Registrar Access Checklist for Agencies Managing Client Domains
Use this registrar access checklist to review client domain logins, MFA, billing contacts, renewal notices, emergency access, and DNS-provider separation.
Updated 17 May 2026
A registrar access checklist helps agencies confirm who can log in, who controls MFA, who receives billing and renewal messages, where DNS is hosted, and what emergency path exists if a domain needs action quickly. It is a practical control checklist, not a password collection exercise. The point is to make sure the right client or agency people can act before expiry, transfer, DNS, or ownership issues become urgent.
Start by reviewing visible portfolio signals with the free agency audit, then use Health Check for a single domain. When interpreting public domain, DNS, and certificate signals, use the CertPilot methodology to understand what public checks can and cannot prove.
Quick answer: registrar access checklist
A registrar access checklist should confirm:
- Registrar name.
- Account owner.
- Admin users.
- MFA owner.
- Recovery email and phone owner.
- Billing contact.
- Payment review owner.
- Renewal notice recipients.
- Domain lock and transfer process owner.
- DNS provider and nameserver control.
- Emergency escalation path.
- Last access review date.
It should not store registrar passwords in a project management tool or in CertPilot. Credentials belong in a password manager with appropriate client approval and access controls.
Why registrar access fails in real agency work
Registrar access fails because it is rarely part of the launch checklist until something breaks. A domain can sit quietly for years, then suddenly require urgent action during expiry, migration, SSL validation, email setup, or ownership transfer.
Common failure patterns:
- The registrar login belongs to a founder who no longer manages the website.
- MFA goes to a former employee.
- Renewal notices go to an abandoned mailbox.
- Billing is tied to an expired card.
- DNS is not hosted at the registrar, but no one knows where it is hosted.
- The previous agency still controls the account.
- The client assumes the current agency has access, but the agency does not.
The checklist turns access into a managed operational dependency.
Account owner and admin access
The first question is not "what is the password?" The first question is "who owns the account and who is authorized to act?"
Record:
- Registrar.
- Account owner.
- Authorized admin users.
- Client approver.
- Agency contact, if the agency has delegated access.
- Previous vendor involvement.
- Transfer or unlock authority.
If the client owns the registrar account, ask the client to confirm that a current employee can log in. If the agency manages the account, document the handover path so the client can regain control if the relationship ends.
MFA and recovery methods
MFA improves account security, but unmanaged MFA creates lockout risk. Confirm who controls the second factor and recovery route.
Review:
- Authenticator app ownership.
- Hardware key ownership.
- Recovery email.
- Recovery phone.
- Backup codes storage location.
- Shared mailbox or individual mailbox dependency.
- Emergency replacement process.
Do not weaken MFA for convenience. Instead, document the recovery path and make sure it does not depend on one unavailable person.
Billing contact and payment method
The registrar account may be accessible while renewal still fails because billing is stale. Agencies should not collect or store card details, but they should document who is responsible for checking payment status.
Confirm:
- Billing owner.
- Renewal invoice recipient.
- Payment method review owner.
- Whether auto-renew is enabled.
- Whether the client or agency pays the registrar.
- Whether finance approval is needed before renewal.
Auto-renew reduces risk only when payment, notices, and access are working. It is not a reason to skip review.
Renewal notices and notification emails
Renewal notices often reveal operational drift. If notices go to an old employee, personal email, previous vendor, or unmonitored mailbox, the agency may find out too late.
Use a role-based mailbox when possible, such as an operations or IT mailbox controlled by the client. If a personal mailbox is required, record a backup contact and review it during onboarding and annual renewal planning.
DNS provider separation
Registrar access does not always mean DNS access. Nameservers may point to a DNS provider, CDN, host, or previous agency account. A registrar access checklist should note whether DNS is controlled in the registrar or somewhere else.
Pair this with nameserver change monitoring, DNS monitoring for agencies, and the DNS migration QA checklist when the domain is being migrated.
Emergency access path
For each critical client domain, define:
- Who can approve urgent registrar action.
- Who can log in.
- Who controls MFA.
- Who can contact registrar support.
- Who can verify ownership if support asks.
- Who communicates with the client.
This path should be written before a domain is close to expiry.
Access during employee or agency changes
Registrar access should be reviewed whenever the client changes IT staff, the agency changes account managers, or the client moves between vendors. Offboarding should include a formal domain handover step, not just website file delivery.
Use the client domain handover checklist when responsibility changes.
What to document without storing passwords
| Access area | What to confirm | Risk if missing | Review cadence |
|---|---|---|---|
| Registrar account owner | Client, agency, founder, or prior vendor | No one knows who can approve action | Onboarding and annual |
| Admin users | Current people with access | Urgent action delayed | Quarterly for critical domains |
| MFA owner | Person or team controlling second factor | Lockout during incident | On staff change |
| Recovery methods | Email, phone, backup codes owner | Account recovery fails | Semiannual |
| Billing contact | Person or team responsible for payment | Domain expires despite alerts | Before renewal window |
| Renewal notices | Mailboxes receiving registrar messages | Warnings missed | Quarterly |
| DNS provider | Where records are edited | Website/email changes blocked | On migration |
| Emergency path | Approver and executor | Confusion during incident | Onboarding and offboarding |
Registrar access checklist
- Identify registrar.
- Confirm account owner.
- Confirm current admin users.
- Confirm MFA owner.
- Confirm recovery email and phone owner.
- Confirm backup-code process.
- Confirm billing owner.
- Confirm payment method review owner.
- Confirm renewal notice recipients.
- Confirm whether auto-renew is enabled.
- Confirm DNS provider and nameservers.
- Confirm who can unlock or transfer the domain.
- Confirm emergency approver.
- Confirm registrar support path.
- Record last review date.
- Assign unresolved access risks.
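The table and checklist above can be kept as one structured record per domain and reviewed automatically. The following is an added example, not CertPilot code or part of the original page; the field names, the sample record, and the conversion of the date-based cadences to days are assumptions.

```python
from datetime import date

# Fields the checklist asks for; names are hypothetical, not a CertPilot schema.
REQUIRED = ("registrar", "account_owner", "admin_users", "mfa_owner",
            "recovery_owner", "billing_contact", "notice_recipients",
            "dns_provider", "emergency_approver")
# Secrets belong in a password manager, never in the checklist record.
FORBIDDEN = ("password", "backup_codes", "card_number")
# Date-based cadences from the table, converted to days (assumed conversion).
# Event-driven cadences ("On staff change", "On migration") are not modelled.
CADENCE_DAYS = {"account_owner": 365, "admin_users": 90,
                "recovery_methods": 182, "renewal_notices": 90}


def review_record(rec, today):
    """Return a sorted list of findings for one domain's access record."""
    findings = []
    for field in REQUIRED:
        if not rec.get(field):
            findings.append(f"missing:{field}")
    for field in FORBIDDEN:
        if field in rec:
            findings.append(f"secret-stored:{field}")
    # MFA and recovery controlled by the same person is a lockout risk.
    if rec.get("mfa_owner") and rec.get("mfa_owner") == rec.get("recovery_owner"):
        findings.append("single-person:mfa+recovery")
    # Registrar access does not imply DNS access when DNS is hosted elsewhere.
    if rec.get("dns_provider") and rec.get("dns_provider") != rec.get("registrar"):
        findings.append("dns-separate:confirm-dns-access")
    for area, days in CADENCE_DAYS.items():
        last = rec.get("last_review", {}).get(area)
        if last is None or (today - last).days > days:
            findings.append(f"review-overdue:{area}")
    return sorted(findings)


# Constructed sample record for a fictional client domain.
SAMPLE = {
    "domain": "client.example", "registrar": "ExampleRegistrar",
    "account_owner": "Client IT", "admin_users": ["ops@client.example"],
    "mfa_owner": "J. Doe", "recovery_owner": "J. Doe",
    "billing_contact": "", "notice_recipients": ["it-ops@client.example"],
    "dns_provider": "ExampleDNS", "emergency_approver": "Client IT lead",
    "password": "REDACTED",  # present only to show that the check flags it
    "last_review": {"account_owner": date(2025, 9, 1),
                    "admin_users": date(2026, 1, 10),
                    "recovery_methods": date(2026, 3, 1)},
}

if __name__ == "__main__":
    for finding in review_record(SAMPLE, date(2026, 5, 17)):
        print(finding)
```

Each finding maps to an unresolved access risk that can be assigned to an owner, which is the last item in the checklist.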
What public checks can confirm
Public checks may help identify registrar, nameservers, DNS records, SSL certificate status, and sometimes expiry-related data. They cannot confirm private registrar users, MFA settings, payment status, billing contacts, or the client’s legal authority to act. Treat public checks as visibility signals and registrar review as the source for private access details.
How CertPilot fits
CertPilot helps agencies track visible domain, DNS, SSL, and renewal-risk signals. It does not log in to registrars, update billing contacts, manage DNS hosting, or store registrar passwords. Use the agency audit and Health Check to find visible issues, then use the checklist to confirm private registrar-account details.
Related Resources
- Domain Ownership Audit for Agencies
- Client Domain Handover Checklist for Agencies
- Domain Expiry Monitoring for Agencies
- Domain Renewal Checklist for Agencies
- DNS Monitoring for Agencies
Frequently Asked Questions
What is a registrar access checklist?
A registrar access checklist is a structured review of who can access the domain registrar account, who controls MFA, who receives renewal notices, who handles billing, and what emergency path exists. It helps agencies reduce lockout and expiry risk without storing passwords in the wrong place.
Should agencies ask clients for registrar passwords?
Not as a default workflow. Agencies should use delegated access where available or a secure password manager when client-approved credential sharing is necessary. The checklist should document ownership, access roles, MFA ownership, and recovery paths rather than placing passwords in project notes or client reports.
Does registrar access mean DNS access?
Not always. DNS may be hosted at the registrar, but it may also be hosted at a DNS provider, CDN, website host, or previous agency account. Registrar access lets you manage registrar-level settings, but DNS changes require access to the provider serving the active nameservers.
How often should registrar access be reviewed?
Review registrar access during onboarding, before renewal windows, before migrations, after staff changes, and during offboarding. Critical client domains should have a more frequent review cadence because a single lockout can affect website, email, DNS, and recovery work.
Can CertPilot update registrar billing contacts?
No. CertPilot does not log in to registrar accounts and does not update billing contacts, payment methods, registrar users, or DNS records. It helps agencies track public signals and reporting workflows, while registrar account details still require manual review in the registrar.
Is auto-renew enough to remove domain risk?
No. Auto-renew can reduce risk, but it does not prove the payment method is valid, notices are monitored, the registrar account is accessible, or the domain will never require manual action. Agencies should still document access, billing owner, and renewal notification paths.