Monthly SSL and DNS Audit for Agencies: A Step-by-Step Process
Most web agencies do not run monthly SSL and DNS audits. They run emergency audits — when a client site goes offline, when a client calls about a browser security warning, or after a DNS incident that took longer to diagnose than it should have. The monthly audit happens retroactively, in incident post-mortem form.
This post outlines a proactive monthly SSL and DNS audit process for web agencies managing client portfolios. The goal is to identify issues before they become client-visible failures, with a process that takes 30–90 minutes per month depending on portfolio size — not a full day.
Why Monthly Is the Right Cadence
Weekly audits catch most issues but create audit fatigue — the same results every week make it easy to stop scrutinizing the results carefully. Quarterly audits are too infrequent: SSL certificates issued for 90-day terms (Let's Encrypt defaults) can expire within a quarter if renewal fails, and DNS records can drift significantly in three months after a client infrastructure change.
Monthly audits balance coverage frequency against operational overhead. A certificate that is 60 days from expiry shows up in a monthly audit with two full months to resolve the root cause. A CNAME that drifted after a client nameserver migration last week shows up in the next monthly review with weeks to correct before it becomes an outage.
For agencies with continuous monitoring (automated checks every 5–15 minutes), the monthly audit serves a different purpose than the monitoring: it is a systematic review of the full portfolio state rather than a reactive response to individual alerts.
What the Monthly Audit Covers
The monthly audit has five sections:
- Certificate inventory review — all certificates, their expiry dates, and chain status
- DNS record review — all CNAME delegations, A records, and any record changes since last month
- Domain registration review — all domain expiry dates and registrar status
- Environment coverage gap check — staging and API subdomains not currently monitored
- Vendor incident review — any platform incidents in the past 30 days affecting client sites
Step 1: Certificate Inventory Review (10–20 min)
What you are looking for: Any certificate expiring within 60 days, any chain validation failure, any unexpected issuer change.
How to run it:
Pull your monitoring dashboard's certificate export or run a manual check across all client domains. For each certificate, record:
- Common name and SANs
- Expiry date
- Issuer (CA)
- Chain validation status (valid / chain error / revoked)
- Days until expiry
Triage by priority:
| Expiry window | Priority | Action |
|---|---|---|
| < 14 days | Critical | Fix immediately — investigate root cause today |
| 14–30 days | High | Root cause investigation this week |
| 30–60 days | Medium | Investigate in next two weeks |
| 60–90 days | Low | Note and schedule follow-up |
| > 90 days | No action | Continue monitoring |
Chain validation failures: Treat any chain error as Critical regardless of expiry date. A chain error causes browser failures immediately.
Issuer changes: Compare this month's issuer against last month's. An unexpected issuer change warrants a five-minute investigation — usually it is a CDN or platform making a routine CA change, occasionally it indicates a misconfiguration.
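As an added example (not Merlonix's code or export format), the script below runs the manual check for Step 1 in Python: it pulls the live certificate for a host, records the fields listed above, applies the triage table, treats a chain validation failure as Critical, and flags an issuer change against last month's recorded issuer for that five-minute look. The `SAMPLE_CERT` dict is a constructed certificate in `ssl.getpeercert()` shape so the triage logic can be exercised offline; `check_host()` does the real network check.

```python
import socket
import ssl
from datetime import datetime, timezone
# Expiry windows from the Step 1 triage table: (exclusive upper bound, priority).
EXPIRY_TRIAGE = [(14, "Critical"), (30, "High"), (60, "Medium"), (90, "Low")]

def triage(days_left, chain_ok=True):
    """Map days until expiry and chain status to an audit priority."""
    if not chain_ok:  # a chain error is Critical regardless of expiry
        return "Critical"
    for limit, priority in EXPIRY_TRIAGE:
        if days_left < limit:
            return priority
    return "No action"

def summarize(cert, now, last_issuer=None):
    """Build the audit row from a cert dict in ssl.getpeercert() shape."""
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    issuer = dict(p for rdn in cert["issuer"] for p in rdn).get("organizationName", "?")
    days_left = (not_after - now).days
    return {
        "cn": dict(p for rdn in cert["subject"] for p in rdn).get("commonName"),
        "sans": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "expires": not_after.date().isoformat(),
        "issuer": issuer,
        "days_left": days_left,
        "priority": triage(days_left),
        "issuer_changed": last_issuer is not None and issuer != last_issuer,
    }

def check_host(host, last_issuer=None, port=443):
    """Fetch and validate the live certificate; chain failures become Critical."""
    ctx = ssl.create_default_context()  # verifies the chain against system roots
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"cn": host, "priority": triage(0, chain_ok=False), "error": str(exc)}
    return summarize(cert, datetime.now(timezone.utc), last_issuer)

# Constructed sample in getpeercert() shape so the logic can be exercised offline.
SAMPLE_NOW = datetime(2025, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_CERT = {
    "subject": ((("commonName", "clientdomain.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
    "notAfter": "Jun 15 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "clientdomain.com"), ("DNS", "www.clientdomain.com")),
}
```

Run `check_host()` over each client hostname and write the rows into the per-client report; `issuer_changed` is a prompt to look, not a priority bump on its own.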
Step 2: DNS Record Review (10–20 min)
What you are looking for: CNAME targets that have changed since last month, A records pointing to unexpected IPs, MX records that have changed, nameserver changes on client domains.
How to run it:
Your monitoring tool should log DNS record state on every check. Pull a comparison of current DNS records against last month's baseline for each client domain. If you do not have a monitoring tool that logs DNS state, run DNS queries manually for the highest-risk delegations.
What to check per client:
- CNAME targets: Does every CNAME delegation point to the expected hosting platform target? Compare against the configuration documented in your client records.
- Nameserver changes: Have any client domains changed their nameservers since last month? Nameserver changes are the most common cause of CNAME delegation failures — they mean the client has changed DNS providers and CNAME records may need to be recreated.
- A record changes: Are any A records pointing to IPs outside the expected hosting range? Unexpected A record changes require investigation.
- MX record changes: For clients whose email you manage or monitor, have MX records changed?
Triage:
| Finding | Priority | Action |
|---|---|---|
| CNAME pointing to wrong target | High | Identify root cause, check if site is affected |
| Nameserver change without corresponding CNAME update | High | Verify CNAME delegation is correctly recreated at new provider |
| Unexpected A record change | Medium | Investigate whether change was planned |
| Unexpected MX change | High (if managing email) | Verify with client — may indicate unauthorized change |
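As an added example (not Merlonix's code or its DNS history format), here is the month-over-month comparison for Step 2 in Python. It diffs last month's baseline snapshot against this month's, checks every documented CNAME delegation against the target in the client records, distinguishes a plain wrong CNAME from one left behind by a nameserver change, flags A records that changed (noting whether the new IP is inside the expected hosting range), and reports MX changes only for clients whose email you manage. The hosting range, the expected CNAME target and both snapshots are constructed placeholder values; in practice they come from your monitoring tool's DNS log or manual queries.

```python
import ipaddress
# Placeholder values: the hosting provider's IP range and the CNAME targets
# documented in the client records.
HOSTING_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
EXPECTED_CNAMES = {"www.clientdomain.com": "sites.hostingplatform.example"}
# Constructed snapshots (last month's baseline vs. this month) in the shape
# {"ns": [...], "records": {name: {"CNAME": str, "A": [...], "MX": [...]}}}.
BASELINE = {
    "ns": ["ns1.oldprovider.example", "ns2.oldprovider.example"],
    "records": {
        "clientdomain.com": {"A": ["203.0.113.10"], "MX": ["10 mail.clientdomain.com"]},
        "www.clientdomain.com": {"CNAME": "sites.hostingplatform.example"},
    },
}
CURRENT = {
    "ns": ["ns1.newprovider.example", "ns2.newprovider.example"],
    "records": {
        "clientdomain.com": {"A": ["198.51.100.7"], "MX": ["10 mail.clientdomain.com"]},
        "www.clientdomain.com": {"CNAME": "parking.newprovider.example"},
    },
}

def audit_dns(baseline, current, expected_cnames, ranges, manage_email=False):
    """Diff two snapshots and triage each finding per the Step 2 table."""
    findings = []
    ns_changed = set(baseline["ns"]) != set(current["ns"])
    if ns_changed:  # informational; the CNAME check below sets the priority
        findings.append({"priority": "Info", "name": "@", "finding": "Nameserver change",
                         "detail": f"{baseline['ns']} -> {current['ns']}"})
    old, new = baseline["records"], current["records"]
    for name, target in expected_cnames.items():
        actual = new.get(name, {}).get("CNAME")
        if actual != target:
            finding = ("Nameserver change without corresponding CNAME update"
                       if ns_changed else "CNAME pointing to wrong target")
            findings.append({"priority": "High", "name": name, "finding": finding,
                             "detail": f"expected {target}, got {actual}"})
    for name, rec in new.items():
        old_rec = old.get(name, {})
        for ip in set(rec.get("A", [])) - set(old_rec.get("A", [])):
            inside = any(ipaddress.ip_address(ip) in net for net in ranges)
            findings.append({"priority": "Medium", "name": name,
                             "finding": "Unexpected A record change",
                             "detail": f"{ip} ({'within' if inside else 'outside'} hosting range)"})
        if manage_email and set(rec.get("MX", [])) != set(old_rec.get("MX", [])):
            findings.append({"priority": "High", "name": name,
                             "finding": "Unexpected MX change", "detail": "verify with client"})
    return findings
```

Running `audit_dns(BASELINE, CURRENT, EXPECTED_CNAMES, HOSTING_RANGES, manage_email=True)` on the constructed data yields the nameserver note, a High finding for the www delegation that was not recreated at the new provider, and a Medium finding for the apex A record now pointing outside the hosting range.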
Step 3: Domain Registration Review (5–10 min)
What you are looking for: Any domain expiring within 60 days, any registrar lock that has been disabled, any domains that have changed registrars since last month.
How to run it:
Pull your monitoring tool's domain expiry report or run WHOIS queries for each client domain. Record expiry dates and compare against last month.
Triage by priority:
| Expiry window | Priority | Action |
|---|---|---|
| < 30 days | Critical | Contact client immediately — domain is in the danger zone |
| 30–60 days | High | Contact client this week to confirm renewal is in progress |
| 60–90 days | Medium | Add to client communication queue for next check-in |
| > 90 days | No action | Continue monitoring |
Client communication note: When contacting clients about domain expiry, be specific and actionable. "Your domain clientdomain.com expires on June 15. Please confirm that auto-renewal is enabled on your account at [registrar]. If you need help accessing the registrar, let us know." Vague domain expiry warnings get ignored.
Step 4: Environment Coverage Gap Check (5–10 min)
What you are looking for: Client subdomains that exist in DNS but are not currently monitored.
How to run it:
For each client, compare the subdomains currently in your monitoring tool against the subdomains that exist in the client's DNS zone. Gaps are subdomains that exist in DNS but have no monitoring coverage.
Common sources of unmonitored subdomains:
- Staging environments added since the client was onboarded
- API or webhook subdomains added for third-party integrations
- New regional subdomains added for international expansion
- Temporary subdomains created for campaigns that became permanent
- Subdomains inherited when the agency took over an existing client
Triage: Any production-impact subdomain (checkout, API, app login, member portal) with no SSL or DNS monitoring should be added this month. Staging and preview subdomains can be lower priority.
Step 5: Vendor Incident Review (5–10 min)
What you are looking for: Any platform incidents in the past 30 days that affected client sites, and whether those incidents were identified and communicated proactively.
How to run it:
Review your monitoring tool's vendor incident log for the past 30 days. For each vendor incident, check:
- Which clients use this vendor?
- Did the incident correlate with any client-side alerts or client contact?
- Was the agency's response proactive (you notified the client before they noticed) or reactive?
Why this matters: The vendor incident review is the data source for an internal question: "How many client incidents in the past month were platform-caused and how many were configuration-caused?" Over time, this breakdown tells you where to invest in proactive improvement — more monitoring coverage, better vendor incident handling, or client DNS hygiene conversations.
Monthly Audit Report Format
The monthly audit produces a one-page summary per client (or a portfolio summary if you manage a large number of small clients). The format does not need to be elaborate:
Client: [Client Name]
Audit date: [YYYY-MM-DD]
Audited by: [Name]
Certificate status:
[domain] — valid, expires [date], [days] days remaining
[domain] — ATTENTION: expires [date], [days] days remaining
DNS status:
All CNAME delegations verified — no changes detected
[or] CNAME drift detected on [subdomain] — [action taken/required]
Domain registration:
[domain] — expires [date], [days] days remaining
[or] ATTENTION: [domain] expires [date] — client contacted [date]
Environment coverage:
All monitored environments up to date
[or] Gap: [subdomain] not currently monitored — added [date]
Vendor incidents:
None in past 30 days
[or] [Vendor] — incident [date], [duration], [client impact]
Keep the format consistent so audits from different months can be compared quickly.
Automating the Monthly Audit
A fully manual monthly audit on a portfolio of 20+ clients takes most of a day. The goal is to automate the data collection so the audit becomes a 30-minute review of a pre-built report rather than a four-hour manual process.
What to automate:
- Certificate expiry reporting: monitoring tools should export current expiry dates on demand
- DNS record state logging: monitoring tools should maintain a history of DNS state that enables month-over-month comparison
- Domain expiry reporting: monitoring tools should report expiry dates per domain
What still requires human review:
- Prioritization and triage of flagged issues
- Client communication about expiring domains or required DNS changes
- Judgment calls on whether unexpected DNS changes are intentional or concerning
Tooling: Merlonix generates a portfolio health report covering certificate expiry status, DNS record state, and domain expiry for all monitored clients. The monthly audit becomes a review of the report rather than manual data collection.
How to Start
If you are not running a monthly SSL and DNS audit yet, start with one client this month — your highest-revenue retainer client, or the one most likely to call you if their site goes down. Run through the five steps above. Note what you find. Then automate the data collection for next month.
The first audit always surfaces something that was not being monitored. That is the point.
Start monitoring your client portfolio with Merlonix — the monthly audit report is included in every plan.