Koen Rouwhorst

45 posts

@koenrh

Security at @framer. I build and break things on the internet.

Amsterdam, The Netherlands · Joined February 2009
74 Following · 2.8K Followers
Koen Rouwhorst @koenrh
For your business-critical domains, move to a well-established registrar that supports registry locks (CSC, MarkMonitor, Cloudflare). Configure multi-party authorization for unlocking, so no single individual can approve changes. Use role-based contacts, not personal emails. Enforce phishing-resistant MFA. And set auto-renewal with a multi-year buffer. These controls have been around for many years. They are just underused.
0
0
6
113
Koen Rouwhorst @koenrh
You can easily check this for your own domains. Do a whois lookup and check the domain status fields. Statuses starting with "client" (e.g. clientTransferProhibited) are set by the registrar and can be removed by the registrar. Statuses starting with "server" (serverDeleteProhibited, serverTransferProhibited, serverUpdateProhibited) are set by the registry and can only be removed through the out-of-band process described above.
[attached image]
1
0
4
95
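The check described in this post, as an added example that is not part of the thread: a small Python script that pulls the "Domain Status:" lines out of whois output, splits them into registrar-set (client*) and registry-set (server*) codes, and reports whether the three server-side prohibitions that make up a registry lock are all present. It assumes the common gTLD whois line format (`Domain Status: <code> <epp-url>`) and also accepts the RDAP spelling of the same codes ("server transfer prohibited"); the whois excerpts below are constructed, not real lookups.

```python
"""Classify EPP domain status codes from a whois lookup.

Added example, not code from the original thread. Statuses starting with
"client" are set (and removable) by the registrar; statuses starting with
"server" are set by the registry and can only be cleared through the
registry's out-of-band unlock process. The whois samples are constructed.
"""
import re
from dataclasses import dataclass, field

# The three registry-side prohibitions that together constitute a registry lock.
REGISTRY_LOCK_STATUSES = frozenset({
    "serverDeleteProhibited",
    "serverTransferProhibited",
    "serverUpdateProhibited",
})

# Matches lines such as
# "Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited"
_STATUS_RE = re.compile(r"^\s*Domain Status:\s*([A-Za-z]+)", re.IGNORECASE | re.MULTILINE)


@dataclass
class StatusReport:
    registrar_set: set = field(default_factory=set)   # client* codes
    registry_set: set = field(default_factory=set)    # server* codes
    other: set = field(default_factory=set)           # e.g. "ok", "pendingDelete"

    @property
    def registry_locked(self) -> bool:
        """True only when all three server* prohibitions are present."""
        return REGISTRY_LOCK_STATUSES <= self.registry_set

    @property
    def missing_for_registry_lock(self) -> set:
        """Which server* codes would still need to be set."""
        return REGISTRY_LOCK_STATUSES - self.registry_set


def normalize_status(raw: str) -> str:
    """Accept EPP camelCase ('clientHold') or the RDAP lowercase-with-spaces
    form ('client hold') and return the EPP spelling."""
    parts = raw.strip().split()
    if len(parts) == 1:
        return parts[0]
    head, *rest = parts
    return head.lower() + "".join(word.capitalize() for word in rest)


def parse_whois_statuses(whois_text: str) -> list:
    """Extract the status codes from the 'Domain Status:' lines of whois output."""
    return [normalize_status(code) for code in _STATUS_RE.findall(whois_text)]


def classify(statuses) -> StatusReport:
    """Bucket status codes by who controls them (registrar vs registry)."""
    report = StatusReport()
    for status in statuses:
        code = normalize_status(status)
        if code.startswith("client"):
            report.registrar_set.add(code)
        elif code.startswith("server"):
            report.registry_set.add(code)
        else:
            report.other.add(code)
    return report


def check_whois(whois_text: str) -> StatusReport:
    """Parse raw whois text and classify its status codes."""
    return classify(parse_whois_statuses(whois_text))


# Constructed whois excerpts (not real lookups).
WHOIS_LOCKED = """\
Domain Name: EXAMPLE-LOCKED.COM
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""

WHOIS_REGISTRAR_ONLY = """\
Domain Name: EXAMPLE-UNLOCKED.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
"""


if __name__ == "__main__":
    for label, text in (("locked", WHOIS_LOCKED), ("registrar-only", WHOIS_REGISTRAR_ONLY)):
        report = check_whois(text)
        print(f"{label}: registry lock = {report.registry_locked}, "
              f"missing = {sorted(report.missing_for_registry_lock)}")
```

Feed it the output of `whois yourdomain.example` (or the `status` array of an RDAP response) and treat anything that is not fully registry-locked on a business-critical domain as a finding to raise with the registrar.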
Koen Rouwhorst @koenrh
Domain registrars may be one of the most overlooked single points of failure in our stack. We spend serious time and resources securing our cloud infrastructure and workloads, but our domain registrars rarely get the same level of scrutiny. Even though our domains underpin everything we operate. 🧵
1
4
12
319
Koen Rouwhorst @koenrh
All @framer emails now show a verified logo and blue checkmark in supporting inboxes like Gmail. Here is what is behind that little checkmark. 🧵
[attached image]
7
2
74
4.4K
Koen Rouwhorst @koenrh
All @framer emails now show the verified logo across Gmail, Apple Mail, Fastmail, and Yahoo. This is first and foremost a nice trust signal for our users. When an email claims to come from Framer, the verified logo lets them know at a glance that it actually does.
1
0
4
427
Koen Rouwhorst @koenrh
The standard method for organization validation is a phone call to a publicly listed phone number. Framer is a remote-first company. We are incorporated in the Netherlands and have an office there, but no fixed phone line. So we asked legal to draft a legal opinion letter to establish a non-listed number for verification. That got rejected because our counsel was not registered with the local bar association in the required jurisdiction. 🙃 The certificate authority eventually fell back to sending a physical postal letter with a verification code to our physical address listed on Dun & Bradstreet. Yes, we used snail mail to verify our identity for email!
1
0
3
411
Koen Rouwhorst @koenrh
This setup is not about being unreachable. It is about being available for the right people and the right work, at the right time, with a brain that is fully present. Quiet by default, across every channel. Distractions stay out. Exceptions have to earn their way in. What is left is focus time, and the space to build and ship.
0
0
4
106
Koen Rouwhorst @koenrh
Phone: Same pattern as calendar and email. Default off, exceptions earn their way in. Focus mode is always on. Only contacts marked as favorite get through: family, friends, close colleagues, leadership. App notifications are mostly off. PagerDuty is the only exception, for real (security) incidents. Everyone else can wait.
1
0
3
124
Koen Rouwhorst @koenrh
We are a company of makers and doers. A small team building and running a serious product, with real traction and big ambitions. We have high standards, little hierarchy, and lots of autonomy. Every engineer is expected to make an impact, and none of that works without protected focus time. That means ruthlessly cutting distractions. Here is how I do that as a security engineer at @framer, across email, calendar, Slack, and phone.
2
0
14
819