How to File a Domain Takedown Request: A Step-by-Step Guide
When a Takedown is Necessary
You have discovered a domain that is impersonating your client's brand. Maybe it is hosting a phishing page, sending fraudulent emails, or simply parked and waiting to be weaponized. Whatever the situation, the next step is clear: get it taken down.
Filing a domain takedown request is a structured process. Registrars and hosting providers have abuse policies and dedicated contacts for handling reports of malicious domains. The key to a successful takedown is providing clear, well-organized evidence that makes it easy for the abuse team to verify the threat and act on your request.
Here is how to do it, step by step.
Step 1: Gather Your Evidence
Before you contact anyone, document everything. The strength of your takedown request depends on the quality and completeness of your evidence. Collect the following:
Screenshots. Capture the lookalike domain's website, especially if it imitates your client's branding, login pages, or corporate identity. Include the browser address bar showing the full URL. Use timestamps on your screenshots or a tool that records the capture time automatically.
DNS records. Record the domain's A, MX, NS, and TXT records. MX records are particularly important because they show the domain is configured to send or receive email, which is a strong indicator of phishing intent.
WHOIS data. Pull the WHOIS registration record for the domain. Note the registration date, registrar, and any registrant contact information that is available. A recently registered domain that closely resembles your client's brand is a strong signal.
Email headers. If phishing emails have already been sent from the lookalike domain, preserve the full email headers. These contain the sending server's IP address, SPF/DKIM results, and routing information that support your abuse claim.
Side-by-side comparison. Place your client's legitimate domain and branding next to the lookalike to make the impersonation visually obvious. This helps the abuse team understand the threat quickly.
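The header fields named under "Email headers" above can be extracted with a short script so they go into the report as structured evidence. This Python example is added here and is not part of the original guide; the sample message, its hostnames and addresses, and the `trusted_mta` parameter (the name of the mail server you control) are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not real traffic): .example names, RFC 5737 addresses.
SAMPLE = (
    "Authentication-Results: mx.client.example;\n"
    "\tspf=pass smtp.mailfrom=examp1e-bank.example;\n"
    "\tdkim=pass header.d=examp1e-bank.example;\n"
    "\tdmarc=pass header.from=examp1e-bank.example\n"
    "Received: from mail.examp1e-bank.example (unknown [203.0.113.45])\n"
    "\tby mx.client.example with ESMTP id def456;\n"
    "\tTue, 04 Mar 2025 09:15:01 +0000\n"
    "Received: from localhost (localhost [127.0.0.1])\n"
    "\tby mail.examp1e-bank.example with ESMTP id abc123;\n"
    "\tTue, 04 Mar 2025 09:14:58 +0000\n"
    "From: Example Bank <alerts@examp1e-bank.example>\n"
    "Subject: Action required\n\nbody\n"
)

HOP = re.compile(r"from (\S+) \([^)]*\[([0-9A-Fa-f.:]+)\]\) by (\S+).*; (.+)$")
AUTH = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

def summarize_headers(raw, trusted_mta):
    """Return sending IP, SPF/DKIM/DMARC verdicts and route for an abuse report."""
    msg = message_from_string(raw)
    route = []
    for value in reversed(msg.get_all("Received", [])):  # oldest hop first
        m = HOP.search(" ".join(value.split()))           # undo header folding
        if m:
            helo, ip, by, date = m.groups()
            route.append({"from": helo, "ip": ip, "by": by,
                          "time": parsedate_to_datetime(date).isoformat()})
    # Hops below your own border MTA are written by the sender and can be
    # forged, so the evidence is the hop stamped by the server you control.
    border = next((h for h in route if h["by"] == trusted_mta), None)
    auth = {}
    for value in msg.get_all("Authentication-Results", []):
        flat = " ".join(value.split())
        if flat.split(";", 1)[0].strip() == trusted_mta:  # ignore injected copies
            auth.update(AUTH.findall(flat))
    return {"sending_ip": border["ip"] if border else None,
            "received_at": border["time"] if border else None,
            "auth": auth, "route": route}

if __name__ == "__main__":
    print(summarize_headers(SAMPLE, "mx.client.example"))
```

Keep the original raw message alongside this summary; the abuse team will want the unmodified headers.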
Step 2: Identify the Registrar and Hosting Provider
Use a WHOIS lookup service to determine which registrar the domain is registered through. Common registrars include GoDaddy, Namecheap, Cloudflare, Google Domains, and Tucows. The WHOIS record will list the registrar's name and usually include an abuse contact email.
If the domain is actively hosting content, you may also want to identify the hosting provider. Tools like DNS lookups and IP geolocation can help you trace the web server. You can file abuse reports with both the registrar and the hosting provider simultaneously to increase the chances of a quick resolution.
Most major registrars publish their abuse contact information on their websites. Look for pages titled "Report Abuse," "Abuse Policy," or "Phishing Report." Some registrars also accept reports through standardized abuse reporting forms.
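The WHOIS fields this step relies on (registrar, abuse contact, registration date) can be pulled from the raw record as follows. This Python example is added here and is not part of the original guide; the WHOIS record is constructed, and the 30-day `recent_days` threshold for "recently registered" is an assumption to adjust.

```python
from datetime import datetime, timezone

# Constructed WHOIS response (not a real record) in the "Key: value" layout
# that gTLD registrars return; ccTLD registries often use other layouts.
SAMPLE_WHOIS = """\
Domain Name: EXAMP1E-BANK.EXAMPLE
Registrar WHOIS Server: whois.registrar.example
Creation Date: 2025-02-27T11:02:13Z
Registry Expiry Date: 2026-02-27T11:02:13Z
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
Registrar Abuse Contact Phone: +1.5555550100
Registrant Email: REDACTED FOR PRIVACY
Name Server: NS1.HOSTING.EXAMPLE
Name Server: NS2.HOSTING.EXAMPLE
"""

def parse_whois(text):
    """Map each lower-cased field name to the list of values seen for it."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def takedown_contacts(text, as_of, recent_days=30):
    """Pull the registrar, abuse contact and domain age out of a WHOIS record.

    recent_days is an assumed threshold for "recently registered"; tune it.
    """
    f = parse_whois(text)
    first = lambda key: f.get(key, [None])[0]
    created = first("creation date")
    age = None
    if created:
        born = datetime.fromisoformat(created.replace("Z", "+00:00"))
        age = (as_of - born).days
    return {
        "domain": (first("domain name") or "").lower(),
        "registrar": first("registrar"),
        "abuse_email": first("registrar abuse contact email"),
        "created": created,
        "age_days": age,
        "recently_registered": age is not None and age <= recent_days,
        "name_servers": [ns.lower() for ns in f.get("name server", [])],
    }

if __name__ == "__main__":
    print(takedown_contacts(SAMPLE_WHOIS, datetime(2025, 3, 4, tzinfo=timezone.utc)))
```

A missing `abuse_email` in the result means the record does not list one, in which case fall back to the registrar's published abuse page.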
Step 3: Write Your Abuse Report
Your abuse report should be professional, factual, and well-structured. Include the following:
Subject line. Make it clear and specific: "Abuse Report: Domain Impersonation / Phishing — [lookalike-domain.com]"
The infringing domain. State the exact domain name you are reporting.
The legitimate domain. State your client's real domain and briefly describe their business.
Description of the abuse. Explain how the domain is being used maliciously. Be specific: is it hosting a phishing page, sending fraudulent emails, impersonating a brand, or a combination?
Evidence. Attach or link to your screenshots, DNS records, WHOIS data, email headers, and side-by-side comparisons. The more organized your evidence package, the faster the abuse team can act.
Requested action. Clearly state that you are requesting the domain be suspended or taken down due to its use in impersonation or phishing.
Your contact information. Include your name, organization, email address, and phone number so the abuse team can follow up if they need additional information.
Step 4: Submit the Report
Send your abuse report to the registrar's designated abuse contact. Most registrars accept reports via email (typically a dedicated abuse address), a web form, or both. If the domain is also hosting malicious content, submit a separate report to the hosting provider's abuse team.
Keep copies of everything you send, including timestamps. You will need these for follow-up.
Step 5: Follow Up
Registrars typically respond within 24 to 72 hours for clear-cut phishing cases, but response times vary. If you have not received a response within 5 business days, send a follow-up email referencing your original report and any ticket or case numbers you were given.
If the registrar is unresponsive or declines to act, you have additional options:
- Report to ICANN. File a complaint with ICANN if the registrar is not following its abuse handling obligations.
- Report to the hosting provider. If you have not already, contact the hosting provider separately.
- Report to Google Safe Browsing. Submit the domain through Google's Safe Browsing report form so browsers will warn users before they visit the site.
- UDRP filing. For persistent cases, a Uniform Domain-Name Dispute-Resolution Policy (UDRP) proceeding can force a domain transfer, though this is more expensive and time-consuming.
How MSP Domain Watch Automates This Process
If you manage domain security for multiple clients, the process described above quickly becomes time-consuming at scale. For each threat, you need to gather evidence, look up registrar contacts, draft a report, submit it, and track follow-ups — across every client, every domain, every detected threat.
MSP Domain Watch automates the entire takedown workflow. When a threat is confirmed, a single click generates a complete evidence package, identifies the registrar's abuse contact from a curated database, drafts a UDRP-compliant abuse report, and submits it. The system tracks the status of every takedown request and sends automated follow-up emails at configurable intervals until the issue is resolved.
Every step is logged with a full audit trail, giving you documentation for client reports and QBRs that shows exactly what was detected, when action was taken, and how the threat was resolved.
Instead of spending hours per takedown, your team can initiate and track takedowns across your entire client base from a single dashboard.
Protect your clients from domain impersonation
Start monitoring for lookalike domains with a free 7-day trial.