Chapter 03 · What to buy
Procurement category

Registrar selection — what matters, what doesn’t.

Registrar choice is the most over-debated and least carefully evaluated procurement decision in the sending stack. You pick whichever registrar’s homepage you saw most recently, run 30 checkouts through a UI built for one-domain hobbyists, and discover in year two that renewal costs 4x the first-year promo.

TL;DR

  • Namecheap and Porkbun are the common picks for a 30-domain sending estate. Cloudflare is great for bulk but exposes the cluster instantly because every domain ends up on the same nameservers and same account.
  • Spread purchases across two registrars and a couple of sessions. 30 sequential checkouts at one registrar trips fraud heuristics around the 12th checkout and tells receivers the whole estate is one cohort.
  • WHOIS privacy on by default. Without it, your registrant contact gets WHOIS-scraped within 48 hours.
  • Budget at the renewal price, not the promo. $7.99 .com year one becomes $22 at renewal — a 90% markup over a 10-year estate lifetime.
  • Transfer-out friction is real. ICANN imposes a mandatory 60-day post-registration transfer lock, and retail registrars layer on EPP-code delays and retention offers on top.

The premise — registrar choice is downstream of TLD and upstream of DNS

A registrar is the entity authorized by a TLD’s registry to write records into the registry’s zone on behalf of registrants. Practically, the registrar is the billing relationship, the WHOIS contact administrator, the DNS host of last resort, and the support channel at 2am. The choice is constrained from above by TLD availability and constrains the choice below it, because the registrar’s bundled DNS quality, API surface, and DNSSEC support determine whether DNS stays at the registrar or migrates to a dedicated provider.

The correct sequence is TLD plan, then registrar shortlist filtered by TLD support, then DNS plan informed by the registrar’s bundled-DNS quality. Chapter 02 produced the TLD plan; this chapter produces the registrar; Chapter 05 produces the DNS plan. Operators who reverse the sequence spend the second week migrating zones and rewriting the runbook.

The factors that materially differ

The dimensions on which registrars meaningfully diverge across the operational life of a 30-to-40-domain estate are not equally weighted. Privacy posture, DNSSEC, bulk tooling, and renewal pricing are first-tier; the remainder are tiebreakers.

  • Privacy posture — WHOIS handling. Whether WHOIS-redaction is on by default, a paid upgrade, or unavailable.
  • DNSSEC support. Whether the registrar signs the zone, exposes DS-record management for external nameservers, or supports neither.
  • Bulk-registration tooling. Whether 30 domains can be registered in a single transaction via CSV upload or API call, or only through 30 sequential checkouts.
  • API access. Whether the registrar exposes a documented API for registration, renewal, DNS, and account administration, with usable rate limits.
  • Renewal pricing curve. The delta between the first-year promotional rate and the steady-state renewal rate, multiplied across 30 domains and ten-plus years.
  • Transfer-out friction. The registrar-specific overlays on top of the mandatory ICANN 60-day post-registration transfer lock — bulk-transfer tooling, auth-code issuance speed, retention friction.
  • Customer support at scale. Whether the tier the account sits on understands that the account holds 30 domains, not one.

The factors that do not materially matter

  • Marketing copy. “Trusted by millions” is true of every registrar. It carries no signal.
  • Retail UX polish. The dashboard is touched twice a year per domain after initial setup. The aesthetic has no operational consequence.
  • Registration latency. The advertised “register in 60 seconds” is fulfilled by every registrar; registry-side propagation is identical regardless of reseller.
  • Free-bundled extras. A free SSL certificate, a free email forwarder, a free website builder. None are used by a sending-estate operator.

Registrar categories — wholesale, retail, enterprise

The market sorts into three categories. The category determines pricing, tooling, and support before any individual registrar’s feature set enters comparison.

Wholesale (Namecheap, Porkbun, Cloudflare) — low cost, minimal UI, API-first

Wholesale registrars price at registry wholesale plus a thin markup — typically $9 to $12 for a .com against a wholesale of about $9.59. The UI assumes you know what a nameserver record is. Bulk tooling is mature, API access is the default, and renewal pricing tracks wholesale so year-one and year-two land within a couple dollars. This is the correct tier for a sending estate. Namecheap and Porkbun are the operator defaults; Cloudflare is excellent for bulk and ridiculously cheap on renewal, but every domain ends up on the same nameservers and the same account — receivers spot the cluster instantly, so split your estate if you use it.

Retail — high markup, strong UI, upsell-driven

Retail registrars are optimized for the buyer of one domain who will not return for a year. First-year pricing is heavily discounted — frequently below wholesale — and the renewal rate is three to five times the promotional rate. Privacy, DNS hosting, email forwarding, and SSL are charged as add-ons rather than bundled. Bulk tooling is either absent or hidden behind an enterprise upsell. The UI is excellent; the steady-state economics are not.

Enterprise — per-domain account managers, custom contracts

Enterprise registrars are optimized for organizations with 1,000-plus domain portfolios, defensive-registration programs, and trademark-enforcement requirements. The contract is custom, the pricing negotiated, the support named. A 30-to-40-domain sending estate does not justify the tier — the pricing floor exceeds wholesale by a multiple, and the features are oriented at corporate portfolios, not sending estates. The correct buyer is the legal-and-IP function of a public company.

Privacy posture — the WHOIS differential

ICANN policy requires registrant contact be associated with the domain; the question is whether it appears publicly or is redacted behind a registrar proxy. Three regimes exist.

WHOIS-by-default.The registrar redacts contact details on every domain at no cost. The correct posture for a sending estate; the registrant’s name, email, and phone are not load-bearing to mail delivery and are load-bearing to the volume of unsolicited contact the registrant receives the day after registration.

WHOIS-as-upgrade. The registrar charges separately for privacy — $5 to $15 per domain per year — and defaults to exposing real contact if the upgrade is not purchased at checkout. The bulk-checkout flow must affirmatively select privacy on every domain, and the operator who misses the toggle on three of thirty exposes three real contact records.

No-privacy. A small number of TLD registries — primarily ccTLDs — do not permit redaction at all. Mitigation is a forwarding service or a registrant entity rather than personal contact. The operator-decision is a Chapter 04 concern.

DNSSEC support — registrar-signed vs DS-record-only vs absent

DNSSEC signs DNS responses so resolvers can validate they originated at the authoritative nameserver and were not modified in transit. For cold-sending estates it is not on the critical path to deliverability at major receivers, but it is on the credibility-signal path at their security-engineering teams. Three registrar postures exist.

Registrar-signed. The registrar operates the signing infrastructure, generates and rotates keys, and publishes the DS record at the registry without operator intervention. One toggle, signed zone. The correct posture for an operator using bundled DNS.

DS-record-only. The registrar does not sign, but exposes DS-record management for an external provider. The dedicated DNS provider signs the zone and generates the digest; the registrar publishes it to the registry. The correct posture for an operator using dedicated DNS. Most wholesale and enterprise registrars support this; some retail registrars do not.

DNSSEC absent. Neither registrar signing nor DS-record management is available. The zone cannot be signed without migrating to a different registrar. Disqualifying for an operator who intends to deploy DNSSEC; a non-issue otherwise.

Bulk-registration tooling — the 15-minute vs 4-hour difference

The difference between a registrar with mature bulk tooling and one without is, in practice, the difference between registering 30 domains in 15 minutes via CSV upload or scripted API call, and registering 30 domains in three to four hours via 30 sequential retail checkouts. The latter path also reliably triggers the registrar’s own anti-bulk-purchase fraud heuristics — 30 rapid checkouts on a new account, same payment method, slightly varied domains — and produces an account-frozen email at checkout twenty-three.

Bulk tooling takes one of three forms: a CSV-upload UI that batches availability checks and a single checkout; a documented registration API the operator scripts against; or a sales-assisted batch channel where the operator emails a portfolio list and receives an invoice. The procurement workflow of Chapter 04 assumes one of these exists.

The renewal-pricing trap

The first-year price advertised at checkout is, at the retail tier, frequently below the registry wholesale rate. The registrar absorbs the loss to acquire the customer and recovers it across renewal years. The renewal rate is the steady-state cost the estate will pay every year for its operational lifetime.

A typical retail-tier .com: $7.99 in year one, $21.99 to $24.99 at renewal. The 30-domain estate costs roughly $240 in year one and $660 to $750 per year thereafter. Across ten years, the lifetime cost is approximately $6,200 against a wholesale lifetime of $3,300 — a retail markup near 90% across the operational lifetime, recouped entirely after year one. The operator who selected on first-year price has prepaid a decade of UI polish.

The pre-procurement check is to ignore the “starting at” price entirely and read the renewal price for each target TLD. The wholesale tier publishes it openly; the retail tier discloses it in the cart or in fine print. A registrar that does not surface renewal pricing in fewer than two clicks is, in our observation, hiding something the operator will not enjoy discovering.

Transfer-out friction — the 60-day lock and what comes after

ICANN policy imposes a mandatory 60-day transfer lock on newly registered domains. It is a protocol-level constraint, not registrar-specific. It also applies after a successful transfer — the receiving registrar inherits a fresh 60-day lock. The operator who registers in February and decides in March to consolidate at a different registrar discovers the lock at the moment it is most inconvenient.

On top of the mandatory lock, registrars apply their own overlays. Transfer-out requires an authorization code (the EPP code), and registrars vary in how quickly it is issued — instantly via the dashboard at wholesale, by support ticket with a 24-to-72-hour SLA at retail. Some retail registrars introduce multi-step confirmation flows, retention offers, and in extreme cases require a phone call to release the code. Bulk-transfer tooling is available at the wholesale and enterprise tiers and rare at retail.

The registrar-DNS-as-reputation-signal question

A persistent question in operator forums is whether the registrar’s bundled DNS — particularly at a small or low-cost registrar — affects deliverability at major receivers. The empirical answer is no: the spam classifier does not key on registrar identity. It keys on authentication alignment, sending-IP reputation, recipient engagement, and historical domain behavior.

DNS provider identity is, in a limited sense, a feature. Extended DNS-level instability (timeouts, NXDOMAIN responses, slow propagation of authentication records) at a low-reputation registrar’s bundled DNS can degrade the receiver’s ability to validate SPF and DKIM, presenting as authentication-failure-induced deliverability loss. The cause is DNS operational quality, not the registrar brand. The mitigation is to migrate DNS to a dedicated provider — Chapter 05 — and leave the registrar relationship intact for registration and renewal only.

Customer support at scale — the 2am question

The relevant evaluation question is not whether the registrar provides 24/7 chat; nearly all do. It is whether the support tier the account sits on understands the operational shape of a 30-domain estate. An agent trained to assist with single-domain renewal issues, when confronted with bulk DS-record updates or a stalled bulk-transfer batch, escalates to a second tier with a 24-to-48-hour response window. The wholesale model is email-only with a 12-hour response, but the agent has read the API docs and can answer the question. The retail model is chat-first with a 5-minute response, but the agent cannot answer and escalates.

When one of 30 domains has an issue at 2am — a stuck DNSSEC re-signing, a delayed renewal triggering soft expiration, a registrar-side outage of the DNS panel — resolution speed is the speed of the appropriate-tier agent, not the first-tier respondent. The operator evaluates support on resolution time, not response time, ideally by stress-testing the registrar with a deliberately complex pre-purchase question.

The registrar-of-last-resort pattern — concentration vs diversification

Register all 30 domains at one registrar, and you have one billing relationship, one API, one runbook to secure — and one account suspension or billing dispute that takes the whole estate offline simultaneously. It also hands receivers a perfect cluster signal: same registrar, same WHOIS, same purchase window.

The pragmatic posture is a primary-secondary split. Put 70-80% at the primary (Namecheap or Porkbun typically), 20-30% at the secondary (the other one, or Cloudflare). Spread the purchases across two or three sessions, ideally on different days, with different payment methods. The secondary is your failover when the primary suspends your account mid-procurement, the destination for the tranche under a different registrant entity, and the proof that your runbook is registrar-agnostic. Three registrars is overkill; one is a single-point-of-failure incident roughly once every three years.

Common operator failures observed in procurement

  • Selecting on first-year price. The operator sees $7.99, multiplies by 30, registers the estate, and budgets renewal at the same rate. Year two arrives at $22 per domain, the budget is short by $400, and migration is bounded by the 60-day lock and a 30-EPP-code support ticket.
  • Skipping the privacy upgrade at retail checkout. Privacy defaults off, the operator clicks through, and 30 personal contact records appear in WHOIS within 48 hours. Remediation requires retroactive purchase on each domain individually.
  • Assuming DNSSEC will be available. The retail registrar exposes a DNSSEC toggle but does not support DS-record management for external nameservers; the operator migrates DNS to a dedicated provider and discovers, at the moment of DS publication, that the registrar will not accept the digest.
  • Registering 30 domains in 30 sequential checkouts. The account is flagged by fraud heuristics at checkout 23. The verification path takes 48 to 96 hours. The remaining seven domains in the naming plan are registered by someone else in the interim.
  • Concentrating at a single registrar with no secondary.A billing dispute or account-policy enforcement affects 100% of the estate simultaneously. The recovery path is bounded by the registrar’s support response, not the operator’s preparedness.
  • Selecting an enterprise registrar for a 30-domain estate. The pricing floor exceeds the operational benefit by a multiple, and the procurement cycle introduces a 30-to-60-day delay against same-day wholesale registration.

Pre-procurement checklist

  • The TLD plan from Chapter 02 is final and the registrar shortlist is filtered to those that support every TLD on the plan.
  • Renewal pricing — not first-year promotional pricing — is documented per TLD for each shortlisted registrar.
  • Privacy posture is verified: WHOIS-by-default at wholesale, or the privacy upgrade is line-itemed and budgeted at retail.
  • DNSSEC support is confirmed at the level the DNS architecture (Chapter 05) requires — registrar-signed if DNS stays at the registrar, DS-record-only if DNS migrates to a dedicated provider.
  • Bulk-registration tooling is verified — CSV upload, API access, or a sales-assisted batch channel — and the operator has tested the path with a single test domain before the full batch.
  • API credentials are provisioned and stored in the operator’s secret manager before bulk registration begins, not afterward.
  • The secondary registrar is identified and an account is open before the primary procurement begins, not after the primary fails.
  • A documented runbook for transfer-out — auth-code request path, expected SLA, bulk-transfer batch size — is recorded before the 60-day lock window closes on the first registered domain.

Where this fits

The registrar choice locks in the procurement vendor for the operational lifetime of the estate, the billing cadence, the API surface the buying workflow of Chapter 04 will execute against, and the DNS-hosting decision tree of Chapter 05. A wholesale-tier registrar with mature bulk tooling, WHOIS-by-default privacy, DS-record DNSSEC support, and a documented API removes friction from every chapter that follows. A retail-tier registrar with strong UI and four-times-renewal pricing introduces a friction tax that recurs annually. The decision is small, infrequent, and load-bearing — the configuration this reference is most often called in to undo, after the fact, is the registrar selection made in week one.

Related chapters

Was this guide useful?
Skip the setup

Allston Labs operates the full sending estate as a service.

We provision domains, configure the entire authentication record set, run warmup, and monitor reputation across providers. The stack lives under your entity. The engineer on call lives in your Slack.