Remember when a quick WHOIS lookup told you everything about a domain — the owner's name, email, phone, even their street address? Those days are gone. Since GDPR landed in 2018, most public WHOIS records have been scrubbed clean of personal data, and by 2026 the redaction is near universal across gTLDs and most ccTLDs. That is great news for privacy, but a bit of a headache when you are an SMB trying to verify who actually owns a domain before you buy it, partner with a vendor, or hand over a deposit.
The good news: you can still get plenty of useful intel from a WHOIS check if you know where to look and what to read between the lines. Here at TPC Hosting we get this question a lot, so let us walk through it properly.
What a Post-GDPR WHOIS Actually Shows You
When you run a lookup on a tool like who.is, whois.domaintools.com, or your registrar's built-in checker, you will still see a chunk of data — just not the juicy personal bits. The fields that remain public are usually the registrar name (who the domain was bought through), creation date, expiry date, last updated date, name servers, domain status codes, and the registry the TLD belongs to.
What gets masked are the registrant name, organisation, email, phone, and postal address. In their place you will see things like 'REDACTED FOR PRIVACY', 'GDPR Masked', or a generic forwarding email provided by the registrar. For some ccTLDs (.de, .fr, .nl) you may not even see the redaction placeholder — the fields just disappear entirely.
This matters because a lot of the signals you used to rely on for trust checks are gone. But the metadata that remains is still surprisingly powerful when you combine it with a few other techniques.
Reading the Signals That Are Still Public
Start with the creation date. A domain registered three weeks ago that is now offering you a 'limited partnership opportunity' is a massive red flag. Legitimate businesses usually have domains aged a year or more. Cross-check this against the company's claimed founding year — if they say they have been trading since 2014 but the domain was created last month, ask why.
Next, look at the registrar and name servers. A domain hosted on reputable infrastructure (well-known registrars, established DNS providers, professional hosting companies like TPC Hosting) is a positive signal. A domain registered through an obscure offshore registrar with name servers pointing to a free DNS service is not automatically dodgy, but it is worth a second look.
Domain status codes are another goldmine. Statuses like 'clientTransferProhibited' or 'serverHold' tell you whether the domain is locked, in dispute, or pending deletion. If you are about to buy a domain from someone and the status shows 'pendingDelete', walk away — fast.
Verifying Ownership Without the Personal Data
So how do you actually confirm the person you are talking to owns the domain? A few practical tricks work well. First, ask them to send you an email from an address on that exact domain. Spoofing is possible but uncommon for casual scammers, and combined with SPF and DMARC checks (you can do these with free online tools) you can get a strong signal.
Second, ask them to add a specific TXT record to the domain's DNS. This is the same method Google and Microsoft use for domain verification, and it is bulletproof. If they can add a TXT record with a string you choose within an hour or two, they control the DNS — which means they either own the domain or have full administrative access. Either way, you can proceed with reasonable confidence.
Third, use the registrar's contact form. Most registrars now provide an anonymised relay email or a webform that forwards messages to the real registrant. It is slower than the old direct-email days, but it works. For high-value transactions (domains over a few thousand pounds, or major vendor contracts) consider using an escrow service like Escrow.com which handles ownership verification as part of the transaction.
Practical Workflow Before You Buy or Partner
Here is the checklist we recommend to SMBs before committing money or signing a contract based on a domain:
- Run a WHOIS lookup and note creation date, registrar, name servers, and status codes
- Check the domain's age against the company's claimed history
- Look up the domain on the Wayback Machine to see how it has been used over time
- Send a test email to a role-based address (info@, contact@) and see if you get a sensible reply
- Request a DNS TXT verification for any transaction over a few hundred pounds
- For partnerships, ask for a video call and confirm the person matches their LinkedIn and the company website
None of these steps takes long, and together they replace most of what the old open WHOIS used to give you. When we register domains for customers at TPC Hosting, we walk them through this same checklist if they are buying a second-hand domain or onboarding a new supplier — it has saved several clients from awkward situations.
FAQ
Quick answers to the questions we hear most often.
FAQ
Can I still see who owns a domain after GDPR?
Not directly through public WHOIS for most gTLDs. Personal details are redacted, but you can request contact via the registrar's relay form, or verify ownership through DNS TXT records and email from the domain itself.
Does GDPR redaction apply to all domains?
It applies to gTLDs (.com, .net, .org) and most European ccTLDs. Some country-specific TLDs and business-registered domains may still show organisation details, but personal contact data is masked almost everywhere in 2026.
What is the fastest way to verify a domain owner before buying it?
Ask them to add a unique TXT record to the domain's DNS. If they can do it within a couple of hours, they control the domain. Combine this with an escrow service for the actual transfer.
