Domain Expiry Monitoring for Agencies: Never Let a Client Domain Lapse

A lapsed domain registration is one of the few brand incidents that is simultaneously preventable, catastrophic, and impossible to undo quickly. SSL certificates expire and the fix is measured in minutes. DNS misconfigurations degrade and can be corrected within the TTL window. But a lapsed domain can transfer to a new registrant before the agency detects the problem — and recovering a domain from a third party, if it is recoverable at all, takes days to months.

Despite the severity, domain expiry monitoring is the least commonly implemented monitoring control in agency infrastructure stacks.

What Happens When a Client Domain Lapses

Domain registration works on a renewal cycle. A domain name is registered for one to ten years, after which it must be renewed. If it is not renewed during the renewal window, the domain enters a grace period — typically 30 days — during which the original registrant can still recover it, usually at a premium. After the grace period, the domain becomes available for general registration.

From the moment a domain becomes publicly available:

Any party can register it. Competitors, squatters, and individuals who exploit lapsed domains for phishing or ad fraud watch domain expiry lists and can register within seconds.
All traffic to the old domain goes to wherever the new registrant points it. Visitors expecting the client's site see content controlled by the new registrant.
Email to all addresses at the domain is either lost or, if the new registrant configures mail servers, delivered to the new registrant. This includes password reset emails, customer communications, and any internal traffic still routed to the old domain.
Any SSL certificates for the domain become worthless — the certificate is tied to domain ownership, and ownership has changed.
Any brand asset attestations referencing the domain are now referencing infrastructure controlled by a third party.

The reputational and legal consequences extend beyond the immediate period. If the domain is used for phishing campaigns or fraud, clients can face liability from customers who were harmed while the client brand was impersonating a trusted entity — even though the client no longer controls the domain.

Why Agencies Are Responsible

Domains sit at an ambiguous point in the agency-client relationship. Agencies often manage DNS records, SSL certificates, and hosting on behalf of clients — but domain registration is frequently maintained by the client directly, or transferred to the agency's registrar account at setup and then forgotten.

The confusion creates accountability gaps:

The client assumes the agency is handling it. When the client transferred domain management to the agency, they assumed that included renewals. It may not have.

The agency assumes the client is handling it. The agency manages DNS but didn't explicitly take on renewal responsibility. Renewal notices go to a client email address that may no longer be monitored.

Auto-renewal fails silently. Auto-renewal is the standard mitigation, but credit cards expire, payment methods change, and registrar auto-renewal systems fail. An auto-renewal that appeared to be in place can silently fail when the payment method is declined.

The practical solution is not to resolve the accountability question definitively — it is to monitor the expiry dates and know far enough in advance that the question can be raised and resolved before the deadline.

Domain Expiry Monitoring vs. SSL Certificate Monitoring

Agencies that have implemented SSL certificate monitoring are already tracking one expiry type. Domain expiry monitoring operates differently and requires a separate process.

What differs:

SSL certificates are managed by the certificate authority and are renewed by provisioning a new certificate, typically through an automated ACME process or a hosting provider's certificate management system. Monitoring requires checking the certificate's notAfter field.

Domain registration expiry requires querying WHOIS records or registrar APIs to determine the registration expiry date. The expiry date is not visible in the same way a certificate expiry is — it requires an explicit WHOIS lookup against the authoritative registry for the domain's TLD.

Lead times differ:

SSL certificates should trigger alerts 30 days before expiry because the renewal process is fast and can be completed in minutes. Domain registration should trigger alerts 60–90 days before expiry — long enough to identify who is responsible for renewal, confirm payment methods are current, and complete the renewal with ample time remaining even if the first attempt fails.

The failure modes differ:

An expired SSL certificate makes the site inaccessible to users. It is bad, but the domain remains yours. An expired domain registration does not just make the site inaccessible — it removes the agency's and client's control of the underlying asset entirely.

Portfolio Domain Expiry Management

For an agency managing 20–50 clients, each with multiple domains, manual WHOIS tracking is not sustainable. The monitoring requirements:

Complete domain inventory per client: Most clients have more domains than they actively use. The primary domain, the www subdomain equivalents, regional variants, typo-squatting defensive registrations, campaign-specific domains. All of these need renewal tracking — a lapsed typo-squat defensive registration is an invitation for actual typo-squatting.

Centralised expiry calendar: Domain expiry dates visible in a single interface, sorted by expiry date, with per-client grouping. The "next 90 days" view should show the agency at a glance which domains require attention and which client they belong to.

Tiered alert thresholds: 90 days out: flag for review, confirm renewal responsibility. 60 days out: confirm renewal is scheduled. 30 days out: escalate if renewal not confirmed. 14 days out: immediate escalation regardless of claimed renewal status. This tiering prevents both false urgency and genuine misses.

Accountability documentation: For each domain, record who is responsible for renewal, the registrar account it lives in, and when renewal was last confirmed. This documentation makes the accountability question answerable quickly when an expiry alert fires.

Integrating Domain Expiry Into the Monitoring Stack

Domain expiry monitoring belongs alongside SSL and DNS monitoring as the third element of a complete domain health stack:

SSL monitoring: is the certificate valid today?
DNS monitoring: are the records pointing where they should?
Domain monitoring: does the client own the domain, and for how long?

All three feed the same underlying risk — that a client's branded digital presence is disrupted or hijacked — but each operates independently and requires independent monitoring.

Agencies that have SSL and DNS monitoring in place can add domain expiry monitoring with minimal additional workflow overhead. The same per-client asset grouping, the same alert routing structure, and the same client-facing reporting covers all three signal types.

Merlonix monitors SSL certificate expiry, DNS record integrity, domain registration status, and vendor health across your entire client portfolio — with alerts routed by severity and client-facing reports included. Start your free trial →