
As the next ICANN New gTLD Program approaches, many brands are taking stock of how they manage and protect their domain name footprint. For organisations that have spent years dealing with phishing, impersonation and domain misuse, this is familiar territory. Domain name abuse itself is not new, but the domain name system continues to expand, and with it the number of places attackers can operate. That makes this a sensible time to revisit whether existing strategies are still doing the job.
In practice, the discussion usually comes down to two broad options:
1. Continuing with a traditional defensive domain strategy, registering or blocking domains across a growing number of extensions to limit third-party misuse.
2. Stepping back to assess whether a Brand gTLD makes sense, placing the brand at the top level of the domain name system and changing how domains are created and controlled.
Both approaches are already used by established organisations. Each carries different trade-offs in terms of governance, cost, ongoing effort and long-term effectiveness. This blog aims to outline those differences and provide a practical, experience-led view to help organisations assess which approach best fits their needs as the domain name landscape continues to evolve.
What Is a Defensive Domain Strategy?
Many brands accumulate hundreds, sometimes thousands, of domain names over time in an effort to protect their brand from online infringement. This defensive approach, while well-intentioned, is largely reactive and becomes increasingly difficult to sustain as the domain name landscape continues to expand.
A defensive domain strategy focuses on registering domain names that are likely to be abused, including common misspellings, brand-plus-keyword combinations, new gTLD variants, and country-code extensions. These domains are typically redirected to a primary site and supported by domain monitoring and takedown services.
This approach remains popular because it is fast to deploy and relatively low cost upfront. However, defensive strategies are inherently reactive. As new gTLDs are introduced and attackers adapt, the attack surface grows, increasing the volume of domains to monitor and enforce.
A typical defensive portfolio includes:
- Core Domain Name: The core domain name (e.g. apple.com) is the primary trust anchor for an organisation and controls critical services.
- Regional ccTLDs: Are registered to protect local brand presence, serve localised content and prevent country-specific impersonation and fraud.
- DPML and Global Block: Are used to proactively prevent third-party registration of brand-related domains across large numbers of new TLDs.
- Cybersecurity Domains: Are defensively registered to prevent abuse of high-trust strings commonly used in phishing and scams.
- TMCH & Rights Protection: Used to secure priority registrations, claims notices, and enforcement rights across new gTLD launches.
- Blockchain Domains: Are registered defensively to mitigate impersonation risks in decentralised naming systems.
- Brand Protection: Domains registered to protect a brand from third-party registrations.
- Typo Domains: Typo domains are registered to reduce the risk of user error being exploited for phishing or scam related purposes.
- Strategic Domains: Are held to protect executive names, internal projects, product codenames, and future initiatives.
What Does a New gTLD (.brand) Domain Name Strategy Look Like?
As defensive domain portfolios grow in size and complexity, many brands are beginning to ask whether there is a more structural way to deliver trust online.
Simplicity. Rather than accumulating large numbers of domains across third-party extensions, a Brand gTLD strategy focuses on clarity, brand consistency, and direct control at the top level of the domain name system.
Secure. These namespaces are typically closed, meaning no third parties can register domains within them. This immediately removes an entire class of phishing and impersonation risk at the DNS layer.
Non-restricted opportunity. Availability is no longer a constraint. Brands can create clear, logical domain structures, whether that is product-based domains such as mac.apple or ipad.apple, regional structures like au.apple, or functional uses such as investor.apple. The result is a simpler, more intuitive domain hierarchy that closely reflects how the organisation actually operates.
Not just a marketing exercise. Importantly, brands that have adopted gTLDs have not treated them as marketing exercises or wholesale replacements. Instead, they have taken a measured, use-case-driven approach. Financial institutions such as BNP Paribas and Barclays secured their brand gTLDs to ensure exclusive control of their names at the top level of the internet, using them selectively for trusted digital touchpoints rather than public registration.
Dual Approach. Other global brands have followed a similar, gradual adoption model. Automotive manufacturers and insurers introduced their gTLDs first in high-trust or high-risk scenarios, such as secure customer communications, authentication flows, or controlled brand experiences. In most cases, legacy domains continue to operate alongside the brand gTLD for many years.
Trust Anchor. Over time, the role of the Brand gTLD becomes that of a trust anchor. It provides a space where customers can be confident they are dealing directly with the brand, not an impersonator. As that confidence grows, reliance on large defensive domain portfolios can be reduced, and enforcement activity becomes more targeted rather than constant.
Governance. What distinguishes successful Brand gTLD strategies is governance. These namespaces are treated as long-term infrastructure, with clear rules around who can create domains, how they may be used, and what security standards apply. This discipline is one of the primary reasons closed brand gTLDs have historically experienced almost no abuse.
Transitioning to the .brand domain name is not a quick or easy thing
Moving to a Brand gTLD is not a switch-over exercise; it is a deliberate, staged transition that touches technology, security, marketing, and customer trust. Brands that approach it as a one-off migration often underestimate the effort. Those that succeed treat it as a long-term infrastructure programme.
Operating a Brand gTLD carries ongoing governance, registry, and compliance obligations that extend well beyond initial deployment. The registry must meet ICANN contractual requirements, including regular reporting, audits, data escrow, abuse handling, and adherence to DNS stability and security standards. In parallel, brands must maintain internal governance frameworks that define permitted use cases, domain lifecycle management, security controls, and accountability for compliance. Registry maintenance, typically delivered through an accredited registry service provider, includes DNS operations, resilience, monitoring, and incident response. These obligations are continuous rather than episodic, requiring sustained oversight and budget allocation to ensure the gTLD remains secure, compliant, and aligned with evolving ICANN policies and threat conditions.
.bnpparibas case study
BNP Paribas adopted its .bnpparibas brand gTLD as part of a long-term trust, security and digital-governance strategy rather than a marketing exercise. As a global financial institution operating in a high-risk threat environment, the bank recognised that traditional defensive domain strategies, registering hundreds or thousands of third-party TLDs, were increasingly expensive, reactive and ineffective against phishing and impersonation. A closed brand gTLD allowed BNP Paribas to take exclusive control of its namespace at the top level of the DNS, eliminating third-party registrations entirely and materially reducing customer-facing fraud risk. It also provided a clear trust signal: any site ending in .bnpparibas is, by definition, operated by the bank.
The transition was executed in a controlled, phased manner. BNP Paribas did not abandon its legacy .com and ccTLD infrastructure overnight. Instead, it selectively deployed the .bnpparibas domain for high-value, trust-sensitive use cases (customer communications, secure services and future-facing digital platforms) while maintaining redirects and coexistence during the migration period. This approach minimised customer disruption, preserved SEO equity and allowed internal teams to adapt systems, certificates, email policies and governance processes over time. Today, the brand gTLD functions as a strategic security layer and a future-proofed foundation for the bank’s digital identity, rather than a wholesale replacement driven by short-term marketing goals.
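The trust signal in the case study ("any site ending in .bnpparibas") only holds when "ending in" is tested against the final DNS label of the parsed hostname, not against the raw link text. The following is an added example, not code from BNP Paribas or brandsec, showing that check as a mail or link filter might apply it; the function names, the HTTPS requirement, the single-label rule and all sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

BRAND_TLD = "bnpparibas"  # closed brand gTLD named in the case study


def host_in_brand_tld(url: str, tld: str = BRAND_TLD) -> bool:
    """Return True only if the URL's hostname has `tld` as its final label."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lower-cased; userinfo and port already removed
    except ValueError:
        return False
    # Assumption: a trusted brand link must use HTTPS.
    if parts.scheme != "https" or not host:
        return False
    if host.endswith("."):
        host = host[:-1]  # accept a single trailing root dot (FQDN form)
    try:
        # Normalise to ASCII/punycode so a look-alike Unicode label
        # can never compare equal to the brand TLD.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False
    labels = host.split(".")
    # Assumption: a bare single-label host ("bnpparibas") is rejected.
    return len(labels) >= 2 and all(labels) and labels[-1] == tld.lower()


# Constructed sample links; none is taken from the page or from real traffic.
SAMPLE_LINKS = [
    "https://secure.bnpparibas/login",           # brand TLD is the last label
    "https://Secure.BNPParibas./login",          # case and trailing dot
    "https://secure.bnpparibas.example.com/",    # brand string as a subdomain
    "https://secure.bnpparibas@example.com/",    # brand string in userinfo
    "https://example.com/secure.bnpparibas",     # brand string in the path
    "https://secure-bnpparibas.example/",        # brand string inside a label
    "https://secure.bnpp\u0430ribas/",           # Cyrillic 'a' look-alike TLD
    "http://secure.bnpparibas/",                 # right TLD, not HTTPS
]


def triage(urls):
    """Map each link to True (inside the brand TLD) or False."""
    return {u: host_in_brand_tld(u) for u in urls}


if __name__ == "__main__":
    for url, trusted in triage(SAMPLE_LINKS).items():
        print(f"{'TRUST' if trusted else 'REJECT':6} {url!r}")
```

Only the first two sample links pass; every other one places the brand string somewhere other than the final hostname label, or fails the HTTPS assumption.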
What strategy is the best approach for enterprise brands?
Defensive domain strategies have played an important role in protecting brands over the past two decades. They will remain necessary in an expanding domain name ecosystem, particularly as new gTLDs and emerging abuse vectors such as blockchain domains continue to appear. However, they are, by nature, reactive and increasingly complex to manage at scale.
Brand gTLDs represent a fundamentally different approach. Rather than attempting to defend a brand across hundreds or thousands of third-party namespaces, they allow organisations to establish a trusted, brand-controlled environment at the top level of the internet. When deployed thoughtfully, alongside existing domains, a Brand gTLD can simplify domain portfolios, reduce enforcement burden, and embed trust directly into the domain name itself.
This is not a decision every brand needs to make immediately, nor is it a one-size-fits-all solution. But as the next ICANN New gTLD Program approaches, it is a decision that warrants deliberate consideration, particularly for brands with high visibility, persistent impersonation risk, and a long-term view of digital trust.
For many organisations, the most pragmatic path forward is not an abrupt shift, but a phased strategy: continuing defensive domain management today while assessing whether a Brand gTLD should form part of their future domain and trust architecture.
As part of this process, brands should begin assessing their readiness, cost profile, governance capability, and strategic objectives to determine whether a Brand gTLD is an appropriate next step.
About brandsec
brandsec is a team of highly experienced domain name management and online brand protection experts. We provide corporate domain name management and brand enforcement services, helping brands eliminate phishing platforms across the internet. Supporting some of the largest brands in the region, we offer innovative solutions to combat threats across multiple industries.
Edward Seaford
Product & Enforcement Director
Ed brings over two decades of experience in domain management, brand protection, and phishing defence. At Brandsec and Unphish, he drives the technology and partnerships while leading with a people-first approach.


