Built for accounting agencies — 14-day free trial

Your IRS e-filing proxy cert expires mid-tax-season.
Every client return misses the deadline.

Accounting agencies building client portals, tax-prep platforms, and DOR submission relays for CPA firms deal with three certificate risks:

  • IRS e-Services Modernized e-File (MeF) cert chain failures during tax season, which trigger IRC §6651(a)(1) failure-to-file penalties (5-25% of unpaid tax) and CPA professional liability for clients incurring the penalty.
  • State DOR portal cert dependencies (CA CDTFA, NY NYSDOL, FL DOR, each with their own cert chain and CAA requirements), where CAA tightening from unrelated security audits breaks quarterly sales-tax filings.
  • AICPA SSAE 18 SOC 2 Type II + state CPA board cybersecurity requirements, which are compromised when client portal certs expire and clients submit W-2s, 1099s, and financial statements over unencrypted connections.

Merlonix monitors every CPA-attached subdomain so the tax-season exposure surfaces 30 days before the failure window opens.

No credit card either way — start free, or trial the full workspace.

  • Check cadence (Agency): 1 min
  • SSL pre-expiry alert: 30 days
  • Independent DNS resolvers: 3
  • Vendors watched: 11

Where accounting agencies get caught out

Three failure modes: SSL expiry that collapses IRS e-filing during tax season, multi-state DOR cert chain mismatches that break quarterly sales-tax filings invisibly, and AICPA SOC 2 Type II + state CPA board cybersecurity-control failures.

Accounting agencies building client portals, tax-prep platforms, and DOR submission relays for CPA firms deal with:

  • IRS e-Services Modernized e-File (MeF) cert chain failures during tax season, which trigger IRC §6651(a)(1) failure-to-file penalties (5-25% of unpaid tax) and CPA professional liability.
  • Multi-state DOR portal cert dependencies (CA CDTFA, NY NYSDOL, FL DOR with its legacy Entrust trust anchor, TX Comptroller), where CAA tightening from unrelated SOC 2 hardening breaks quarterly sales-tax filings invisibly (discovered only at next quarter-end).
  • AICPA SSAE 18 SOC 2 Type II Trust Services Criteria CC6.7, which is compromised when client portal certs expire and W-2s, 1099s, K-1s, and brokerage statements transmit over unencrypted connections during the audit period of review.

IRS MeF e-filing proxy cert expiry

An e-filing proxy cert expires during tax season and every client return fails with a MeF protocol error

An accounting agency operates the e-filing proxy infrastructure for Regional Tax Partners, a 25-CPA regional firm in the Midwest serving 600 individual tax clients and 80 small-business clients. The e-filing proxy is hosted at efile.regionaltaxpartners.com — a tax-software-integrated relay that receives client returns from the firm's tax-prep platform and submits to IRS e-Services MeF. The cert on efile.regionaltaxpartners.com chains through DigiCert (one of the five IRS-approved CAs as of the 2026 tax season).

Two months ago (mid-January 2026), the IRS published an update to the MeF Authorized Issuer list adding Sectigo. The agency's chain validation logic — which validates the chain at e-filing submission time as a defense-in-depth check — was hard-coded against the previous five-CA list (DigiCert, Entrust, IdenTrust, GlobalSign, Symantec/now-DigiCert). The Symantec→DigiCert consolidation in 2017 already required a list update; the agency engineer who wrote the hard-coding chose against using a dynamic list. The 2026 update adding Sectigo broke the agency's validation logic for any future cert renewal — but didn't cause an immediate issue because the existing cert was issued by DigiCert (still on the list) and wasn't up for renewal yet.

The cert's 90-day cycle hits its renewal window on March 11. The agency's renewal automation requests a new cert from Let's Encrypt (chains through IdenTrust, on the approved list — but the agency hard-coded its own chain check to require specific intermediate CAs that no longer match what LE serves). The automation rejects the cert and falls back to the previous cert, which expires March 14 (Monday). All e-filings from Monday morning onward fail with MeF Authentication errors. The firm's senior tax partner notices Monday afternoon when the e-filing acknowledgment reports for the morning batch are empty.
The agency engineer is paged; investigation takes 4 hours to identify the chain validation logic; fix + redeploy takes 2 hours; cert renewal takes 1 hour. By 11 PM Monday, e-filing is restored. The four-day backlog (Friday before, weekend, Monday): 240+ client returns. Clearing the backlog takes 48 hours. April 15 deadline: 24 days away. The firm's tax partners are concerned about IRS-side acceptance delays — the MeF acknowledgment cycle is typically 24-48 hours but can stretch to 5-7 days during tax season under load. Any client return that doesn't receive an "Accepted" acknowledgment by April 15 may be deemed not-filed for §6651(a)(1) purposes (the e-file submission timestamp is the filing date if and only if the return is ultimately accepted). The agency's engagement contract with the firm includes a tax-season uptime SLA; the SLA is triggered. The firm's engagement letters with clients include a timely-filing guarantee; for any client whose return is delayed past April 15 due to the agency's outage, the firm must absorb the penalty under the guarantee — and the firm's indemnity from the agency is triggered for those penalties. The agency's E&O policy is triggered. Reputation exposure with the firm and the firm's peer network of regional CPA firms is significant.

CAA tightening breaks a DOR cert chain

SOC 2 CAA tightening issues a cert chain one state DOR portal rejects, and quarterly filings fail invisibly

An accounting agency operates a multi-state sales-tax filing service for 80 e-commerce client businesses with sales-tax nexus across 45 states (most are concentrated in CA, NY, TX, FL, IL — the high-volume e-commerce states). The submission infrastructure is filings.salestaxagency.com — a relay that receives transaction data from clients' e-commerce platforms (Shopify, BigCommerce, WooCommerce) and submits aggregated sales-tax filings to each state DOR via the state's e-services portal. The cert on filings.salestaxagency.com chains through DigiCert.

The agency runs a SOC 2 Type II hardening project in early 2026; one recommendation from the auditor is to tighten CAA records to pin to specific commercial CAs only (rather than allowing any CA, which is the LE-permitting default). The agency tightens the CAA at salestaxagency.com to allow only DigiCert. The next 90-day cert renewal for filings.salestaxagency.com (early April 2026) issues a DigiCert-chained cert. The cert installs and serves correctly.

CA CDTFA accepts the new cert chain (DigiCert is on CA CDTFA's approved list). NY NYSDOL accepts the new cert chain (DigiCert is on NY's approved list). FL DOR rejects the new cert chain at the submission API. FL DOR's e-services portal — redesigned in 2018 under a state IT project — has a hard-coded trust anchor at a specific Entrust intermediate cert; submissions presenting a chain that doesn't terminate at that exact intermediate are rejected with HTTP 502 and a generic "TLS validation failed" message. The agency's automation doesn't alert because the Q1 2026 filings (due April 20 for quarterly filers, due on rolling deadlines for monthly filers) were already submitted in late March, before the cert renewal. Q2 filings begin in early July. The 18 client businesses with FL nexus see their FL filings fail every retry.
The agency's ops team notices when FL DOR sends notice-of-non-filing letters to the client businesses; the clients forward to the agency demanding explanation. The agency engineer investigates; identifies the FL DOR Entrust trust anchor; obtains a new cert from Entrust (requires opening a new account with Entrust, validating the domain, paying the cert fee); installs alongside the DigiCert cert in a SNI-based config that serves DigiCert to most state DORs and Entrust specifically to FL DOR. Late-filing penalties for the 18 FL-nexus client businesses: 10% of FL sales tax due per month, plus 1% interest per month, accruing from the original due date until filing is accepted. For an average client business with $50,000 quarterly FL sales tax, one month late = $5,000 penalty + $500 interest. Across 18 clients × 1 quarter = ~$100,000 in penalties + interest. The agency's engagement contracts with the client businesses include filing-deadline SLAs and indemnity for filing failures caused by agency infrastructure; the indemnity is triggered. The agency's E&O policy is triggered.

Client portal cert expiry breaks SOC 2

A client portal cert expires during a code-freeze and financial data transmits unencrypted

An accounting agency operates the client portal for Mid-Market Tax Advisors, a 12-CPA firm serving 220 clients across high-net-worth individuals (40), small businesses (130), and professional practices (50 — mostly dental, medical, and legal). The portal handles document upload (W-2s, 1099s, K-1s, brokerage statements, business financials), engagement letter signing (DocuSign integration), and document delivery (final returns, advisory memos). The portal is hosted at portal.midmarkettaxadvisors.com with a Let's Encrypt cert on a 90-day cycle. The firm maintains AICPA SOC 2 Type II attestation; the most recent Type II report covers October 1, 2025 through September 30, 2026 (the firm uses an October 1 fiscal year for SOC 2 audit cadence).

The firm imposes a firm-wide code-freeze every September from September 1 through October 15 to ensure stability during the tax-extension deadline week (October 15). The freeze prohibits any production code change without partner-level approval. The agency's LE renewal automation runs continuously and is exempt from the freeze, but the automation requires a config change (a new ACME challenge endpoint configured the previous quarter) that requires a deploy to apply. The deploy is blocked by the freeze. The previous cert expires September 9 — mid-freeze. The agency engineer notices the expiry alert; cannot deploy the config change to fix the renewal; escalates to the firm's managing partner for partner-level approval to deploy during the freeze. The managing partner is out-of-office at a CPA conference; the request sits in queue.

By September 18 (9 days post-expiry), 47 clients have submitted documents through the portal — the documents transmit over the expired cert. Mobile Safari users (most clients on mobile) get a hard block on iOS 18+ only if the site is HSTS-preloaded; the portal isn't preloaded, so users see the warning and most click through to complete submission. Desktop Chrome users get the warning and most click through.
Discovery happens September 18 when the managing partner returns and approves the deploy. The agency engineer deploys the config change, the renewal succeeds, the cert is restored. The firm's SOC 2 Type II audit period begins October 1. The auditor performs the period-of-review testing and identifies the cert-expiry window in the systems-availability log review. Under SOC 2 Type II Trust Services Criteria CC6.7, the auditor flags this as a control failure: the entity did not maintain transmission encryption controls during the 9-day window. The audit report records a "qualified opinion" with the cert-expiry exception explicitly listed; the firm's sales pipeline of new institutional clients (which is contingent on a clean SOC 2 Type II report) is impacted for the next year. State CPA board complaints are also possible: any client who submitted documents during the expired-cert window and later experiences a data-breach or identity-theft event has standing to file a complaint with the state CPA board (CA Board of Accountancy if the firm is CA-domiciled, NY State Board for Public Accountancy if NY-domiciled). The agency's engagement contract with the firm includes a cybersecurity SLA and indemnity; the indemnity is triggered for the SOC 2 audit's qualified opinion impact on the firm's revenue. The agency's E&O policy is triggered.

How it works

SSL and DNS monitoring for accounting agencies across IRS e-Services Modernized e-File proxies (tax-season failure-to-file exposure under IRC §6651(a)(1)), multi-state DOR submission endpoints (per-state late-filing penalty exposure when CAA tightening breaks chain compatibility), and SOC 2 Type II-scope client portals (AICPA + state CPA board cybersecurity-control exposure).

Merlonix monitors SSL expiry and DNS integrity across every CPA-attached subdomain — portal.* (client document portal), efile.* (IRS MeF proxy), filings.* (state DOR submission relay), intake.* (client intake) — and catches cert expiry on tax-season-critical infrastructure 30 days before any IRS MeF submission can fail and trigger §6651(a)(1) penalties, before any state DOR submission can fail and accrue per-state late-filing penalties, and before any client portal cert expiry can create a SOC 2 Type II audit exception. Each CPA subdomain gets independent monitoring because each one has independent regulatory exposure that flows back to the agency under the engagement's cybersecurity SLA and indemnity provisions.

01

Add every CPA-attached subdomain — portal.*, efile.*, filings.*, intake.*, plus the firm's primary marketing domain — with DNS TXT verification that catches cert expiry on tax-season-critical infrastructure 30 days before the IRS MeF or state DOR submission window opens

Verify ownership with a DNS TXT record on the apex domain. All CPA-attached subdomains under that apex — portal.* (client document portal), efile.* (IRS MeF e-filing proxy), filings.* (state DOR submission relay), intake.* (client intake forms) — are added without additional verification. Monitoring every CPA-attached subdomain catches cert expiry on tax-season-critical subdomains 30 days before the failure window opens — well before any IRS MeF submission can fail and trigger IRC §6651(a)(1) penalties for the firm's 600+ tax clients, well before any state DOR submission can fail at quarter-end and accrue late-filing penalties, and well before any client portal cert expiry can create a SOC 2 Type II audit exception under CC6.7. Under two minutes per firm.

02

CAA inheritance monitoring across registrar changes, SOC 2 hardening projects, and code-freeze windows — surfacing the CAA tightening that breaks state DOR cert chain compatibility invisibly between quarterly filing cycles

Three independent DNS resolvers check every CNAME and CAA record on every monitoring interval, walking the CAA inheritance chain from the apex up. When a CAA record is tightened during a SOC 2 hardening project (a common SOC 2 Type II recommendation), the change is detected in the first check cycle — and the implications for state DOR cert chain compatibility (FL DOR's Entrust trust anchor, CA CDTFA's approved CA list, NY NYSDOL's requirements) are surfaced before the next cert renewal issues a chain that may be incompatible with one or more state DOR portals. Code-freeze windows (typical at CPA firms during tax-extension week in mid-October) that block deploys for renewal config changes are also tracked as a risk signal.
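The CAA inheritance check described above, as an added example (not Merlonix's code): it applies the RFC 8659 lookup to constructed before/after zone snapshots for the filings.salestaxagency.com scenario and reports which issuers a renewal would lose. The snapshot data, the `NEEDED` set and all function names are assumptions for illustration.

```python
"""RFC 8659 CAA evaluation over constructed zone snapshots (no network I/O)."""

# Constructed sample data: CAA record sets keyed by owner name, as (tag, value).
# BEFORE has no CAA anywhere; AFTER is the tightened apex from the scenario.
BEFORE = {}
AFTER = {"salestaxagency.com": [("issue", "digicert.com")]}
# One possible remedy: an RRset on the relay itself overrides the apex policy.
FIXED = {**AFTER, "filings.salestaxagency.com": [
    ("issue", "digicert.com"), ("issue", "entrust.net")]}

# Assumption: CAA identifiers of the CAs the relay must be able to renew from.
NEEDED = {"digicert.com", "entrust.net"}


def relevant_rrset(zone, fqdn):
    """Climb from fqdn toward the root; the first name with CAA records wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def permitted_issuers(zone, fqdn, wildcard=False):
    """Return None if CAA does not restrict issuance, else the allowed set."""
    _, rrset = relevant_rrset(zone, fqdn)
    tags = {}
    for tag, value in rrset:
        # The issuer domain name is everything before the first ';'.
        issuer = value.split(";", 1)[0].strip().lower()
        tags.setdefault(tag.lower(), set()).add(issuer)
    # issuewild, when present, replaces issue for wildcard requests only.
    key = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if key not in tags:
        return None          # e.g. only iodef records: nothing is restricted
    return tags[key] - {""}  # 'issue ";"' yields an empty set: no CA may issue


def allows(zone, fqdn, issuer):
    """True when CAA for fqdn lets `issuer` issue a non-wildcard cert."""
    allowed = permitted_issuers(zone, fqdn)
    return allowed is None or issuer in allowed


def newly_blocked(before, after, fqdn, needed):
    """Issuers in `needed` that could issue for fqdn before but cannot after."""
    return sorted(ca for ca in needed
                  if allows(before, fqdn, ca) and not allows(after, fqdn, ca))


if __name__ == "__main__":
    host = "filings.salestaxagency.com"
    print("policy inherited from:", relevant_rrset(AFTER, host)[0])
    print("blocked after tightening:", newly_blocked(BEFORE, AFTER, host, NEEDED))
    print("blocked with subdomain RRset:", newly_blocked(BEFORE, FIXED, host, NEEDED))
```

The lookup stops at the first name that has any CAA records, so a record set on the subdomain replaces the apex policy rather than merging with it.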

03

SSL monitoring 30 days before expiry across IRS MeF e-filing proxies, multi-state DOR submission endpoints, and SOC 2 Type II-scope client portals — independent per-subdomain checks because each one has independent regulatory exposure

Full SSL chain validation on every CPA-attached subdomain. Independent checks catch cert expiry 30 days before the failure window opens — enough time to coordinate any chain validation logic updates (e.g., when the IRS updates the MeF Approved Issuer list, as happened January 2026 with the addition of Sectigo), test the new cert against the IRS MeF endpoint plus each in-scope state DOR endpoint, and avoid any deploy collision with firm-wide code-freeze windows during tax season. The 30-day lead time covers both the 90-day Let's Encrypt cert cycle and the worst-case code-freeze + partner-approval cycle for cert config deploys.

04

Vendor status for IRS e-Services MeF, the major state DORs (CA CDTFA, NY NYSDOL, FL DOR, TX Comptroller, IL DOR, OH DOT, PA DOR, NJ DOT), the tax-prep platform vendors (Drake, Lacerte, ProSeries, UltraTax, CCH ProSystem fx), and Let's Encrypt — to distinguish vendor-side incidents from per-firm SSL configuration failures

Merlonix monitors IRS e-Services MeF status (status.irs.gov), the major state DOR portals' status pages, and the tax-prep platform vendors' status pages alongside the firm's cert state — so when IRS MeF has a platform-wide incident (common during peak tax-season load), you see the vendor event clearly rather than spending hours investigating whether the firm's efile.* subdomain has a cert problem. State DOR status monitoring is particularly important during quarterly filing windows (April 20, July 20, October 20, January 20 for quarterly filers) when DOR portals are under load and may experience transient TLS issues.

What the numbers mean for accounting agencies

Monitoring built for accounting agencies where one CPA firm portfolio means an IRS MeF e-filing proxy (tax-season failure-to-file exposure for 500+ clients), a multi-state DOR submission relay (per-state late-filing penalty exposure across 30+ states with different cert chain requirements), and a SOC 2 Type II-scope client portal (audit-period control exception exposure under AICPA Trust Services Criteria CC6.7 and state CPA board cybersecurity rules).

Accounting agencies operating client-facing tech for CPA firms need monitoring that recognizes each CPA-attached subdomain has independent regulatory exposure — because the IRS MeF failure during tax season is silent in its early hours (the e-filing acknowledgment cycle takes 24-48 hours, so a cert expiry on Friday afternoon may not surface until Monday morning), the state DOR chain mismatch is silent across an entire quarter (the previous quarter's filings were already submitted before the CAA change took effect; the failure surfaces only at next quarter-end), and the SOC 2 Type II control exception is silent until the audit's period-of-review testing identifies the cert-expiry window in the systems-availability log review.

< 10 min

Time from DNS change to alert — catches CAA tightening introduced by SOC 2 hardening projects (a common recommendation that silently breaks state DOR cert chain compatibility for FL DOR's Entrust trust anchor and similar legacy chains) before the next 90-day cert renewal issues an incompatible chain, plus registrar nameserver changes during tax season

30 days

SSL expiry warning lead time — enough time to coordinate any chain validation logic updates required by IRS MeF Approved Issuer list changes (Sectigo was added January 2026), test the new cert chain against the IRS MeF endpoint plus every in-scope state DOR endpoint, and avoid deploy collisions with firm-wide code-freeze windows during tax-extension week (typically September 1 - October 15)

11 vendors

Upstream services monitored — IRS e-Services MeF status, the major state DOR status pages (CA CDTFA, NY NYSDOL, FL DOR, TX Comptroller, IL DOR), the tax-prep platform vendors (Drake, Lacerte, ProSeries, UltraTax, CCH ProSystem fx), and Let's Encrypt. Distinguishes a vendor-side incident from a per-firm SSL configuration failure

250 assets

Maximum monitored domains on the Agency plan — covers a full CPA-vertical portfolio: 25+ CPA firms each with portal.*, efile.*, filings.*, intake.*, and apex subdomains. Multi-state CPA firms with separate filings subdomains per state nexus (filings.ca.cpafirmname.com, filings.ny.cpafirmname.com) are absorbed without per-domain fees

Pricing

Flat monthly fee. Every CPA-attached subdomain, every IRS MeF proxy, every state DOR submission endpoint included.

No per-firm charges. No per-state fees. Pick the tier that fits your CPA-vertical portfolio and monitor every tax-season-critical subdomain (portal.*, efile.*, filings.*, intake.*) under each firm's apex without billing surprises.


Starter

For solo developers or two-person agencies operating a single CPA firm's client portal, IRS e-filing proxy, and state DOR submission endpoint under one apex domain.

$19/month

  • 15 monitored assets
  • 3 seats
  • 5 min check cadence
  • SSL + DNS + vendor monitoring
  • Email + Slack alerts

Most chosen

Team

For accounting agencies managing 5-10 CPA firm clients with separate portal.*, efile.*, filings.*, and intake.* subdomains per firm, plus the firm's primary marketing domain.

$79/month

  • 60 monitored assets
  • 10 seats
  • 1 min check cadence
  • SSL + DNS + vendor monitoring
  • Email + Slack alerts

Agency

For agencies with a full CPA-vertical client roster including multi-state CPA firms with sales-tax nexus across 45+ states (separate filings.* subdomains per state nexus), SOC 2 Type II-scope client portals, and IRS MeF proxies handling 500+ tax clients per firm during peak tax season.

$199/month

  • 250 monitored assets
  • Unlimited seats
  • 1 min check cadence
  • SSL + DNS + vendor monitoring
  • Email + Slack alerts

Compliance

For regulated-vertical teams that need continuous, audit-ready evidence.

$699/month

  • 500 monitored assets
  • Unlimited seats
  • 1 min check cadence
  • SSL + DNS + vendor monitoring
  • Email + Slack alerts

Know when your IRS MeF e-filing proxy is approaching cert expiry — 30 days before tax season, not 28 days before April 15 with 240+ returns backlogged.

Add your first CPA firm subdomain in under two minutes. Client document portals, IRS MeF e-filing proxies, state DOR submission relays, and client intake forms across every firm in your portfolio are monitored from the same dashboard. 14-day trial, no card required.