NIXI Updated .IN Domain Rules in 2026
Last updated on April 25, 2026
The National Internet Exchange of India (NIXI), which manages the .IN country code top-level domain (ccTLD), rolled out a series of mandatory policy changes in 2026 that fundamentally reshape how .IN domains are registered, verified, and maintained. These updates apply across all .IN, third‑level .IN, and .BHARAT domain names, touching registrations, renewals, transfers, and contact modifications. The stated goal is to bolster cybersecurity, reduce fraudulent registrations, and create a transparent digital ecosystem in India.
Below is a breakdown of each major change and what it means for registrants.
Mandatory e-KYC Verification
The centerpiece of the 2026 reform is mandatory Electronic Know Your Customer (e-KYC) verification. Every registrant — whether individual or organization — must now complete identity verification through a government‑approved platform. For Indian residents, this is generally done via DigiLocker using Aadhaar, PAN, or Passport. Foreign entities are required to submit verified passport copies and a signed declaration that establishes a legitimate business or personal connection to India.
The e-KYC requirement kicks in for new registrations, renewals, transfers, and even contact modifications. Registrants have a limited window — 15 days in most implementations — to complete verification. Domains that remain unverified beyond this window are suspended until compliance is achieved. Notably, the verification is not a one‑time exercise; it must be repeated at each renewal cycle.
Indian Registrants Only
One of the most far‑reaching changes is the restriction of .IN domains to Indian registrants only. Since January 27, 2026, all new registrations, transfers‑in, and contact modifications must show India as the registrant country. Non‑Indian individuals and organizations that already held .IN domains were required to migrate their registrations or risk suspension.
This shift has generated significant pushback from international domain holders who suddenly found their existing .IN domains seized. However, NIXI has held firm, citing data‑privacy constraints and the need for a nationally anchored domain space.
Ban on Temporary and Encrypted Email Providers
To prevent anonymous, throwaway registrations, NIXI has prohibited the use of disposable and certain encrypted email services for registrant contacts. The restricted list includes well‑known temporary services such as Guerrilla Mail, 10 Minute Mail, Temp Mail, Mailinator, and EmailOnDeck, as well as encrypted providers like ProtonMail, Tutanota, Mailfence, Hushmail, and StartMail.
All registrant email addresses must now be permanent, verifiable, and accessible. Registrars are required to block domain registrations or contact updates that use prohibited email domains.
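A registrar-side pre-check for the rules described so far (prohibited email providers, India as registrant country, the 15-day e-KYC window) could look like the sketch below. It is an added example, not code from NIXI or any registrar: the provider-to-domain mapping is an assumption based on the services named above, not an official list, and the contact field names are hypothetical.

```python
# Added example: registrar-side pre-check (not NIXI's or any registrar's code).
from datetime import timedelta

# ASSUMPTION: domains for the providers named in the article; this is not an
# official NIXI list, and a production list would be maintained from the registry.
PROHIBITED_EMAIL_DOMAINS = {
    "guerrillamail.com", "10minutemail.com", "temp-mail.org", "mailinator.com",
    "emailondeck.com", "protonmail.com", "proton.me", "tutanota.com",
    "mailfence.com", "hushmail.com", "startmail.com",
}
KYC_WINDOW_DAYS = 15  # "15 days in most implementations"


def email_domain(address):
    """Return the normalised domain of an address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not local or "." not in domain:
        return None
    return domain


def is_prohibited(domain):
    """Match a listed provider domain and any subdomain of it."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in PROHIBITED_EMAIL_DOMAINS
               for i in range(len(labels) - 1))


def precheck(contact, today):
    """Return the list of rule violations for a registrant contact record."""
    problems = []
    domain = email_domain(contact.get("email", ""))
    if domain is None:
        problems.append("email: malformed")
    elif is_prohibited(domain):
        problems.append(f"email: prohibited provider ({domain})")
    if contact.get("country", "").upper() != "IN":
        problems.append("country: registrant country must be India")
    deadline = contact["kyc_requested"] + timedelta(days=KYC_WINDOW_DAYS)
    if not contact.get("kyc_verified") and today > deadline:
        problems.append("kyc: window expired, suspend until verified")
    return problems
```

Matching on the suffix rather than the full string catches subdomains of a listed provider without flagging unrelated names that merely end in the same letters.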
VPN Restrictions and Real IP Capture
NIXI now mandates that the registrant’s actual IP address be captured at the moment of domain registration. The use of VPNs, proxy services, or any masked IP is strictly prohibited. Registrars are instructed to display a warning in the registration workflow advising customers to disable VPNs. Domains registered through masked IP addresses face potential suspension or outright deletion by the registry.
The logic is straightforward: authentic IP data helps the registry trace malicious actors and deter automated bulk registrations used for phishing and scam campaigns.
End of WHOIS Privacy Services
In a decisive move toward total transparency, NIXI has banned WHOIS privacy and proxy services for .IN domains. Henceforth, the registrant’s name, city, and state will be openly visible in the public WHOIS database. This ensures that domain owners are accountable and can be contacted for legal or technical matters. For registrants accustomed to shielding their personal details, this is a significant privacy trade‑off.
AI‑Driven Fraud Detection at the Registry Level
Beyond the administrative rule changes, NIXI has deployed an artificial intelligence system designed to identify fraudulent or suspicious domains at the point of registration — not after victims have been harmed. The four‑layer detection engine scans the domain name for typo‑squatting and impersonation patterns, analyzes bulk registration networks, inspects website content for credential‑harvesting interfaces, and monitors behavioral signals such as traffic flows and redirection chains.
According to NIXI, in the first six months of early implementation, this system identified and neutralized over 24,000 fraudulent websites, protected more than two million users, and reduced response times to under one hour from registration. A standout example cited was the detection and blocking of 143 fake State Bank of India websites before any victims were targeted.
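The first of those layers, scanning the name itself for typo-squatting and impersonation patterns, can be illustrated with a small lookalike check. This is an added example and not NIXI's detection engine: the protected-brand list, the character-folding map, and the length and distance thresholds are all assumptions constructed for the demonstration.

```python
# Added example: name-layer lookalike check (illustrative; not NIXI's engine).
# ASSUMPTION: brand list, folding map and thresholds are constructed for the demo.
PROTECTED_BRANDS = ["sbi", "onlinesbi", "statebankofindia"]
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def skeleton(label):
    """Fold common digit/letter swaps and drop hyphens before comparing."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("-", "")


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(domain):
    """Return (verdict, brand) for the leftmost label of a candidate name."""
    label = domain.lower().rstrip(".").split(".")[0]
    if label in PROTECTED_BRANDS:
        return ("exact", label)  # the brand's own name, not a lookalike
    skel = skeleton(label)
    for brand in PROTECTED_BRANDS:
        if skel == brand:
            return ("homoglyph", brand)
        if len(brand) < 6:
            continue  # fuzzy matching on very short brands floods with false positives
        if osa_distance(skel, brand) <= 1:
            return ("typo", brand)
        if brand in skel:
            return ("embeds-brand", brand)
    return ("clean", None)
```

Names flagged this way would still need the other layers (registration patterns, content, behaviour) before any action, since a name-only match cannot distinguish a lookalike from a legitimate coincidence.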
What This Means for Domain Holders
The 2026 NIXI rules represent a substantial tightening of the .IN domain regime, exchanging convenience for security and national accountability. For legitimate Indian businesses and individuals, the new framework reinforces the credibility and trustworthiness of the .IN extension. For international users and those who valued privacy, the changes have made .IN a far less accessible domain space.
Compliance is now an ongoing obligation. Missing the KYC deadline, using a prohibited email, or registering behind a VPN can lead to domain suspension. As NIXI continues to layer AI‑driven monitoring onto these policy changes, the .IN registry is positioning itself as one of the more actively governed ccTLDs globally — a model rooted in the belief that security must begin at the very first step of a domain’s life.
Some data may be wrong. The information is based on general internet research. Weniba does not guarantee its correctness and takes no responsibility for incorrect information.