You need to know who's behind a domain. Maybe you're verifying that a supplier's domain is legitimately theirs before wiring money. Maybe a lookalike domain is phishing your users. Maybe you want to buy the name. The tool for all of these is a WHOIS (or RDAP) lookup, but the honest version of this guide has to start with a caveat: since 2018, most personal registrant data in WHOIS is redacted, and "lookup domain owner" really means "extract every signal the record still gives you, then use the right escalation path."
This guide covers both halves: running the lookup, and reading a modern, mostly-redacted record like someone who knows what they're looking at.
Step 1. Run the lookup
Enter the domain in the WHOIS Lookup tool: the registrable name (example.com), not a URL or subdomain. You'll get the registration record parsed into sections: registrar, dates, status, nameservers, and contacts.
From a terminal:
whois example.com
Or use RDAP, the structured JSON successor to WHOIS that all gTLD registries are required to serve:
curl -s https://rdap.org/domain/example.com | jq .
RDAP returns the same data with a real schema (entities for contacts, events for dates, status for flags), which makes it far better for anything scripted.
Step 2. Understand what GDPR did to WHOIS
Before May 2018, a WHOIS record typically listed the registrant's full name, postal address, email, and phone number. GDPR made publishing that personal data legally untenable, and ICANN's Temporary Specification responded by letting registrars redact it. The practical result, years on: for the large majority of gTLD domains, the contact section reads something like:
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
This applies broadly, not just to EU registrants; most large registrars redact by default for everyone. On top of that, WHOIS privacy services (often free with registration now) substitute proxy contact details even where redaction wouldn't apply.
So: if you were hoping for a name and phone number, you'll usually be disappointed. What's left is still genuinely useful; you just have to know how to read it.
Step 3. Mine the fields that aren't redacted
A redacted record still discloses a lot:
Registrar. Always visible. Tells you where the domain is managed and who to send abuse reports or purchase inquiries through. A domain at a major registrar with a long history reads differently from one at a registrar known for lax abuse handling.
Creation date. A "bank" whose domain was registered eleven days ago is answering your legitimacy question all by itself. Long-established domains are expensive to fake; age is one of the strongest trust signals in the record.
Updated and expiry dates. A recent update right before suspicious activity, or an expiry a week out, both tell stories.
Registrant organization and country. Sometimes the organization survives redaction even when personal fields don't; companies often deliberately publish it. Country/state frequently remain visible too.
Nameservers. Often the best ownership clue in the whole record. ns1.bigcorp.com suggests self-hosted infrastructure; Cloudflare or Route 53 nameservers tell you which platform's abuse desk has leverage. Run a DNS lookup on the domain and compare MX and TXT records; SPF includes and verification TXT records regularly name the SaaS vendors and mail providers the owner uses, which narrows down who they are. (If you're new to reading DNS records, start with how to perform a DNS lookup.)
Status flags. clientTransferProhibited is routine. clientHold or serverHold means the domain has been suspended, often a sign the registrar or registry already acted on an abuse report.
Step 4. Contact the owner through the redaction
Redaction hides the data; it doesn't make the owner unreachable. In rough order of effectiveness:
- The anonymized relay email. Many registrars publish a per-domain forwarding address (or a web contact form linked from the WHOIS response) that relays to the real registrant. This is the designed path; use it first.
- The registrar's abuse contact. For phishing, malware, or trademark abuse, the Registrar Abuse Contact Email in the record is unredacted by requirement. Registrars act on well-documented abuse reports because their accreditation depends on it.
- The website itself. Obvious, but skipped surprisingly often: contact pages, a security.txt at /.well-known/security.txt, legal/imprint pages (mandatory in some jurisdictions and usually naming a real entity).
- Hosting provider. Resolve the domain, then run the IP through reverse DNS and IP geolocation to identify the hosting network. The host's abuse desk is a parallel escalation path to the registrar's, and for active phishing it's often the faster one.
- Legal process. UDRP for trademark disputes, or law-enforcement/court channels, can compel disclosure of the data behind the redaction. Out of scope here, but it exists and it works.
If your goal is buying the domain, the relay email plus a broker as fallback is the standard route. If it's abuse, document everything (URLs, timestamps, screenshots) before reporting; suspended domains have a habit of going dark mid-investigation.
Step 5. Verify legitimacy with the whole picture
For the "is this domain really who it claims to be" question, no single field decides it. Triangulate:
- Age vs claim. Established company, week-old domain: red flag.
- Registrant org matches the brand (when visible), or at least doesn't contradict it.
- Infrastructure consistency. Does the suspect domain share nameservers and mail infrastructure with the company's known-good primary domain? A DNS lookup on both, side by side, settles this fast.
- TLD and spelling. examp1e.com and example-payments.net are different registrations with their own WHOIS records; look them up separately and compare creation dates with the real domain.
A lookalike registered last month, behind full privacy, on nameservers unrelated to the real company, is as close to a confirmed phish as a registration record can get.
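As an added example (not code from the original guide), the following Python script applies Steps 3 and 5 to an RDAP domain object: it pulls the fields redaction leaves intact (registrar, abuse contact, creation date, status, registrant org/country, nameservers) and flags the combination described above. The RDAP document, the known-good nameservers, the fixed clock and the 90-day age threshold are all constructed assumptions.

```python
from datetime import datetime, timezone
# Constructed RDAP domain object for a hypothetical lookalike domain (not a real record).
SAMPLE_RDAP = {
    "ldhName": "examp1e.com",
    "status": ["client transfer prohibited", "client hold"],
    "events": [{"eventAction": "registration", "eventDate": "2024-03-01T00:00:00Z"}],
    "nameservers": [{"ldhName": "NS1.FREEDNS.EXAMPLE"}, {"ldhName": "NS2.FREEDNS.EXAMPLE"}],
    "entities": [
        {"roles": ["registrar"], "vcardArray": ["vcard", [["fn", {}, "text", "Registrar Inc"]]],
         "entities": [{"roles": ["abuse"], "vcardArray": ["vcard", [["email", {}, "text", "abuse@registrar.example"]]]}]},
        {"roles": ["registrant"], "vcardArray": ["vcard", [["fn", {}, "text", "REDACTED FOR PRIVACY"],
                                                           ["adr", {}, "text", ["", "", "", "", "", "", "US"]]]]},
    ],
}
KNOWN_GOOD_NS = {"ns1.example.com", "ns2.example.com"}  # constructed: the real brand's nameservers
SAMPLE_NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)   # fixed clock so the computed age is reproducible

def _entities(ents):
    """Walk entities depth-first; the abuse contact nests under the registrar entity."""
    for e in ents:
        yield e
        yield from _entities(e.get("entities", []))

def _find(rdap, role):  # first entity carrying the given RDAP role, or {} when absent
    return next((e for e in _entities(rdap.get("entities", [])) if role in e.get("roles", [])), {})

def _vcard(entity, prop):
    """Value of a jCard property ('fn', 'org', 'email', 'adr') on an RDAP entity, or None."""
    return next((i[3] for i in entity.get("vcardArray", [None, []])[1] if i[0] == prop), None)

def summarize(rdap, known_good_ns, now):
    """Pull the unredacted signals out of an RDAP domain object and flag risky combinations."""
    events = {e["eventAction"]: e["eventDate"] for e in rdap.get("events", [])}
    created = datetime.fromisoformat(events["registration"].replace("Z", "+00:00"))
    ns = {n["ldhName"].lower() for n in rdap.get("nameservers", [])}
    registrant = _find(rdap, "registrant")
    adr = _vcard(registrant, "adr")  # jCard adr: the 7th component is the country
    info = {
        "registrar": _vcard(_find(rdap, "registrar"), "fn"),
        "abuse_email": _vcard(_find(rdap, "abuse"), "email"),  # unredacted by requirement
        "age_days": (now - created).days,
        "on_hold": bool(set(rdap.get("status", [])) & {"client hold", "server hold"}),  # RDAP form of clientHold/serverHold
        "registrant_org": _vcard(registrant, "org"),
        "registrant_country": adr[6] if adr else None,
        "shares_nameservers": bool(ns & {n.lower() for n in known_good_ns}),
    }
    info["flags"] = [msg for hit, msg in ((info["age_days"] < 90, "registered within 90 days (assumed threshold)"),
                                          (not info["shares_nameservers"], "nameservers unrelated to the known-good domain"),
                                          (info["on_hold"], "suspended (hold status)")) if hit]
    return info
```

Point it at real data by replacing SAMPLE_RDAP with the parsed output of the curl command from Step 1 and KNOWN_GOOD_NS with the nameservers of the company's primary domain.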
Common mistakes
Treating "REDACTED FOR PRIVACY" as a dead end. The dates, registrar, nameservers, status flags, and the relay-contact path remain. Most ownership questions are answerable without ever seeing a registrant name.
Treating privacy protection as evidence of bad intent. It isn't: privacy services are default-on at many registrars, and plenty of legitimate individuals and businesses use them. Suspicious is privacy plus a fresh creation date plus a lookalike name.
Querying a subdomain or URL. WHOIS is per registrable domain. shop.example.co.uk has no record of its own; query example.co.uk.
Assuming every TLD behaves the same. ccTLDs set their own rules: some publish more than gTLDs, some publish almost nothing, some have no public WHOIS at all. If a gTLD-style query fails, check the registry's own lookup service.
Using one stale source. Aggregator sites cache records. For anything that matters, query live via the WHOIS tool or RDAP.
TL;DR
- Run the domain through the WHOIS Lookup tool, or whois example.com / curl https://rdap.org/domain/example.com.
- Expect personal contact data to be redacted (GDPR-era default); that's normal, not suspicious by itself.
- Read what's left: registrar, creation date, registrant org/country, nameservers, status flags.
- To reach the owner: registrar's relay email or contact form first, abuse contacts for abuse, hosting provider as a parallel path.
- For legitimacy checks, triangulate domain age, infrastructure, and DNS records against the known-good domain.
