How to Transfer a Domain in 2026: EPP Codes, TACs, Locks, and 72-Hour Timelines

What's In This Article

A domain transfer is simple once you know the moving parts — but the internet is full of stale, registrar-specific guides that bury the one thing that actually blocks people: the 60-day lock. This 2026 walkthrough explains what the authorization code is (and why ICANN now calls it a TAC, not an EPP code), the exact six steps to move a domain between registrars, how long each stage takes, why a registrar has five days to hand over your code, the timing traps that cause most failed transfers, and a security checklist. Finally, it shows how buying on a fixed-price marketplace changes the equation: the transfer is initiated within 72 hours and fully refundable if it can't complete.

You just bought a domain — or you're finally moving one off a registrar you've outgrown — and now a single acronym is standing between you and your name: the EPP code. Search for how to move a domain and you'll drown in registrar help pages that each explain their own dashboard, gloss over the one rule that actually blocks people, and use terminology that's now a year out of date.

I spent a decade brokering premium domains, and I've watched hundreds of transfers go through — and watched a handful get stuck for entirely avoidable reasons. The transfer itself is genuinely simple. What trips people up is timing, a code that expires, and a 60-day lock nobody warned them about. This guide fixes that. You'll get the current 2026 terminology (ICANN renamed the EPP code — more on that below), the exact steps in order, realistic timelines, a troubleshooting table for every common failure, and a security checklist. And at the end, why buying on a fixed-price marketplace makes most of this someone else's job.


What actually happens during a domain transfer?

A domain transfer moves the registration of your domain from one ICANN-accredited registrar to another. Your ownership doesn't change — you still own the name — but the company responsible for managing it in the central registry does. Think of it like porting a phone number between carriers: same number, same you, different provider handling the paperwork.

Under the hood, four parties are involved:

  • You, the registrant (the legal owner).
  • The losing registrar, where the domain currently lives.
  • The gaining registrar, where you want it to go.
  • The registry, the central database for that TLD (Verisign runs .com and .net, for example) that ultimately records the change.

The whole process is governed by ICANN's Transfer Policy, which sets the rules every accredited registrar must follow — the authorization code, the approval windows, and the locks. Because those rules are standardized, a transfer works the same way whether you're moving a .com from GoDaddy to Cloudflare or vice versa. Learn it once and it applies everywhere.


What is an EPP code — and why is it now called a TAC in 2026?

The authorization code is the heart of a transfer. It's a unique, per-domain password that proves to the gaining registrar that you're actually allowed to move the name. You'll see it called several things — auth code, authorization code, AuthInfo code, EPP code, or transfer key — and they all mean the same thing. It's typically an 8–16 character alphanumeric string, and it looks like a scrambled password because that's exactly what it is.

Here's the part most guides haven't caught up to: as of ICANN's modernized Transfer Policy, the official term is now the TAC — Transfer Authorization Code. The GNSO Council's Transfer Policy Review finalized a full slate of updates in 2025, and the renaming came with real functional changes, not just a new label:

  • Generated on demand. Under the old model, an AuthInfo code often sat on the domain permanently. The TAC is created only when you request it, so a stale code isn't lingering where an attacker could grab it.
  • Short validity window. A TAC is only good for a limited time — commonly up to 14 days — after which it expires and you request a fresh one.
  • You get notified. When a TAC is issued for your domain, you're explicitly informed, which is an anti-hijacking safeguard.
  • The registrar still has a deadline. Your current registrar must provide the code within five calendar days (120 hours) of your request. If they stall past that, that's a policy violation you can escalate.

Practically, nothing about your steps changes. You still request the code, copy it, and paste it at the new registrar. But if you read a transfer guide that only talks about "EPP codes" and never mentions the TAC, you now know it predates the current rules.


How to transfer a domain in 6 steps

Here's the entire process, start to finish. On most domains the active work takes about 30 minutes; the rest is waiting on built-in timers.

Step 1 — Confirm the domain is eligible

Before anything, make sure the domain isn't inside a 60-day lock (see the timing section below) and isn't within a few days of expiring. Transferring an about-to-expire domain is asking for trouble — renew it first if it's close.

Step 2 — Unlock the domain

Every registrar applies a registrar lock (also called "transfer lock" or "client transfer prohibited") by default to prevent unauthorized moves. In your current registrar's control panel, find the domain's settings and toggle this off. The change propagates in minutes to a few hours.

Step 3 — Get your authorization code (TAC/EPP)

Request the auth code from your current registrar — usually a button in the same domain settings screen. Some registrars email it; some display it on screen. Remember the five-day rule: they're required to give it to you within 120 hours. Copy it exactly, including case.

Step 4 — Start the transfer at the new registrar

Go to your gaining registrar, choose "transfer a domain," enter the name, and paste the authorization code when prompted. You'll confirm payment here. For most gTLDs the transfer includes a mandatory one-year registration extension added to your current expiration date. This is standard practice, documented in Cloudflare's registrar transfer docs and applied by every other registrar, so you don't lose time; you gain a year.

Step 5 — Approve the transfer

The losing registrar sends a confirmation email to the domain's administrative contact. This is where speed lives. If you click to approve immediately, a transfer that would otherwise take 5–7 days can complete in 24–48 hours. If you ignore it, the transfer still goes through automatically after the waiting period — you just wait longer.

Step 6 — Verify DNS and lock it back down

Once the transfer completes, confirm your DNS records (A, CNAME, MX for email) carried over or re-enter them at the new registrar, then re-enable the registrar lock. Done.


The 60-day lock and other timing traps

If a transfer is going to fail, timing is almost always why. Keep these locks straight:

  • The 60-day post-event lock. ICANN prohibits transferring a domain within 60 days of its initial registration, a prior transfer, or an opted-in change of registrant. This is the single most common reason a transfer won't start. Just registered a name last week? You're locked for 60 days. No workaround exists — it's a registry-level rule.
  • The change-of-registrant lock. Editing the registrant's name or organization can trigger its own lock. Under the reformed 2025 policy, ICANN moved toward a shorter 30-day (720-hour) inter-registrar lock for this event, which registrants can sometimes request to remove early — a modernization from the older flat 60 days.
  • The auth code expiry. A TAC expires (commonly in ~14 days). Start a transfer, get distracted for two weeks, and your code is dead. Request a fresh one.
  • Registrar processing time. Even with instant approval, the gaining registrar and registry need time to finalize. Budget a couple of days minimum.

| Timing rule | Duration | What it blocks |
|---|---|---|
| Post-registration / post-transfer lock | 60 days | Any outbound transfer |
| Change-of-registrant lock | 30–60 days | Outbound transfer after contact edit |
| Auth code (TAC) validity | ~14 days | Transfer if code expires unused |
| Registrar code-provision deadline | 5 days (120 hrs) | Your ability to get the code |
| Standard transfer completion | 5–7 days (24–48 hrs if approved instantly) | |

Why domain transfers fail — and how to fix each one

Most "my transfer is stuck" problems come down to one of six causes. Here's the fast diagnosis:

| Symptom | Likely cause | Fix |
|---|---|---|
| Transfer won't even start | Domain still locked at current registrar | Toggle off the registrar/transfer lock |
| "Not eligible for transfer" error | Inside the 60-day lock window | Wait out the 60 days — no override exists |
| Auth code rejected | Code expired, mistyped, or wrong case | Request a fresh TAC; copy-paste exactly |
| No approval email arrives | Admin email in WHOIS is outdated | Update the registrant email, then retry |
| Transfer silently cancelled | Domain expired or in redemption | Renew first, then transfer |
| Registrar won't release code | Past the 5-day provision deadline | Escalate; cite the ICANN Transfer Policy |

The recurring theme: verify your contact email and check the 60-day clock before you start. Those two checks prevent the overwhelming majority of failed transfers.
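
The lock, timing, and expiry checks above can be run as a script before you request a code. This is an added example, not part of the original article or any registrar's tooling: it reads a constructed RDAP domain response (RFC 9083 field names, RFC 8056 status values) and reports the blockers this guide lists. The sample data, the function names, and the 14-day "close to expiring" margin are assumptions.

```python
from datetime import datetime, timedelta

# Constructed RDAP domain response (RFC 9083 field names); not a real lookup.
SAMPLE_RDAP = {
    "ldhName": "example.com",
    "status": ["client transfer prohibited", "client delete prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "2019-03-02T10:00:00Z"},
        {"eventAction": "transfer", "eventDate": "2026-01-20T08:30:00Z"},
        {"eventAction": "expiration", "eventDate": "2026-03-02T10:00:00Z"},
    ],
}

LOCK_DAYS = 60            # post-registration / post-transfer lock (from the article)
EXPIRY_MARGIN_DAYS = 14   # assumption: what "close to expiring" means here
BLOCKING = {"client transfer prohibited", "server transfer prohibited",
            "pending transfer", "redemption period", "pending delete"}

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def transfer_blockers(rdap, now):
    """Return the reasons an outbound transfer would be refused right now."""
    reasons = []
    for st in sorted(BLOCKING & set(rdap.get("status", []))):
        reasons.append(f"status: {st}")
    events = {}
    for e in rdap.get("events", []):
        # Keep the latest date per action; a domain can be transferred more than once.
        d = parse_ts(e["eventDate"])
        events[e["eventAction"]] = max(d, events.get(e["eventAction"], d))
    for action in ("registration", "transfer"):
        if action in events:
            unlock = events[action] + timedelta(days=LOCK_DAYS)
            if now < unlock:
                reasons.append(f"60-day lock after {action} until {unlock:%Y-%m-%d}")
    exp = events.get("expiration")
    if exp and exp - now < timedelta(days=EXPIRY_MARGIN_DAYS):
        reasons.append(f"expires {exp:%Y-%m-%d}: renew before transferring")
    return reasons

def tac_usable(issued, now, validity_days=14):
    """True while a TAC issued at `issued` is still inside its validity window."""
    return issued <= now < issued + timedelta(days=validity_days)
```

An empty list from `transfer_blockers` means none of the checked conditions apply; it does not cover the change-of-registrant lock, which RDAP events do not expose directly.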


A quick security checklist for any transfer

A domain is often the most valuable asset a small company owns — losing control of it can mean losing your email, your site, and your brand overnight. Before and during a transfer, run this list:

  • Turn on registrar 2FA at both registrars. An auth code is useless to an attacker who can't get into your account.
  • Never share your TAC over email, chat, or with a "helper." It's a transfer password. Treat it like one.
  • Confirm the WHOIS admin email is one you control before requesting the code — the approval message goes there.
  • Re-lock the domain immediately after the transfer completes.
  • Verify DNS and email (MX records especially) so you don't silently drop inbound mail during cutover.

For the bigger picture on protecting the name itself — clean history, trademark exposure, and why some extensions carry more risk — our 2026 TLD trust rankings break down which endings users and mailbox providers actually trust.


How buying on a fixed-price marketplace changes the whole process

Everything above assumes you're moving a domain you already control. But if you're acquiring a domain, the transfer is where the classic aftermarket gets scary: you wire money to a stranger, then hope they release the auth code. That fear is exactly why escrow and drawn-out broker deals exist — and why so many people overpay for the reassurance. We unpack that anxiety in the psychology of 'make an offer' pricing.

A curated fixed-price marketplace removes most of the risk before you ever see the domain. On 199.domains, every listing is owner-verified via DNS and quality-vetted for clean history before it goes live, so there's no wondering whether the seller can actually deliver. The price is shown up front — $199 or less, no auctions, no negotiation — and the transfer is initiated within 72 hours, with a full refund if it can't be completed. You're not chasing an auth code from an anonymous seller; the handoff is managed. Compare that end-to-end to the auction path in fixed-price vs. auction domains.

The names below are the kind that make this worth it — short, clean, and ready to move:

Because these are already vetted and owner-verified, the "will the transfer actually work?" question is answered before you buy — which is the entire point of a managed marketplace versus a raw registrar-to-registrar move.


DIY registrar transfer vs. a managed marketplace transfer

| Feature | DIY registrar-to-registrar | 199.domains managed transfer |
|---|---|---|
| Who chases the auth code | You, from the seller/old registrar | Handled — ownership pre-verified |
| Ownership risk | You verify the seller yourself | DNS owner-verified before listing |
| Pricing | Renewal + transfer fees vary | $199 or less, shown up front |
| Kickoff time | 5–7 days (24–48 hrs if approved fast) | Initiated within 72 hours |
| If it fails | Your problem to untangle | Full refund guaranteed |
| Clean history check | Do your own Wayback/backlink audit | AI-vetted for spam + trademark flags |

Neither path skips ICANN's rules — the 60-day lock and the registry timers apply to everyone. But a managed transfer moves the hard parts (verifying the seller, extracting the code, handling failure) off your plate.


The bottom line on transferring a domain

Strip away the jargon and a domain transfer is five things in order: unlock it, get the authorization code (the TAC, formerly the EPP code), start the transfer at the new registrar, approve the confirmation email fast, and re-lock it. The only true blocker is the 60-day lock, and the only real accelerator is approving instantly instead of waiting out the timer.

If you already own the name, this guide is your checklist. If you're buying one, the smarter move is to start with a name where the transfer is already de-risked — owner-verified, clean-history, transparently priced, and initiated within 72 hours with a refund guarantee if anything goes sideways.

Ready to skip the hard part? Browse the newest arrivals in the catalog, or sharpen the kind of name you want first with our guides to brandable domains and how to get a premium domain for under $500.

Article FAQs

How long does a domain transfer take?

For a standard registrar-to-registrar transfer of a generic TLD like .com, plan on roughly 5 to 7 days from start to finish. Most of that is a built-in waiting period, not active work — the actual steps take about 30 minutes. You can cut the timeline to 24–48 hours if the losing registrar lets you approve or 'accept' the transfer immediately instead of waiting for the automatic five-day clock to expire. When you buy a domain on a managed fixed-price marketplace, the transfer is handled for you and initiated within 72 hours, because the seller's ownership is already verified before the listing goes live.

What is an EPP code, and is it the same as a TAC?

An EPP code — also called an auth code, authorization code, or AuthInfo code — is a unique alphanumeric password (usually 8–16 characters) that proves you're authorized to move a specific domain to a new registrar. As of ICANN's modernized 2025 Transfer Policy, the official name is now the TAC (Transfer Authorization Code). Functionally it's the same key with stronger rules: it's generated on demand when you request it rather than sitting on the domain permanently, and it's only valid for a limited window (commonly up to 14 days). If a guide only mentions 'EPP codes,' it predates the current terminology — but the concept is identical.

Why can't I transfer my domain right now?

The most common reason is the ICANN 60-day lock. A domain cannot be transferred to a new registrar within 60 days of its initial registration, a previous transfer, or (if you opted in) a change of the registrant's contact information. Other blockers include the domain still being locked at your current registrar, an expired or mistyped authorization code, an out-of-date administrative email that can't receive the approval message, or the domain being expired or in a redemption period. Check those five things in order and you'll resolve the vast majority of stuck transfers.

Do I lose my remaining registration time when I transfer a domain?

No — you keep it. For most generic TLDs, an inbound transfer actually adds one full year of registration on top of your current expiration date, so your remaining time is preserved and extended, not reset. You typically pay for that one-year extension as part of the transfer. The main exception is that a transfer doesn't restart the clock on your ownership history, and you can't transfer again for 60 days afterward.