Welcome to WebmasterWorld Guest from 18.104.22.168
Isn't this a little backwards? Shouldn't I have to take action to approve the domain transfer, not take action to reject it? I don't check this email account regularly because of all the spam you get from spammers scraping whois info. I easily can go months without checking it. So really anyone could steal a domain from me if I don't see the email and take action.
Is this normally how it is done? I do have all of my domains locked and I unlocked this domain so I can transfer it. Is that all that is protecting me from getting a domain stolen? I remember doing a domain transfer a couple years ago, and I had to click on a url in the email to approve the transfer.
If you want to protect your domains, just place your names on lock. Then you will need to remove the lock before trying to transfer. This is much better then jumping through hoops trying to transfer.