Domain Expiry Monitoring for Agencies: Stop Losing Client Domains
Learn how web agencies can monitor domain registration expiry across client portfolios, prevent accidental lapses, and protect client sites from domain-related outages.
Updated 27 April 2026
Why domain expiry is the highest-stakes failure mode agencies face
An expired SSL certificate breaks a website. An expired domain name erases it — or worse, allows someone else to register it.
When a domain expires and is not renewed before the redemption period ends, it returns to the open market. Competitors, domain squatters, and malicious actors actively watch for dropped domains, particularly those associated with established businesses. A client whose company domain is registered by a squatter faces a recovery process that can take weeks and cost thousands — or may not be recoverable at all.
Unlike SSL certificate expiry, which causes a browser warning, domain expiry causes a complete site outage: DNS resolution fails, email stops working, and all services tied to the domain go dark simultaneously. For a client who relies on their domain for business email, this is an immediate operational crisis.
Agencies are responsible for this more often than they should be. The typical scenario: a client asks you to manage their website, your agency is the technical contact for the hosting, but domain registration stays with the client — or was set up years ago by a previous agency. Nobody checks it. The domain renews automatically for two years. Then the credit card on the registrar account expires, the auto-renewal fails, and the domain lapses while everyone assumes the other party is handling it.
The domain lifecycle every agency should understand
Registration and auto-renewal
A domain registration is an annual or multi-year lease. Most registrars default to auto-renewal, which works reliably as long as the payment method on the account is current. The failure modes are:
- Expired credit card: The most common cause of accidental domain lapses. Registrar sends renewal notices to an email address nobody monitors. Auto-renewal fails. The domain enters the grace period.
- Billing account closure: A client closes the email address or credit card account associated with the registrar.
- Registrar account lockout: Password reset issues, two-factor authentication problems, or account deactivation after inactivity.
- Ownership ambiguity: The domain was registered by a previous web agency and the current agency does not have registrar access.
Grace period and redemption period
After expiry, most gTLDs (.com, .net, .org) follow this sequence:
| Phase | Typical duration | What happens | Domain usable? |
|---|---|---|---|
| Active | Until expiry | Normal operation | Yes |
| Grace period | 0–45 days after expiry | Registrar notifies, renewal at normal price | No (DNS usually stops resolving) |
| Redemption period | 30 days | Renewal available at elevated fee ($80–200+) | No |
| Pending delete | 5 days | Cannot be renewed; deletion queued | No |
| Available | After deletion | Domain returns to open registration | No (gone) |
Country-code TLDs (.co.uk, .de, .fr) have different timelines, often shorter. Some ccTLDs drop domains within days of expiry.
The agency responsibility ambiguity problem
The most dangerous configuration for domain expiry is ambiguity about who is responsible for renewal.
In a typical agency-client relationship, responsibilities are divided but not always clearly documented:
- Agency controls: hosting, SSL configuration, DNS records, deployments
- Client controls: domain registrar account, billing, renewal
When both parties assume the other is handling it, neither checks. The domain expires.
Mapping ownership for every client
Build a clear record for each client domain:
| Field | Options |
|---|---|
| Registrar | Name the registrar explicitly — Namecheap, GoDaddy, Cloudflare Registrar, Google Domains, etc. |
| Who pays for renewal | Client direct, agency billing, third-party |
| Who has registrar access | Client only, agency only, shared, previous agency |
| Auto-renewal status | Enabled / disabled / unknown |
| Renewal notice email | The email address the registrar sends to |
| Next renewal date | The date you are monitoring |
"Unknown" in any of these fields is a risk. Resolve it with the client, ideally at project onboarding.
Getting the renewal date without registrar access
You do not need registrar access to check a domain's expiry date. WHOIS data includes the expiry date for most gTLDs:
```bash
whois example.com | grep "Expiry Date"
```
For ccTLDs and privacy-protected registrations, WHOIS may not include the date. In those cases, external monitoring tools that track expiry via alternative sources (RDAP, registrar-specific data feeds) are necessary.
Setting alert thresholds for domain expiry
Domain renewal is slower than SSL renewal — you often need to confirm billing details, get client approval for multi-year renewals, and handle transfer paperwork if the domain needs to move registrars. Alert windows should be longer than for SSL.
| Alert level | Days remaining | Recommended action |
|---|---|---|
| Early warning | 90 days | Confirm auto-renewal is enabled; verify payment method |
| Alert | 60 days | Contact client if they control the registrar |
| Warning | 30 days | Escalate — begin manual renewal or transfer if needed |
| Critical | 14 days | Immediate action; domain may lapse during renewal process |
| Emergency | 7 days | Emergency renewal; domain squatting risk is imminent |
Ninety-day early warnings feel distant, but they give you time to handle the common failure scenario: auto-renewal is enabled, but the payment method has expired, and getting updated billing details from a client takes three email exchanges over two weeks.
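The registrar-free expiry check and the alert tiers above, combined as an added example (not CertPilot's code and not part of the original article): it reads the expiration event from an RDAP domain response and maps the days remaining to the table's tiers. The sample responses, the `.example` names, the `Lapsed` and `Unknown` labels, and the function names are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Alert tiers from the threshold table above, tightest first.
TIERS = [(7, "Emergency"), (14, "Critical"), (30, "Warning"),
         (60, "Alert"), (90, "Early warning")]
# RDAP status values for the post-expiry phases. In "auto renew period" the
# registry has already extended the expiry date, so the date alone looks fine.
LAPSE_STATUSES = {"auto renew period", "redemption period", "pending delete"}

def assess(rdap_json, today):
    """Return domain, days remaining, alert level and lapse flags."""
    obj = json.loads(rdap_json)
    name = obj.get("ldhName", "").lower()
    flags = sorted(LAPSE_STATUSES & set(obj.get("status", [])))
    expiry = next((e.get("eventDate") for e in obj.get("events", [])
                   if e.get("eventAction") == "expiration"), None)
    if expiry is None:
        # No public expiry date (some ccTLDs): unknown is itself a risk.
        return {"domain": name, "days": None, "level": "Unknown", "flags": flags}
    exp = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
    days = (exp - today).days
    if flags or days < 0:
        level = "Lapsed"  # label chosen for this example
    else:
        level = next((lvl for limit, lvl in TIERS if days <= limit), "OK")
    return {"domain": name, "days": days, "level": level, "flags": flags}

def rdap(name, status, expiration=None):
    """Build a constructed RDAP domain response (sample data, not real)."""
    events = [{"eventAction": "registration", "eventDate": "2019-06-10T00:00:00Z"}]
    if expiration:
        events.append({"eventAction": "expiration", "eventDate": expiration})
    return json.dumps({"objectClassName": "domain", "ldhName": name,
                       "status": status, "events": events})

TODAY = datetime(2026, 4, 27, tzinfo=timezone.utc)
SAMPLES = [
    rdap("CLIENT-A.EXAMPLE", ["client transfer prohibited"], "2026-06-10T00:00:00Z"),
    rdap("CLIENT-B.EXAMPLE", ["auto renew period"], "2027-04-20T00:00:00Z"),
    rdap("CLIENT-C.EXAMPLE", ["active"]),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(assess(sample, TODAY))
```

The second sample is the case a date-only check misses: the expiry date is almost a year away, yet the status shows the domain is already in a post-expiry phase.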
Domain expiry and SSL: the compounding failure
Domain expiry and SSL expiry are separate events with separate monitoring requirements, but they are operationally linked in one important way: a lapsed domain breaks automatic SSL renewal.
When a domain expires, DNS resolution fails. Any ACME-based SSL renewal depends on the domain resolving, whether it validates over DNS (DNS-01) or over HTTP (HTTP-01), so it will also fail. If your SSL monitoring shows a certificate entering its warning window at the same time a domain is approaching expiry, the risk is compounded: the SSL renewal may silently fail because DNS is broken.
This is why unified monitoring — checking both domain expiry and SSL expiry together — gives you a clearer picture than two separate tools. See the SSL expiry tracking guide for how to structure the SSL side of this.
Including domain expiry in client reporting
Domain registration status is a straightforward addition to monthly client reports. Clients appreciate seeing their domain registration date alongside SSL expiry and DNS health — it makes the "we are watching everything" claim concrete.
For a report format that covers both, see the client website health report template.
What CertPilot monitors for domain expiry
CertPilot checks domain registration expiry daily alongside SSL and DNS monitoring, so you have a unified view of every client domain's health:
- Domain expiry date checked daily via WHOIS and RDAP
- Days remaining with configurable multi-tier alerts
- SSL expiry on the same dashboard, so you catch compounding failures
- DNS health to surface misconfigurations before they block renewals
- Client grouping for portfolio-level views
- PDF reports that include domain expiry alongside SSL and DNS data for client deliverables
Frequently Asked Questions
What should agencies monitor for domain expiry?
Agencies should monitor the registration expiry date, registrar, renewal owner, auto-renewal status when known, and whether public RDAP data is complete.
The domain expiry monitoring that agencies rely on should also connect expiry risk to DNS, email, SSL renewal, and client ownership notes.
How early should agencies warn clients about domain expiry?
Ninety days is a practical early warning for client-owned domains because registrar access, payment updates, and ownership questions can take time.
Use shorter escalation windows as expiry approaches, such as 60, 30, 14, and 7 days, depending on the domain's importance.
What if the agency does not control the registrar?
The agency should warn the client, document the ownership boundary, and ask for confirmation that auto-renewal and payment details are current.
Do not promise renewal if the registrar account is outside agency control. The useful role is monitoring, reporting, and clear follow-up.
Should domain renewal be part of agency care plans?
Yes, at least as a documented responsibility. A care plan should state who controls the registrar, who pays for renewal, and how expiry warnings are handled.
Even when the client owns the registrar account, domain health reports help keep the risk visible.