The domain name registration business is, by design, one of the most friction-free transactions the internet has produced. A few keystrokes, a few hundred rupees, and a name is yours — no verification, no cross-reference against existing trademarks, no pause between the search and the purchase. The system works on volume. And on volume it has always worked rather well, for everyone including those whose interest in acquiring a domain is not, by any stretch, legitimate.

For years, when a fraudster registered dabur-franchise.in or daburdistributor.com and proceeded to solicit money from unsuspecting dealers, the legal position was tolerably clear: pursue the registrant. The registrar — GoDaddy, BigRock, Tucows, whoever processed the paperwork — was an intermediary, and Section 79 of the Information Technology Act gave intermediaries a safe harbour so long as they maintained due diligence. What the registrar did not do, on this analysis, was choose which names got registered. It was a pipe, not a publisher, and the law treated it accordingly.

The Delhi High Court's December 2025 judgment in Dabur India v. GoDaddy does not dismantle that safe harbour. What it does, which is considerably more consequential, is draw a line around the part of the business that the safe harbour never covered: the auto-suggestion engine.

Where the Law Had Stopped Short

When a user types "dabur" into the search bar of a domain registration platform, the platform does not merely report availability. It proposes alternatives — dabur-dealer.com, daburindia-franchise.net — as available, as purchasable, as the obvious next step. Justice Prathiba M. Singh's finding was that this is not passive conduct. A registrar that actively surfaces infringing variants for purchase has, in that moment, crossed from facilitation into participation. The due diligence obligation under Rule 3(1)(b)(iv) of the Intermediary Guidelines requires something more than processing whatever a user requests; it requires not generating the request itself. The safe harbour — conditional as it has always been on that due diligence — falls away where the registrar is the one indexing the fraud.

The record before the court went on to make the nature of the problem visible. Dabur had found that scammers built a string of lookalike websites, collected money posing as its franchise team, and disappeared before anyone could trace the trail. The registrars impleaded — along with ICANN, GoDaddy, MeitY, MHA, and the Reserve Bank of India — were shown to have operated auto-suggestion engines that actively proposed infringing variants at the moment of search. They were not neutral conduits. They were the mechanism by which the scam was seeded.

What the Court Held

Justice Prathiba M. Singh drew the line precisely: a registrar that facilitates registration of infringing domains — particularly one that suggests infringing alternatives through automated tools — cannot claim Section 79 safe harbour. The safe harbour is conditional on due diligence. A registrar that suggests the infringement has breached that duty and becomes liable as an infringer itself, including for damages.

On process, the court issued a "Dynamic+" injunction — extending automatically to future mirror domains of Dabur's marks without requiring a fresh suit for each new variation — a structural fix to what had been a structural problem, because scammers have always moved faster than the filing counter. The 72-hour data disclosure mandate, requiring registrars to produce registrant names, addresses, and payment details within three days of a legitimate complaint, closes the trace window within which the money typically disappears.

Why the Ruling Changes the Terrain

The practical consequences go on to reshape the economics of enforcement against mass cybersquatting in ways that brand owners will find significant and registrars will find uncomfortable. For brand owners, a single successful suit now covers every future variation of the scam. For banks and the RBI, the judgment's directions on coordinated KYC for accounts linked to flagged domains signal that the growing expectation is a joined-up fraud-detection chain — not a series of isolated institutions each doing the minimum.

For registrars, the ruling creates an immediate compliance question. Auto-suggestion tools, which have been a revenue-generating feature of the business, are now also a liability trigger. The mechanism that recommended the infringing domain is, from the date of this judgment, evidence of the infringement — not a neutral product feature that happened to be misused.

The deeper significance of the ruling lies in what it says about the limits of the neutral-conduit argument in an economy where platform algorithms make choices that look passive but are not. Suggestion is not neutrality. The moment a platform recommends a course of action, it has taken one. The law, slowly and then all at once, is beginning to say so.

The Takeaway

If your brand has been impersonated by a lookalike domain used to collect money from customers or dealers, the path to enforcement is now shorter and broader. The registrar's auto-suggestion engine is no longer a defence — it is evidence.

For the registrars themselves, the era of claiming to be neutral conduits ended the day this judgment was delivered.