Squarespace sold me a domain then threatened my account for owning it
A photo of my dog, Murphy.
What would you do if you lost access to your email account? What would your next few days or weeks look like? My email is the key to virtually everything I do online: banking, credit card payments, social media, and communication. Those are just the big things, but the long tail is… well, long. If I lost my email, I can only imagine the effort it would take to get everything back in working order, if I could.
My primary email is on my own domain, which until fairly recently was registered through a Squarespace Domains account. Upon registering a new, unrelated domain, Squarespace decided I violated their policy against deception and impersonation, then threatened repeatedly to suspend my entire account. This threat came after they charged me for the domain, yet before I’d even configured DNS.
I cannot afford to lose access to this domain and consequently to my primary email. I am writing this simply as a warning, maybe as a kick in the butt, to those who use Squarespace as their registrar. It’s not worth tying something so fundamental to a registrar that threatens to enforce their policies in such a heavy-handed manner.
Why I used Squarespace in the first place
For years I was a happy customer of Google Domains, and they were my first choice to register numerous domains. I was sad to hear the news of their sale to Squarespace in 2023, but I decided to let my domains roll to Squarespace primarily out of laziness and convenience. Beyond pricing, I figured what’s the difference between one registrar and another? Squarespace’s pricing wasn’t bad and I liked keeping my domains under one roof, so I continued registering domains through them.
Quick note on steamcommunity domains
The specific domain I purchased is relevant, so I’ll describe it briefly. Steam (the game distribution service) surfaces user profiles on URLs like `steamcommunity.com/profiles/12345`. Many non-affiliated services provide insight into a Steam user’s data, game history, match performance, etc. for various games. For example, Leetify (arbitrary example) provides in-depth overviews of a Steam user’s Counter Strike 2 match history and other relevant data.
There are more than a handful of these non-affiliated services that have registered domain hacks to make it easy to jump from a Steam user profile to a page on their own site. Using the same example as above, changing the TLD in `steamcommunity.com/profiles/12345` to `steamcommunity.gg/profiles/12345` provides users with a shortcut to jump to a user’s Leetify profile. The intention is not deception, but rather to give a user a shortcut versus copying and pasting the profile URL.
My experience
I have a small, rarely used website which expands on Steam profile data. I wanted to purchase a “steamcommunity.example” domain to use as a shortcut to my site, so I went to Squarespace where I still kept most of my domains. I purchased the domain, was charged by Squarespace, got a confirmation email, saw the domain in my account, and even received an ad from some design firm that reached out via the whois info. I didn’t set up DNS yet, but I assumed the domain was mine.
Fast-forward a couple weeks and I realized the domain was no longer in my account and I’d been refunded. I reached out to support to inquire.
They replied: “We have determined that you are currently in violation of Section 3 of our Acceptable Use Policy (https://www.squarespace.com/acceptable-use-policy/) regarding activity that's false, fraudulent, inaccurate or deceiving.” In this same email, still the first email after verifying who I was, they included their first threat against my account: “Please note that we reserve the right to suspend your Account at any time and for any reason, and to enforce our Acceptable Use Policy in our sole discretion.”
I tried to clarify my intention, to explain the common practice of domain hacks on steamcommunity.com, and to ask how I’d violated the policy without even setting up the DNS. They’d sold me the domain and I hadn’t used it for anything yet. I asked how I could avoid this in the future without any additional information on how they enforce their policies.
To that, they responded “I recommend reviewing the terms here: https://www.squarespace.com/acceptable-use-policy/ We reserve the right to suspend your Account at any time and for any reason, and to enforce our Acceptable Use Policy in our sole discretion.”
This reads to me as a threat against my account. This left me genuinely worried that I’d lose my primary domain, my primary email, and consequently access to my entire digital life. I moved my domains away from Squarespace that day to a registrar that’s hopefully friendlier, or at least less opaque and heavy-handed with the enforcement of their policies.
What am I trying to say? Why write this post?
My goal is not to say I’m in the right or to argue that a domain hack can’t be used for deception. They obviously can and are used in that way. I don’t even have a problem that Squarespace has a policy against this. The things that bother me the most are:
- Squarespace sold me the domain. If this is their policy, why not just block the sale?
- Squarespace repeatedly threatened my entire account. The account that holds the domain controlling my entire digital life. I found this to be a genuinely frightening experience.
If you’re like me and you let your domains roll into Squarespace without thinking about it, or if you’ve used Squarespace to register domains because you built your website with them, maybe it’s time to consider another registrar. I moved 6 domains out of Squarespace and it only took about 30 minutes. Is 5 minutes per domain worth sticking with a company like Squarespace?
Notes
I don’t appear to be the only one. A single search yielded multiple cases of domains being suspended without explanation or Squarespace-linked Google Workspace accounts being suspended without response or recourse. This just seems to be Squarespace’s way.
For those who want it, I’ve uploaded my email transcript with Squarespace. I’ve removed the back-and-forth verifying myself with my bank info, and I’ve replaced the exact domain I purchased with “[steamcommunity.example]”. I’m fully aware that it’d be easy to determine which domain I purchased with this info, but I've used a placeholder in the hopes I’ll still be able to acquire the domain when it expires this year.