How to Monitor Shopify Custom Domains for Agencies: SSL, DNS, and Checkout Subdomains

Shopify's managed hosting handles SSL provisioning automatically for custom domains — in theory, the agency configures the DNS records and Shopify takes care of the rest. In practice, custom domain SSL on Shopify breaks in specific ways that are entirely preventable with the right monitoring in place.

This guide covers the failure modes that matter for Shopify agencies, what to monitor on each client store, and how to set up monitoring that catches problems before a client calls.


How Shopify Custom Domain SSL Works

When an agency connects a custom domain to a Shopify store, the process requires two DNS records:

  1. A CNAME or ALIAS record pointing the root domain (or www subdomain) at shops.myshopify.com
  2. A verification TXT record for Shopify to confirm domain ownership

After the DNS records are in place and propagated, Shopify provisions an SSL certificate for the custom domain via its CDN partner. This provisioning process typically takes a few minutes to a few hours, depending on DNS propagation times. Shopify renews the SSL certificate automatically before expiry as long as the DNS records remain correctly configured.

The operational dependency that creates monitoring risk: Shopify's SSL provisioning and renewal depend on the domain's DNS records continuing to point at Shopify's infrastructure. If the records change — due to a client registrar transfer, a nameserver migration, or a DNS provider change — Shopify cannot renew the SSL certificate. The certificate continues serving traffic until it expires.


Failure Mode 1: Domain Registrar Transfers Break SSL Renewal

Client domain registrar transfers are one of the most common triggers for Shopify SSL renewal failures. When a client moves their domain from GoDaddy to Cloudflare, from Namecheap to Google Domains, or between any two registrars, the transfer process sometimes loses or resets DNS records.

In the best case, the registrar transfer preserves all DNS records and Shopify SSL renewal continues without interruption. In practice, some registrars reset DNS zones to their default template on transfer, removing the Shopify CNAME and the verification TXT record.

What to monitor: After any client registrar transfer, verify that the Shopify CNAME record is still present and pointing at shops.myshopify.com. The TXT verification record may or may not still be required after initial provisioning, but its presence is a useful integrity check. DNS record monitoring with CNAME target validation catches the drift immediately after the transfer rather than 90 days later when the certificate expires.


Failure Mode 2: Checkout Subdomain SSL Is Independent From the Store Domain

Shopify's checkout is served from a checkout subdomain. Depending on the store configuration and Shopify plan, the checkout may be on checkout.clientdomain.com or on Shopify's shared checkout subdomain. For stores with custom checkout domain configuration, the checkout subdomain requires its own CNAME record pointing at Shopify's checkout infrastructure, separate from the store domain CNAME.

The two certificates — store domain SSL and checkout subdomain SSL — are provisioned and renewed independently. An agency monitoring only the primary store domain will see a valid certificate while the checkout subdomain SSL has expired or was never provisioned correctly. Customers attempting to complete purchases receive an SSL error on the checkout page while the rest of the store appears functional.

For ecommerce clients where checkout SSL directly blocks revenue, this failure mode has immediate cost consequences. A 30-day checkout SSL expiry warning is worth more than a 24-hour uptime check alert after the certificate is already expired.

What to monitor: Add the checkout subdomain explicitly as a monitored asset alongside the primary store domain. If the client uses a custom checkout domain, verify the CNAME target integrity separately from the store domain CNAME.


Failure Mode 3: Third-Party App Subdomains Carry Independent SSL

Shopify stores commonly integrate third-party apps that add subdomains to the client domain: help desk platforms (Gorgias, Richpanel), affiliate and loyalty programs, subscription billing apps, and headless frontend deployments. Each integration adds a subdomain CNAME pointing at the third-party platform's infrastructure — and each subdomain has SSL provisioned by that platform, independent from Shopify.

When a client switches from one help desk platform to another, the old subdomain CNAME record may remain in DNS while the new platform's CNAME is added. Two CNAMEs pointing at different platforms create a DNS conflict that surfaces as intermittent connection failures for customers who reach the deprecated integration.

What to monitor: Inventory all subdomains on each Shopify client domain, not just the store and checkout subdomains. For each subdomain, verify the CNAME target is the expected platform and that the SSL certificate is valid. Third-party app SSL certificates are managed by the app vendor — expiry schedules are outside the agency's direct control, which makes monitoring more important, not less.


Failure Mode 4: Nameserver Changes to Cloudflare Conflict With Shopify DNS Requirements

Shopify's DNS configuration requires specific CNAME and A records on the client domain. When clients move their domain to Cloudflare and enable Cloudflare's proxy mode (orange-cloud), the CNAME record is flattened to an A record and routed through Cloudflare's reverse proxy. Shopify's SSL provisioning may not work correctly with Cloudflare proxy enabled on the domain, because the SSL certificate provisioning request from Shopify's CDN hits Cloudflare's proxy instead of resolving to the Shopify infrastructure.

The recommended configuration for Shopify custom domains with Cloudflare is to set the relevant DNS records to DNS-only (grey-cloud), bypassing Cloudflare's proxy. When clients or their IT contacts enable proxy mode on the Shopify domain records, SSL provisioning breaks — often without any visible error in Cloudflare or Shopify's dashboards.

What to monitor: For clients using Cloudflare DNS with Shopify, monitor the CNAME record target to confirm it continues pointing at Shopify's infrastructure. If the target shifts to a Cloudflare-proxied IP address rather than the expected Shopify hostname, flag it immediately before it causes an SSL provisioning failure.


What a Complete Shopify Client Monitoring Setup Looks Like

For each Shopify client domain, the monitoring setup should cover:

  1. Primary store domain SSL — certificate chain validation and 30-day expiry warning
  2. Store domain CNAME target — pointing at shops.myshopify.com
  3. Checkout subdomain SSL — if using a custom checkout domain, separate SSL and CNAME monitoring
  4. Third-party app subdomains — SSL validity and CNAME target integrity for each integration
  5. Domain expiry — Shopify cannot renew SSL on a lapsed domain; registration expiry must be tracked

A typical Shopify agency client requires monitoring five to ten DNS records and SSL certificates, not just one. Agencies that monitor only the primary store domain catch fewer than half of the failure modes that actually affect Shopify clients.
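The checklist above can be expressed as an evaluation step over a per-client inventory. The following is an added example, not code from Merlonix or Shopify: it takes already-collected observations (the CNAME answer and the certificate notAfter string for each hostname) and reports CNAME drift and certificates inside the 30-day window. The client domain, the checkout target and the help desk targets are constructed placeholders; only shops.myshopify.com comes from this guide.

```python
import ssl
from datetime import datetime, timezone

def norm(name):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return name.rstrip(".").lower() if name else None

def check_asset(expected_cname, observed, now, warn_days=30):
    """Findings for one hostname. `observed` holds the CNAME answer (None if
    the resolver returned no CNAME, e.g. a reset zone or a proxied record) and
    the certificate notAfter string as ssl.SSLSocket.getpeercert() formats it."""
    findings = []
    got = norm(observed.get("cname"))
    if got is None:
        findings.append("CNAME_MISSING")
    elif got != norm(expected_cname):
        findings.append("CNAME_DRIFT:" + got)
    not_after = observed.get("not_after")
    if not_after is None:
        findings.append("CERT_UNAVAILABLE")  # handshake failed or never provisioned
    else:
        expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
        days_left = (expires - now).days
        if days_left < 0:
            findings.append("CERT_EXPIRED")
        elif days_left <= warn_days:
            findings.append(f"CERT_EXPIRES_IN:{days_left}d")
    return findings

def check_inventory(inventory, observations, now, warn_days=30):
    """Map host -> findings for every host with at least one finding.
    A host with no observation at all is reported, never silently skipped."""
    report = {}
    for host, expected_cname in inventory.items():
        found = check_asset(expected_cname, observations.get(host, {}), now, warn_days)
        if found:
            report[host] = found
    return report

# Constructed sample data: hypothetical client domain and vendor targets.
STORE, CHECKOUT, HELP = ("www.client-store.example",
                         "checkout.client-store.example", "help.client-store.example")
INVENTORY = {STORE: "shops.myshopify.com",        # target named in this guide
             CHECKOUT: "checkout-target.example",  # placeholder target
             HELP: "new-helpdesk.example"}         # placeholder vendor
OBSERVED = {
    STORE: {"cname": "Shops.MyShopify.com.", "not_after": "Aug 30 12:00:00 2025 GMT"},
    CHECKOUT: {"cname": "checkout-target.example.", "not_after": "Jun 15 12:00:00 2025 GMT"},
    HELP: {"cname": "old-helpdesk.example.", "not_after": "May 20 12:00:00 2025 GMT"},
}
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
REPORT = check_inventory(INVENTORY, OBSERVED, NOW)
```

With this sample data the store domain is clean while the checkout and help desk subdomains are flagged, which is the situation a primary-domain-only check would miss.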


Alert Thresholds for Shopify Agencies

The right SSL expiry alert threshold for Shopify clients depends on how proactive you want to be:

  • 30 days — aggressive but appropriate for ecommerce clients where checkout SSL expiry directly blocks revenue. Enough time to identify the cause and correct it without emergency intervention.
  • 14 days — standard for most monitoring tools. Workable for non-ecommerce clients but tight for ecommerce where checkout SSL expiry affects revenue immediately.
  • 7 days or less — reactive. You are already in emergency territory for most Shopify clients.

For agencies with ecommerce clients on Shopify, a 30-day expiry warning threshold gives you time to investigate and resolve without a client call. For checkout subdomains specifically, err on the side of longer warning windows.


Setting Up Shopify Domain Monitoring in Merlonix

Adding a Shopify client domain to Merlonix takes under two minutes:

  1. Verify ownership with a DNS TXT record on the apex domain
  2. Add the primary store domain, checkout subdomain, and any third-party app subdomains without additional verification steps
  3. Set the SSL expiry alert threshold to 30 days for ecommerce clients
  4. Route alerts to the client's dedicated alert channel so the right team member receives them

All subdomains under the verified apex domain are available to add immediately after the initial verification. No separate DNS access to the client's zone is required to monitor subdomains — only the initial TXT record on the apex.

Shopify itself does not send SSL expiry warnings to agency accounts. Monitoring is the only way to get advance notice before a certificate expires and a client's checkout goes dark.