So I am transferring my domain from one registrar to another. I filled out the forms on the new registrar and wait for the email from the old one. When I get an email from them, it says that only I can authorize the domain transfer. But then it says, "If you did not request this transfer and wish for us to reject it on your behalf, please send a request to <their website>."

Isn't this a little backwards? Shouldn't I have to take action to approve the domain transfer, not take action to reject it? I don't check this email account regularly because of all the spam you get from spammers scraping whois info. I easily can go months without checking it. So really anyone could steal a domain from me if I don't see the email and take action.

Is this normally how it is done? I do have all of my domains locked and I unlocked this domain so I can transfer it. Is that all that is protecting me from getting a domain stolen? I remember doing a domain transfer a couple years ago, and I had to click on a url in the email to approve the transfer.