I use both Gandi and Namecheap for my domains.
I think both providers are nice; however, there are some differences.
Namecheap:
- Usually cheaper (as the name suggests)
- Higher security (in my opinion, I’ll get to that)

Gandi:
- Two free email accounts for your domain (“full/real” accounts to send and receive, including IMAP, POP, SMTP and webmail)
- Better support for European and “foreign” country domains (Namecheap does not support some of the TLDs that Gandi does, e.g. “.be” for Belgium)
- Gandi has their seat in the EU (important to some people)
Both companies seem to offer high security, both offer 2FA with hardware security keys (but they also offer TOTP).
However, Namecheap emails me for *everything* that happens, as a security log. It lets me know when there was a log-in, a change of setting or anything. When I changed the email address on Namecheap recently, I had to first confirm ownership of the old email address, which is good because this solves the problem of someone taking over your account (if they somehow manage to sign in) by changing email addresses.
Gandi Security (Opinion/Questioning)
With Gandi, I don’t get any notifications for account activities. I can simply change my email address. I can send them a letter to disable 2FA.
To disable 2FA, you have to send Gandi a signed letter with your details, and a copy of your ID, to verify your identity.
However, here’s the thing: Gandi doesn’t have my signature on record, Gandi doesn’t know my nationality, Gandi doesn’t know my ID number, Gandi has absolutely nothing on record except for my address. They have nothing to verify against. I feel like anyone could potentially forge an ID, with a photo of anyone on it, and any ID number, and any signature.
If you know me, know my name and address, you could potentially send them a forged letter, couldn’t you? And I don’t know how Gandi could potentially verify whether it’s real or not.
But that doesn’t mean they don’t take security seriously, I do believe that they do, but this is one thing that makes me feel uneasy with them. But I also understand that, if you lose access to your account, you could potentially lose access to your domains. No one wants that. So, it makes sense to have a recovery option. But at the same time, I feel like 2FA should maybe not have this sort of recovery option because you can never be sure if it’s the real person? Unless, of course, they have your ID and all on record. But I wouldn’t be happy if they’d start demanding a copy of my ID, and other info, either. In fact, I’d move right away from them. Because I don’t feel like a domain registrar should have this sort of information (potential for breaches and leakage). To be clear, they don’t ask for this info, I was merely speaking about the security considerations, and using hypotheticals.
So, I don’t know what to think of this. I guess it makes sense to have this recovery option but also not?
I guess I can rest at ease, knowing that I have such a ridiculously long password for Gandi (it’s randomly generated), that no one could brute-force it, even with 2FA disabled?
Let me know your thoughts.
Namecheap is in the USA, while Gandi is in Europe, more specifically France, and more relevantly, the EU. Companies in the EU have to abide by the GDPR to give strong privacy, while companies in the USA do not. I mean, technically they have to abide by the GDPR for EU customers, but it’s questionable whether this can be enforced if the company has no seat in the EU whatsoever. I’m no legal expert, it’s just a thought I had.
However, this does not mean that Namecheap can’t be trusted or that they have bad privacy practices. It’s just that some people would prefer not to deal with a US company due to privacy concerns, so I wanted to bring that up.
I do not receive newsletters or spam with either of them. My inbox remains clean, except for Namecheap security notifications, but these are expected and desired.
So, you can give your email address to both of them without having to worry. If you ever receive a newsletter, you can simply unsubscribe.
Other than the above security concern, I’m happy with Gandi. I do feel they’re a bit overpriced, but that’s perhaps to cover the costs of the “free” email accounts? And perhaps they just have higher costs as a European company (versus a US company)?
But, they’re still reasonably priced compared to others I’ve seen. So, I won’t complain. I just wanted to let you know this aspect.
I think Namecheap is a solid choice, especially for “American” domains, as they offer them for a much better price. However, you miss out on the included email accounts, and need to host this elsewhere, usually at extra cost. Some people would prefer not to deal with a US company, in which case Gandi might be the better choice.
Both are solid choices. It depends on whether you care for the company to be in the USA or EU. Compare prices, check if the email hosting at Gandi and the EU seat are worth the extra price, or if you simply prefer to go with the cheaper solution at Namecheap, even if it means a US company and no email hosting.
I’m with both, and I’m happy with both.
Gandi has one strong advantage over the other providers: you do not need to be logged in to renew a domain. In fact, you don’t even need to own it if you want to renew a domain registered with them.
For a personal domain this matters little, but for non-profit associations and open source projects, this means you can have anyone renew the domain without paying extra or sharing login details.