Domain2026-07-14·8 min read

Which Australian domain registrar should your small business use?

How to choose an Australian domain registrar — and keep control of the domain afterwards. The 6 checks that matter more than price, the renewal traps, and how to move without breaking your email.

Choosing — and keeping — an Australian domain registrar comes down to 6 checks that matter more than the price on the signup page:

  • auDA accreditation — the registrar appears on the official .au accredited list
  • DNSSEC included — not metered, not sold back to you as a premium add-on
  • Registrar lock and 2-factor authentication on the account that controls the domain
  • Renewal price, not signup price — the first year is the advertisement; every year after is what you actually pay
  • Transfer-out policy — leaving should take a password, not a support ticket
  • CAA and modern record support, if the registrar also hosts your DNS

Most Australian small businesses never look at any of this again after the day they register: 98% of Australian small business domains do not enable DNSSEC*. Your domain is the one asset every other online asset depends on — it deserves 10 deliberate minutes a year.

If you came here wanting a name, here is the short version: for a .com.au, pick an auDA-accredited registrar that includes DNSSEC, registrar lock and 2-factor authentication at no extra charge, publishes its renewal price as plainly as its signup price, and lets you leave with a password instead of a phone call. Several Australian registrars pass that test. Most of the market does not, and the rest of this page is about telling the difference — because the registrar decision is not really about the $15 a year on the invoice. It is about who controls the asset that your website, your email and every login reset attached to your domain all depend on.

Why the registrar decision is a security decision

Your domain is the root of everything your business does online. The website lives at it. Email arrives because of records published under it. Password resets for your accounting software, your socials and your bank all route through inboxes that the domain controls. Whoever holds the registrar account holds all of that — which is why domain hijacking is such a prized outcome for attackers, and why the controls a registrar offers matter more than its brand or its discount.

It is also why losing a domain is so much worse than losing a website. A website can be restored from backup in an afternoon. A domain that expires, gets purged and is re-registered by someone else takes your email with it — and under auDA's licensing rules there is no obligation for the new holder to give it back.

This is the boring kind of security: no software to buy, no consultant to engage. Just a handful of settings in an account most business owners log into once a year, if that.

The 6 checks, in detail

1. auDA accreditation

auDA — .au Domain Administration — administers Australia's domain namespace and accredits the registrars allowed to sell .au names. Accreditation is the floor, not a quality award: it means the company answers to auDA's rules on transfers, renewals and registrant rights. Check the name on auDA's accredited registrar list before you commit. Some large international brands sell .au names through a local accredited partner rather than holding accreditation themselves — which works fine day to day, but adds a company between you and your domain when something goes wrong.

While you are there, run your existing domain through auDA's WHOIS. It shows the registrar of record and the expiry date — and if the registrar named there is not who you thought it was, that is worth resolving today rather than during an outage.

2. DNSSEC included, not metered

DNSSEC signs your DNS records so the answers directing customers to your website and email can be verified rather than taken on trust. 98% of Australian small business domains do not enable it* — partly because it is off by default everywhere, and partly because some providers charge extra for it. We wrote up why that 98% exists, and what we did about it for our own domains — the short version is that we moved our business away from a registrar that metered DNSSEC in "credits", and we treat "is it included free" as a one-question character test for any provider. The registrars that include it tend to be the ones that get the rest of this list right too.

3. Registrar lock and 2-factor authentication

Two settings, both free everywhere, both usually off. Registrar lock stops the domain being transferred away without you explicitly unlocking it first. 2-factor authentication protects the account that could unlock it. Together they turn "someone phished the office email" from a domain-loss event into a nuisance. If your registrar offers neither, that is disqualifying — and if you cannot remember whether yours are on, that is your first 5 minutes after reading this page.

4. The renewal price, not the signup price

First-year domain pricing is an advertisement. The number that matters is the renewal price — what you will pay in years 2 through 10 — and reputable registrars publish it next to the signup price. Treat a registrar that buries its renewal pricing the way you would treat any supplier that hides what the second year costs. The dollar differences are small either way; what the pricing behaviour tells you about the company is not.

5. The transfer-out policy

You will probably move registrars at some point — a better provider, a hosting consolidation, an acquisition. The move should be self-service: get the domain password (the EPP or auth code) from the control panel, give it to the new registrar, done. Some providers make that code available instantly; others route it through a retention process. Read the transfer-out help page before you sign up, not after. A registrar confident you will stay does not need to make leaving hard.

6. CAA and modern record support

If the registrar also hosts your DNS — most small businesses leave it that way — check it supports the records you will eventually want: CAA records that name which certificate authorities may issue for your domain (only 5% of Australian small business domains publish one*), and the SPF, DKIM and DMARC records your email depends on. Almost every modern DNS host supports all of these; the check is quick and the occasional legacy panel that fails it tells you the provider has stopped investing.

How domains actually get lost

Not to hackers, mostly. To expiry.

The sequence is mundane: the card on file expires, the renewal notices go to an inbox nobody reads — the old web designer's address, an alias that stopped working — and the domain quietly lapses. The website goes down, email starts bouncing, and under auDA's rules the name is purged about 30 calendar days after expiry and released for anyone to register. People watch expiry lists for exactly this moment.

Three settings prevent essentially all of it. Auto-renew on. A payment method that will still work next year. And a registrar account email that a current human reads — not a former employee, not the agency you used in 2019. If you do nothing else this page suggests, check those three.

What to ask whoever manages it for you

Plenty of small businesses have never logged into a registrar. The web developer registered the domain, or the hosting company bundled it. That is workable — but ask 4 questions, and expect crisp answers:

  1. Which registrar holds the domain, and is the account in our business's name? A domain registered in a contractor's personal account is a dispute waiting for a falling-out. auDA's WHOIS will confirm the registrar; the registrant should be your ABN.
  2. Who receives the renewal notices, and is auto-renew on?
  3. Are registrar lock and 2-factor authentication enabled?
  4. Is DNSSEC on — and if not, does our provider include it free?

None of these is a big job. All of them are the kind of thing that only surfaces when it is too late to fix cheaply.

What the enterprise version looks like

Large companies use corporate registrars — brand-protection firms that manage thousands of names, monitor lookalike registrations, and charge accordingly. That tier exists for businesses whose domain portfolio is itself a legal asset: global trademarks, hundreds of defensive registrations, in-house counsel on the notification list. The Australian Cyber Security Centre's small business guidance does not send you there, and neither do we. A small business with 1 to 5 domains gets the same protections — lock, 2FA, DNSSEC, auto-renew — from an ordinary accredited registrar for tens of dollars a year. The enterprise product solves portfolio problems you do not have.

If you do run domains for more than one business — your own ventures, or client sites you manage — the checks in this page apply per domain, and keeping them all green by hand stops scaling around the half-dozen mark. That is the multi-domain problem a Custom Engagement exists for: the same domain-level checks, run continuously across every name you are responsible for — scoped for agencies, MSPs, and larger businesses.

When to bring in outside help

For a registrar move or a DNS cleanup, your existing IT support or developer is the right level — it is hours of work, not a project. The cases that justify specialist help are rarer: a domain registered by someone now uncontactable or hostile, a dispute over a name someone else holds, or a hijack in progress. For ownership disputes over .au names, auDA publishes the complaint and dispute-resolution path; start there rather than with a lawyer's letter. For an active hijack, your registrar's emergency line is the first call and the ACSC's small business hub the second.

Moving registrars without breaking anything

The transfer itself is routine — password out, password in, a confirmation email, a few days of waiting. The breakage happens around it, so sequence deliberately. Leave your DNS records and nameservers untouched while the transfer runs; the domain keeps resolving throughout, and changing DNS mid-move is how websites and email go dark. If DNSSEC is enabled, have the DS record removed before the transfer and re-enabled after — a transfer with stale DNSSEC keys can take the domain offline for every validating resolver. And if you also intend to change DNS hosting, do it as a separate step a week later. One change at a time, each verified before the next.

Note for any .com you hold alongside the .com.au: gTLD rules add a 60-day transfer lock after registration or a previous transfer, so a recently-moved .com simply has to wait out the clock.

Where a scan fits

Everything in this checklist is visible from the outside, which means it is checkable from the outside. Our scan's Domain category reads the public record: DNSSEC validation, CAA, the registrar-level records your email authentication depends on — the same checks, reported in plain English against the baseline data for Australian small businesses. What no scan can see is the inside of your registrar account: whether auto-renew is on, where the notices go, who holds the password. Those 10 minutes are yours — once a year, calendar them.

#domain#australian-business#small-business