Sometimes, you wake up to news that is so disruptive that you are certain it will turn an industry upside down. That happened last night, as Cloudflare announced its entry into the domain registrar space, and revealed the next step of its market penetration strategy.
Make no mistake, this is huge news.
And, moreover, Cloudflare’s execution (whether intentionally or not) is both a ruthless and genius market penetration strategy. It demonstrates a thorough understanding of its customers and the jobs they are trying to get done.
A Bit Of Cloudflare History
First, let’s pedal back a few years for a bit of history.
Cloudflare was founded 8 years ago and, since inception, it has been on a mission to make a better internet. It wants to provide website owners and web users with a more secure, and more reliable internet experience.
It’s a big, bold mission - one that its customers buy into in a big way. It’s also well-aligned to very real pains that customers face on a daily basis.
Back in 2011, Cloudflare began partnering with the industry’s larger domain registrars. It announced a partnership with Media Temple at the time. Dreamhost followed in 2012, 1&1 Internet in 2014, and more (including my former employers, UK2 Group) followed in 2015.
Planting A Trojan Horse
Its value proposition at the time was simple, but powerful. It was also focused on a very clear job-to-be-done: to improve website security and performance. Cloudflare offered to do this for free.
Nobody else was doing this at the time, so what is there to lose?
There was nothing to lose from the customers’ perspective. I’ve been using Cloudflare’s services for three or four years now. They have served me well, and have rarely let me down - if ever.
Yes, the company has paid plans for its users, but it isn’t on a continuous push to upgrade. I don’t remember a single ‘upsell’ in that period. The upsell was there if I needed it, but it was my choice - not via force with a battering to submission.
Furthermore, its free plan gives it the economies of scale it needs to get better pricing for hardware, connectivity and data center space required to power its services.
Since 2015, the company has grown significantly. It says it is now trusted by more than 10 million domains. No doubt a large portion of these domains have been added through its partnership strategy. It syphoned off a large number of webmasters from its partners in the name of security and performance.
The First Step To Market Penetration
Cloudflare’s first step in its market penetration strategy was into the world of SSL. It believed that every website owner should be able to secure traffic to its website. The problem was, the first version of Cloudflare’s SSL product wasn’t quite what everyone hoped for.
Cloudflare’s ‘Full’ SSL mode didn’t validate the certificate on the origin server (i.e. your web server). The connection between Cloudflare and your server was encrypted, but Cloudflare had no proof of who was on the other end of it. This meant it was possible for hackers to insert malicious code (or their own servers) between Cloudflare’s edge cache servers and your server.
At a time when the Edward Snowden leaks were top of mind for many internet users, this was a concern. It meant that the US Government and its partners could spy on your web activity. While that activity was encrypted, it could still see the metadata. And it’s the metadata that it has been hoovering up for years, because that tells it enough (i.e. who you’re speaking to or, in this case, which websites you’re visiting, and when).
Cloudflare later introduced ‘Full (strict)’ mode, which does validate the origin server’s SSL certificate. This ensures website visitors’ connections are encrypted from end to end.
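To make the difference between the two modes concrete, here is an added example (not from the original post and not Cloudflare’s code) that compares an unvalidated and a validating acceptance policy using the openssl CLI. The hostname, file names and function names are constructed, and trusting only the operator’s own certificate is a simplifying assumption, not a description of which authorities Cloudflare’s edge trusts.

```shell
#!/usr/bin/env bash
# Added example (constructed): why an unvalidated origin certificate adds
# encryption but not authentication. Requires the openssl CLI.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Mint a self-signed certificate for a constructed origin hostname.
# Nothing here proves ownership of the name: anyone can run this step.
make_self_signed() {  # $1 = output basename
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=origin.example.test" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Unvalidated policy: the certificate only has to parse.
accept_unvalidated() {  # $1 = presented certificate
  openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# Validating policy: the certificate must chain to a trust anchor we chose.
accept_validated() {  # $1 = trust anchor, $2 = presented certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Turn a policy's exit status into a word for reporting.
verdict() { if "$@"; then echo accept; else echo reject; fi; }

make_self_signed genuine    # the site operator's own origin certificate
make_self_signed impostor   # same name, different key, made by someone else

for cert in genuine impostor; do
  printf '%-8s  unvalidated=%s  validated=%s\n' "$cert" \
    "$(verdict accept_unvalidated "$WORK/$cert.crt")" \
    "$(verdict accept_validated "$WORK/genuine.crt" "$WORK/$cert.crt")"
done
```

Both certificates pass the unvalidated policy, while only the operator’s certificate passes the validating one, which is the gap that ‘Full (strict)’ closes.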
Traditional domain name registrars charge for SSL certificates. They used to be a high-priced commodity with a lot of mark-up. In recent times, prices have come down - a basic SSL certificate (which is all that most website owners need) now costs a few pounds a year. Price drops accelerated once Google started to highlight insecure websites in its Chrome browser, and prioritise secure sites in its search results.
On its mission to make a better internet, Cloudflare felt that security and privacy were a right, not a privilege for those who paid.
The Next Job-to-be-Done: Domain Registration
In 2016, Cloudflare launched a secure domain registrar. This was designed for only the most security-conscious companies and was a very expensive service. But that was a price that many large organisations were willing to pay. Especially given that they could set up completely customised security rules that could be as complex as required.
But, frankly, Cloudflare’s millions of customers didn’t need this level of security. So Cloudflare set upon a journey of asking what would the perfect domain registrar look like? After all, Cloudflare knows that all its customers need to register their domains.
It also knows, from the DNS records it hosts on behalf of its customers, that many want to protect their privacy through contact masking. It was also able to determine from its own user data that most of its customers wanted to enable two-factor authentication.
Both of these features, if offered by registrars, are at extra cost. The cost of implementing these two services is nominal in the grand scheme of things. Particularly at the scale of most large domain registrars, where the costs of developing these add-ons could be spread across their hundreds of thousands, nay millions, of customers.
What’s more, Cloudflare aptly asked itself: “does anyone actually love their domain registrar?”
I’m sure, most of us would say no. Most of my domains are registered with GoDaddy, and love is a strong word. One that I’d never use to describe it.
The Economies Of Domain Name Registration
So, Cloudflare Registrar was born.
The service is simple, and it aligns perfectly to Cloudflare’s mission to make the internet a better place.
It allows customers to register domain names at wholesale cost. No mark-ups year on year. There are no introductory offers, but Cloudflare won’t profit from your domain registration. After all, the overhead on its side is nominal - a few API calls - and it doesn’t believe it should mark this up for customers.
Veritas, the company that administers .com registrations, charges a wholesale price of $7.85 per year per domain. ICANN also charges registrars a nominal $0.18 fee on top of that. This is the annual price that Cloudflare will charge you to register or administer a .com domain.
One of the ways that registrars like GoDaddy and Namecheap acquire customers is with extremely low first year prices. But, in return for the low price, they force you to register for two years. It’s to offset the cost of acquiring you as a customer.
Customer Acquisition Costings
Depending on advertising spend, their business model works on a ‘payback period’. For domains, this is measured in years. So, if you buy a £0.99 .com domain, with a second-year cost of £13.10, they won’t make much (if any) profit in those first two years when you factor in the wholesale cost.
When you renew at £13.10 a year, that’s when they start making money because the wholesale price doesn’t change. Of course, that’s assuming the cost of acquiring you was zero.
But, it’s important to note that the domain name registration space is very competitive. So it’s extremely likely that they paid to win your business.
Assuming they acquire you via Google Adwords, cost per click on a search term like ‘domain registration’ is $12 per click in the US and $15 per click in the UK. There are long-tail keywords they could target, but the scale is on the shark-head terms like this, or terms like ‘buy domains’ ($14 per click on both sides of the pond).
Now, not everyone who clicks on those ads will convert, so let’s assume one in four converts. That’s a fairly good conversion rate for a well-optimised landing page, but it means they’re paying north of $50 to win your business. Even if one in two visitors convert, they’re paying at least $30 for that £14.09 initial sale.
So that £14.09 sale for a two-year domain registration is cost-neutral without factoring in the acquisition cost. Each year after year two, the margin on wholesale is approximately 50%. Thus, it’ll take another three or four years after that initial sale to ‘pay back’ the cost of acquiring you as a customer.
Sell Sell Sell
All the above assumes you don’t need to speak to customer support at any point. As soon as you do that, payback stretches out from five or six years to six, seven or even eight years.
As I say, it’s a hugely competitive business. And it’s one reason for the continuous upsells. As soon as you subscribe to a basic web hosting package, the payback period drops by as much as 50%.
A well-specced dedicated server, which most hosts would sell on its own for £150 or more a month, can host hundreds, often thousands, of basic web hosting customers. These servers operate at approximately 60% margin after a 6-to-12 month payback period. This assumes you’re getting a brand new server (which, in most cases, you won’t) and use relatively little bandwidth.
Bandwidth is bought wholesale and priced on 90th or 95th percentile usage, in Gigabits or Terabits per second. There is no monthly limit. So frequent spikes in bandwidth are what impacts margin, not whether individual servers go over their limit.
This is why domain registrars sell basic web hosting packages so hard. It is literally a licence to print money. The rules put in place mean that no site is allowed to use much bandwidth. They don’t take up much disk space. And they can’t take up much CPU time. If they do, they’re cut off.
Is Cloudflare Registrar A Loss Leader?
So, that begs the question - how can Cloudflare Registrar make money?
Of this, I am not 100% sure. But in interviews with the press, Cloudflare’s CEO has said that it won’t be a loss leader. So one can only assume that the company is confident that many of those who use Cloudflare’s other services will end up paying for them.
Whether it ends up adding limits to its free accounts (in terms of number of domains per account), I don’t know. But it might be one route to generating revenue from its free users. After all, by moving their domain registration across, it will have many of its free users’ credit card details on file. This removes a big barrier to revenue.
Without deep insider knowledge, I suspect gross margin on Cloudflare’s paid services is over 70%. Its ‘Pro’ subscription is $20 a month. Is there room for another plan below this? Yes, assuming Cloudflare limits the number of free domains per account. Then, for a small monthly fee, offer unlimited domains and a couple of deal-sweeteners.
But I don’t expect that to happen overnight. It’ll happen in the next year or two. Cloudflare recently closed a $110 million fundraise from Microsoft, Google, and others, so it’s not short of cash.
Once it has enough in-product data (on things like number of domains per account, average bandwidth usage, attempted feature activations and such), it will be able to make calculated commercial decisions. At that point, it can add a new entry-level paid tier that makes sense from both a customer-value and a commercial perspective.
Cloudflare’s disruptive move has undoubtedly caused some very sore heads this morning. Most domain registrars’ go-to-market strategies have gone up in smoke. Their model needs to evolve - and fast.
It’s a ruthlessly smart move from Cloudflare’s perspective.
Those millions of customers Cloudflare syphoned off from its partners have a new starlet in town.
And, to make matters worse, of all the friends and colleagues I’ve spoken to since the announcement, no one has said: “I’m staying where I am, thanks”. If I were a domain registrar, I’d be quaking in my boots right now.