Enforcement Advisory – Notice for Domain Name Registrars

The purpose of this advisory is to promote compliance with Canada’s Anti-Spam Legislation (CASL) [Footnote 1] in the Canadian domain name registration space. Specifically, it outlines the responsibilities of Canadian domain name registrars (registrars) under CASL and recommends best practices for addressing anti-CASL activities. [Footnote 2] This advisory builds on previous guidance set out in Compliance and Enforcement Information Bulletin 2018-415. It contributes to protecting Canadians from unsolicited commercial electronic messages by encouraging registrars to adopt compliance measures that can detect, prevent, and disrupt potential CASL violations.

Why domain name registrars?

CASL prohibits sending unsolicited commercial electronic messages (commonly referred to as spam), altering transmission data in electronic messages without consent, and installing computer programs without consent. An organization or individual can also be found liable if they provided aid during these activities.

Information available to the Canadian Radio-television and Telecommunications Commission suggests that some domain names used for phishing [Footnote 3] may be purchased directly from registrars. [Footnote 4] In such cases, the domains often include, or closely resemble, the names of trusted organizations, such as financial institutions or other commercial entities. These lookalike domains are then used to set up fake websites and email accounts that make phishing messages appear legitimate to unsuspecting users.

Registrars are therefore uniquely positioned to address certain anti-CASL activities, including the sending of phishing messages that are commercial in nature. The domains they sell can be used to host fake websites that users are directed to when they click on hyperlinks in phishing messages. As key intermediaries in the domain name ecosystem, registrars are well-placed to identify domain registrations linked to phishing or spam campaigns targeting Canadians. By implementing best practices, registrars can help detect, prevent, and disrupt potential CASL violations and reduce the harm they cause Canadians.

How are registrars potentially liable under CASL?

While registrars are not directly responsible for the actions of their clients, they may nonetheless be held liable under section 9 of CASL if their services are found to have enabled or facilitated contraventions of sections 6 to 8. This includes cases where registrars knowingly or negligently allow the registration and continued use of domains linked to phishing or other CASL-prohibited activities.

Section 9 prohibits any conduct that aids, induces, procures, or causes to be procured the doing of any act contrary to any of sections 6 to 8. Accordingly, registrars are expected to take reasonable steps to prevent the misuse of their services for purposes that contravene CASL. Those who fail to do so may face enforcement actions under CASL, including warning letters or notices of violation with administrative monetary penalties.

How may registrars ensure compliance with CASL?

Registrars may ensure compliance with CASL by exercising due diligence. Such due diligence, along with the adoption of effective safeguards, can minimize registrars’ involvement in CASL violations. This includes the development and implementation of a documented compliance program. General guidance and best practices on developing a compliance program can be found in Compliance and Enforcement Information Bulletins 2014-326 and 2018-415.

Registrars vary in size, resources, and service offerings. As such, each organization’s compliance program will be unique and tailored. However, in all instances, a credible and effective program should include fundamental safeguards to prevent, detect and respond to potential compliance issues with CASL, whether detected internally or via alerts received from third parties.

In accordance with industry best practices in this domain, as set out in the documents and bulletins referenced below, corporate compliance programs may include: client vetting procedures; safeguards to protect client accounts; effective mechanisms for reporting anti-CASL activities; timely and proportionate mitigation actions when anti-CASL activity is detected; reporting of malicious domain registrations to the relevant authorities; and record-keeping procedures to demonstrate that compliance measures are in place and actively implemented.

Registrars are encouraged to exercise due diligence and follow best practices in support of a collective effort to protect Canadians from phishing and other unsolicited commercial electronic messages.

Related documents
