TXT, CAA, SRV, and other records
- Recommended sequence
- Move separately only after the new zone is complete
- Layer
- Web hosting or CDN
- What it controls
- Website and application traffic
- Recommended sequence
- Move in a separate tested release
- Layer
- Email provider
- What it controls
- Mailboxes, routing, authentication, and aliases
- Recommended sequence
- Do not migrate during the registrar transfer
| Layer | What it controls | Recommended sequence |
|---|---|---|
| Registrar | Ownership record, renewal, transfer lock, nameserver delegation | Transfer while keeping working nameservers unchanged |
| Authoritative DNS | A, AAAA, CNAME, MX, TXT, CAA, SRV, and other records | Move separately only after the new zone is complete |
| Web hosting or CDN | Website and application traffic | Move in a separate tested release |
| Email provider | Mailboxes, routing, authentication, and aliases | Do not migrate during the registrar transfer |
If your current nameservers can remain in place, keep them. A registrar transfer changes which company manages the registration; it does not require you to change the website host or email provider. Some registrars impose nameserver requirements, so check the destination before starting. Cloudflare Registrar, for example, requires Cloudflare authoritative DNS.
A Practical Transfer Timeline
- When
- 7 days before
- Action
- Audit eligibility, ownership, expiry, DNS, and account access
- Success condition
- No unresolved lock or missing record
- When
- 48 hours before
- Action
- Lower TTL only if authoritative DNS will also move
- Success condition
- Old TTL has had time to expire
- When
- 24 hours before
- Action
- Copy and verify the new DNS zone if needed
- Success condition
- Old and new providers answer identically
- When
- Transfer day
- Action
- Unlock, obtain AuthInfo, initiate transfer, preserve nameservers
- Success condition
- Website and email tests remain green
- When
- During transfer
- Action
- Monitor DNS, HTTP, TLS, and mail
- Success condition
- No unexpected delegation or record change
- When
- After completion
- Action
- Re-lock, verify renewal and contacts, retain old DNS temporarily
- Success condition
- New registrar access and all services confirmed
| When | Action | Success condition |
|---|---|---|
| 7 days before | Audit eligibility, ownership, expiry, DNS, and account access | No unresolved lock or missing record |
| 48 hours before | Lower TTL only if authoritative DNS will also move | Old TTL has had time to expire |
| 24 hours before | Copy and verify the new DNS zone if needed | Old and new providers answer identically |
| Transfer day | Unlock, obtain AuthInfo, initiate transfer, preserve nameservers | Website and email tests remain green |
| During transfer | Monitor DNS, HTTP, TLS, and mail | No unexpected delegation or record change |
| After completion | Re-lock, verify renewal and contacts, retain old DNS temporarily | New registrar access and all services confirmed |
Step 1: Confirm the Domain Can Be Transferred
Check the current registrar, expiration date, domain status, registrant email, and transfer lock. The person initiating the transfer must control the relevant account and be able to receive approval messages. Do not start while the domain is close to expiry, involved in a dispute, or dependent on an inaccessible former employee's account.
The current ICANN Transfer Policy explains when a registrar may deny a transfer, including specified 60-day restrictions. A recent change of registrant can also trigger a lock, although registrar opt-out handling varies. If ownership also needs to change, establish the correct order with both registrars before editing contact details.
Obtain the AuthInfo code through the current registrar's secure control panel or supported process. ICANN states that registrars must either let the holder create the code or provide it within five calendar days of a request. Treat it like a credential and send it only to the destination registrar.
Step 2: Export the Complete DNS Zone
Take a zone-file export if the provider supports one, then create a human-readable inventory. Automated DNS scans can miss records, especially DKIM selectors, service-verification records, delegated subdomains, and records that are not publicly queried during the scan. Compare the export with configuration from the website host, email provider, CDN, analytics tools, payment services, and customer-support platform.
- Record
- A / AAAA
- Common purpose
- Apex website, API, or direct server address
- Failure symptom
- Website or API becomes unreachable
- Record
- CNAME
- Common purpose
- www, app, status page, CDN, or provider alias
- Failure symptom
- Specific subdomain fails
- Record
- MX
- Common purpose
- Incoming business email routing
- Failure symptom
- New messages bounce or arrive elsewhere
- Record
- TXT
- Common purpose
- SPF, DKIM, DMARC, ownership, and service verification
- Failure symptom
- Mail authentication or integrations fail
- Record
- CAA
- Common purpose
- Which certificate authorities may issue TLS certificates
- Failure symptom
- Certificate issuance or renewal fails
- Record
- SRV
- Common purpose
- Voice, chat, identity, or other service discovery
- Failure symptom
- Applications cannot locate the service
- Record
- NS delegation
- Common purpose
- Authoritative DNS or delegated subdomain
- Failure symptom
- Whole zone or delegated service fails
| Record | Common purpose | Failure symptom |
|---|---|---|
| A / AAAA | Apex website, API, or direct server address | Website or API becomes unreachable |
| CNAME | www, app, status page, CDN, or provider alias | Specific subdomain fails |
| MX | Incoming business email routing | New messages bounce or arrive elsewhere |
| TXT | SPF, DKIM, DMARC, ownership, and service verification | Mail authentication or integrations fail |
| CAA | Which certificate authorities may issue TLS certificates | Certificate issuance or renewal fails |
| SRV | Voice, chat, identity, or other service discovery | Applications cannot locate the service |
| NS delegation | Authoritative DNS or delegated subdomain | Whole zone or delegated service fails |
Record the current TTL, priority, proxy status, and exact target. A missing trailing character, changed MX priority, duplicated SPF record, or altered proxy toggle can cause an outage even when the visible hostname looks right.
Step 3: Decide Whether DNS Is Moving
If the destination registrar allows the existing nameservers, do not move DNS during the registration transfer. Preserve the delegation exactly and skip the TTL migration work. This is the lowest-risk route.
If the destination requires different authoritative DNS, build the new zone first. AWS Route 53's migration guide recommends exporting the current configuration, creating and testing the new records, lowering TTLs, waiting for old TTLs to expire, then changing nameservers and monitoring traffic. It treats the registrar transfer as a later step.
Lower TTLs far enough in advance for the previous values to expire. A lower TTL set five minutes before a change does not remove records already cached for hours or days. Restore sensible production TTLs only after the migration has remained stable.
Step 4: Handle DNSSEC Deliberately
DNSSEC can turn a small configuration mismatch into a complete resolution failure. A DS record at the parent zone tells validating resolvers which DNSSEC keys to trust. If nameservers or signing keys change while an old DS record remains cached, resolvers can return SERVFAIL instead of the website or mail records.
If authoritative DNS is not changing, preserve the current DNSSEC configuration and verify that the destination registrar supports the required DS management. If DNS is changing, follow the new DNS provider's migration procedure exactly. Cloudflare's DNSSEC documentation describes both multi-signer migration and a sequence that removes the old DS record, waits for its TTL to expire, changes nameservers, and then enables the new signing configuration.
Do not disable DNSSEC, change nameservers, and recreate DS data in one hurried session. Waiting for parent-zone TTLs is part of the migration, not optional paperwork.
Step 5: Protect Business Email
A registrar transfer does not require changing email providers. Keep every MX, SPF, DKIM, DMARC, autodiscover, verification, and mail-routing record unchanged. Preserve aliases, catch-all rules, outbound sending services, customer-support platforms, newsletter tools, and transactional email providers that authenticate through the domain.
Google Workspace explains that MX records tell senders where to deliver mail. Microsoft 365 similarly documents MX, Autodiscover, and SPF as primary external DNS records and recommends DKIM and DMARC for stronger authentication. Those records must survive the migration exactly as required by the active provider.
- Send from the company domain to an external mailbox.
- Reply from the external mailbox to the company domain.
- Test at least one alias, shared inbox, and automated sender.
- Check that SPF passes and the expected DKIM signature appears.
- Confirm DMARC reports still go to the intended address.
- Watch the provider's delivery and bounce logs during the transfer.
Step 6: Transfer the Registration Without Changing Delegation
- Confirm the destination account uses a unique password and two-factor authentication.
- Verify the destination supports the domain extension and current nameserver arrangement.
- Unlock the domain only when ready to submit the transfer.
- Enter the AuthInfo code directly at the destination registrar.
- Approve legitimate transfer messages through the registrar's documented process.
- Do not cancel the current registrar account or DNS service.
- Do not change hosting, email, nameservers, or registrant details unless the transfer plan requires it.
The transfer can take time even when all approvals are correct. During that period, the active nameservers should continue answering. Monitor rather than repeatedly changing settings in response to a pending status.
Step 7: Run End-to-End Verification
Test the experience from outside your own network so a local DNS cache does not hide a problem. Check the apex domain, www, login, API, checkout, file downloads, redirects, and every revenue-critical subdomain. Verify the TLS certificate and confirm that certificate renewal still has the required DNS or HTTP validation path.
- Query authoritative nameservers and at least two independent public resolvers.
- Load the website over HTTPS on desktop and mobile networks.
- Test sign-in, password reset, checkout, webhooks, and API endpoints.
- Send and receive email in both directions.
- Verify monitoring, analytics, support, and transactional-email domains.
- Check ICANN Lookup for the expected registrar and status after completion.
- Confirm the expiry date, auto-renew setting, billing method, and registrar lock.
Rollback and Recovery Plan
Keep the old DNS account active for at least several days after the new registrar confirms completion, and longer if authoritative DNS also moved. If records are wrong at the new DNS provider, correcting the new zone is often faster than repeatedly switching nameservers while caches contain both delegations.
Document the previous nameservers, zone export, DS records, TTLs, account contacts, transfer ID, and support channels. If the change is part of a company rename, coordinate it with the startup rebrand playbook rather than mixing a brand launch into an unplanned registrar move. If the company pivoted but the old domain remains valuable, follow the post-pivot domain guide.
The Final Zero-Downtime Checklist
- Transfer eligibility and account ownership confirmed
- Current DNS zone exported and manually inventoried
- Nameservers preserved unless a separate DNS migration is required
- Website, email, authentication, and service records verified
- DNSSEC migration planned around DS and TTL behaviour
- AuthInfo handled as a credential
- Monitoring active throughout the transfer
- Destination account secured and domain re-locked
- Old DNS and evidence retained until stability is proven
Before transferring a newly acquired domain, complete the domain validation checklist and the wider brand protection checklist. Operational continuity starts before the transfer request is submitted.
Still choosing the domain? Generate and score the shortlist before creating a migration project around the wrong name.
Generate Scored DomainsFrequently Asked Questions
Will transferring my domain automatically move my website?
No. A registrar transfer changes the company managing the domain registration. Website hosting, files, databases, and email accounts remain with their existing providers unless you migrate them separately.
Should I change nameservers before transferring?
Only when the destination registrar requires a specific DNS provider or you have deliberately planned a separate DNS migration. If the current nameservers can remain, preserving them is usually the lowest-risk approach.
Why can DNSSEC cause an outage during migration?
Validating resolvers compare DNS signatures with DS information published at the parent zone. If nameservers or signing keys change while an old DS record is still active or cached, validation can fail and resolvers may return SERVFAIL.
How do I know email survived the transfer?
Preserve the MX and authentication records, then test inbound and outbound mail using an external mailbox. Also test aliases and automated senders and confirm SPF, DKIM, and DMARC behaviour through provider logs or message headers.
Sources and further reading
Related Articles
How to Protect Your Domain Name and Brand Online
Domain security is brand security. Learn essential steps to protect your domain from hijacking, expiration, and impersonation.
How to Secure Your Brand Across Domain, Social, and Trademark Before You Launch
The domain is only part of owning a brand. Here's the full checklist for locking in your name across social handles, trademarks, and secondary domains — before a competitor or squatter beats you to it.
Bring your shortlist into one view.
Compare domain states and the trade-offs behind each candidate.
Check a shortlist