New Client Onboarding to Website Monitoring: The Agency Checklist
The worst time to discover a client's SSL certificate was already expiring is three days into your engagement, when the site goes into browser warning state and the client assumes it is your fault. The second worst time is during a retainer review when you realize a DNS record changed two months ago and no one noticed.
Monitoring should be the first thing you set up for a new client, not the last. Before you are responsible for the site's health, you need to know what state it is in. The checklist below covers the steps from signing the contract to having a verified, alerting monitoring setup in place.
Why Onboarding to Monitoring Matters
Taking on a new client means inheriting whatever state their digital infrastructure is currently in. That state is usually unknown. The SSL certificate might have 8 days left. DNS records might have been changed by a previous agency and never documented. A vendor the site depends on might be partially degraded.
You cannot fix what you do not know exists. Getting monitoring live during onboarding — before you start any site work — establishes a baseline you can point to. It protects your agency from inheriting blame for pre-existing issues and gives you a clear record of what changed on your watch.
The Onboarding Checklist
1. Domain inventory
Start with a complete list of every domain and subdomain the client owns that is relevant to your engagement. Ask for:
- Primary domain(s) with the main site
- Subdomain that serves the blog, shop, app, or staging environment
- Any redirect domains pointing to the primary
- Domains used for transactional email (SPF, DKIM, DMARC records live here)
Do not guess. Ask the client to provide the list from their registrar, or pull it from a DNS lookup. Undiscovered domains are a common source of missed expiries.
2. Identify who owns DNS vs. who owns hosting
For each domain, determine:
- Who controls the registrar (where auto-renewal is set)
- Who controls the DNS zone (where records are managed)
- Who controls the hosting (where files and the web server live)
These are often three different parties. Knowing who owns what tells you which verification method to use and who to contact if a change is needed.
3. Choose a verification method for each domain
You need to verify each domain before monitoring begins. Two options:
-
DNS TXT record: Use this if you manage or have quick access to the DNS zone. Add a TXT record at
_merlonix-verify.domain.comwith the token from your Merlonix dashboard. Fastest when DNS access is in-house. -
HTTP file: Use this if you manage hosting but not DNS. Upload a small text file to
/.well-known/merlonix-[token].txton the web root. Works for shared hosting, managed WordPress, VPS environments, and most CMS platforms.
If you have neither DNS nor hosting access for a domain, flag it. You cannot monitor a domain you cannot verify, and you should document this as a coverage gap in the client file.
4. Add assets in your monitoring dashboard
Add each verified domain as an asset. At minimum, enable:
- SSL certificate monitoring (expiry date, chain validity, issuer changes)
- DNS record monitoring (diff against baseline on each check)
For Shopify, Vercel, or other platform-hosted domains, also tag the relevant upstream vendors so vendor incidents surface in context.
5. Run a baseline check and document what you find
After adding assets, review the initial monitoring report:
- How many days until each certificate expires?
- Are there any certificates with chain errors or weak key algorithms?
- Do the DNS records match what you expected from the client's documentation?
- Are any vendor dependencies showing active incidents?
Document these findings. If a certificate is expiring in under 30 days, flag it as a pre-existing issue and address it before the client holds your agency accountable for an expiry that predates your engagement.
6. Configure alert channels
Set up alert routing so the right person receives the right type of alert:
- SSL expiry alerts at 30, 14, and 7 days before expiry — to whoever manages certificate renewals
- DNS change alerts — to the person responsible for DNS oversight
- Vendor status alerts — to the account manager who fields client calls
If your agency uses Slack, most monitoring tools can route to a dedicated channel. Route there first, and set up email escalation as a backup.
7. Test the first alert
Before considering setup complete, trigger a test alert to confirm the routing works. Verify that the notification arrives in the correct channel, that the alert content is actionable (it includes the domain, the issue type, and enough context to begin triage), and that no alerts are silently failing.
8. Document in the client file
Add a monitoring summary to the client's internal documentation:
- List of monitored domains and which verification method was used
- Coverage gaps (domains that could not be verified)
- Initial baseline findings (certificate expiry dates, any pre-existing issues)
- Alert routing configuration
- Date monitoring was activated
This documentation protects your agency in scope disputes and provides the next team member an immediate picture of the monitoring setup.
When the Client Owns DNS
If the client controls their own DNS zone and you need a DNS TXT record for verification, send a clear written request with the exact record to add. Include the name, type, and value. Do not ask the client to "add a monitoring record" — give them the exact string. Most clients who control their own DNS can add a TXT record within an hour if the instructions are clear.
If the client is unresponsive on DNS changes, fall back to HTTP file verification on the hosting side. You can always add the DNS TXT record later to complement it.
Merlonix supports both verification methods and handles the baseline snapshot automatically when you add a domain. The onboarding workflow above fits any agency monitoring setup — and takes under an hour per client when DNS or hosting access is already in place.
Start a free 14-day trial at merlonix.com/pricing/ — no credit card required, and you can add your first client domains immediately.