Domain Expiry Monitoring Guide: Protect Your Domain from Lapsing
Learn why domains expire despite auto-renew, how WHOIS monitoring works, what happens during grace and redemption periods, and how to set up domain expiry alerts.
Last updated: 2026-02-17
Why Domain Expiry Is a Bigger Risk Than You Think
Losing your domain is one of the most catastrophic things that can happen to your online presence. It is worse than a server crash, worse than an expired SSL certificate, worse than a database failure. Those can all be fixed in hours. A lost domain can take weeks to recover, if you can recover it at all.
When your domain registration expires, your website disappears, your email stops working, and someone else can register your domain. That someone could be a domain squatter who demands thousands of dollars to sell it back, a competitor who redirects your traffic to their site, or a scammer who sets up a phishing page using your brand.
Despite this, most teams treat domain renewal as a set-and-forget task. They turn on auto-renew and never think about it again. This works until it does not.
How Domain Registration Works
When you register a domain, you are leasing it from a registrar (GoDaddy, Namecheap, Cloudflare, Google Domains, etc.) for a fixed period, typically one to ten years. The registrar records your ownership in the WHOIS database, which is the public registry that maps domain names to registrant information.
Your registration has a specific expiration date. Before that date, you need to renew the registration by paying the registrar for another term. If you do not renew, the domain enters a series of post-expiration periods before eventually becoming available for anyone to register.
WHOIS data is the authoritative source for domain registration information, including expiration dates, registrar details, and nameserver records. Domain monitoring tools query WHOIS to track your domain's status.
Why Auto-Renew Fails
Every registrar offers auto-renewal. You turn it on and the registrar charges your payment method before the domain expires. Simple, reliable, done.
Except auto-renew fails regularly. Here is why:
Expired payment methods. The credit card on file expired, was cancelled due to fraud, or was replaced with a new number. The registrar's charge is declined. Some registrars send a notification to your email. Many do not, or the notification lands in spam.
Changed email addresses. The email address associated with the domain registration belongs to a former employee, a deprecated inbox, or a catchall that nobody monitors. Renewal notices go to a dead address.
Registrar policy changes. Registrars change their pricing, terms, or auto-renewal policies. Some registrars disable auto-renewal if they cannot verify the registrant's contact information, which can change if privacy regulations (like GDPR's impact on WHOIS) alter how contact data is stored.
Account access issues. The person who registered the domain left the company, and nobody has the registrar account credentials. The account might have two-factor authentication tied to their personal phone. You cannot renew what you cannot access.
Registrar transitions. During a domain transfer between registrars, auto-renewal settings on the old registrar are voided. If the transfer completes close to the expiration date, and auto-renewal on the new registrar is not yet configured, the domain can expire.
Administrative holds. ICANN requires registrants to verify their contact information. If you ignore the verification email (or it goes to the wrong address), the registrar can place a clientHold on your domain, which effectively takes it offline even before it expires.
| Auto-Renew Failure Cause | How Common | Typical Detection Time Without Monitoring |
|---|---|---|
| Expired credit card | Very common | Days to weeks (until site goes down) |
| Email to former employee | Common | Weeks to months |
| Registrar policy change | Occasional | Weeks (until renewal period) |
| Lost account access | Occasional | Months (until crisis) |
| Transfer timing issue | Rare but severe | Days (during transfer window) |
What Happens After a Domain Expires
Domain expiration is not instant. Registrars follow a series of post-expiration periods before the domain is released. Understanding these periods is critical because each one narrows your options and increases the cost of recovery.
Auto-Renew Grace Period (0-45 days)
Most registrars provide a grace period after expiration during which you can renew at the normal price. The length varies by registrar and TLD. During this period, your website and email typically stop working because the registrar sets the domain's nameservers to a parking page. You can still renew easily, but your site is already down.
Redemption Grace Period (30 days)
After the auto-renew grace period, the domain enters a redemption period. You can still recover it, but the registrar charges a redemption fee, typically $80 to $200 on top of the renewal cost. The domain is still not available for public registration, but recovering it is expensive and requires contacting your registrar's support team.
Pending Delete (5 days)
After the redemption period, the domain enters a 5-day pending delete phase. During this time, nobody can register or renew it. It is waiting to be released back to the general pool.
Public Availability
The domain is released and anyone can register it on a first-come, first-served basis. Domain squatters use automated tools to snap up expired domains with traffic, backlinks, or brand value within seconds of release. If your domain reaches this stage, recovery becomes a negotiation or legal process.
The total time from expiration to public release varies by TLD and registrar, but it is typically 75-80 days. That sounds like a long safety window. It is not. Your site goes offline at the start, and the cost of recovery increases dramatically at each stage.
Get Alerted Before Your Domain Expires
Site Watcher tracks domain expiry dates via WHOIS and alerts you at 60, 30, 14, and 7 days before expiration. Free for up to 3 targets.
How Domain Expiry Monitoring Works
Domain monitoring tools query the WHOIS database (or RDAP, its modern successor) to retrieve your domain's registration information, including the expiration date. The tool then calculates the number of days until expiry and sends alerts based on your configured thresholds.
The process is straightforward but has some nuances:
WHOIS rate limiting. WHOIS servers rate-limit queries to prevent abuse. Monitoring tools need to cache results and check at reasonable intervals (daily is sufficient for domain expiry, since dates do not change frequently).
RDAP transition. The industry is moving from the traditional WHOIS protocol to RDAP (Registration Data Access Protocol), which returns structured JSON data instead of free-form text. This makes automated parsing more reliable. Good monitoring tools support both protocols.
Privacy protection. Many registrars offer WHOIS privacy, which replaces your personal contact information with the registrar's proxy information. Expiration dates are still available in WHOIS even with privacy protection enabled.
Registrar-specific formats. Different registrars format WHOIS data differently. The expiration date might be labeled "Expiry Date," "Registry Expiry Date," or "paid-till." Monitoring tools need to parse multiple formats reliably.
Setting Up Domain Expiry Monitoring
Audit All Your Domains
Most organizations own more domains than they think. Beyond your primary domain, check for: regional TLD variants (.co.uk, .de, .jp), common misspellings you have registered defensively, legacy domains from previous brand names, and domains used for internal services. Make a complete list.
Centralize Registrar Information
For each domain, document: the registrar, the account holder, the email address on file, the payment method, the auto-renewal status, and the current nameservers. If multiple people registered domains over the years using personal accounts, this audit alone may reveal domains at risk.
Configure Multi-Stage Alerts
Set alerts at multiple thresholds to create an escalation sequence. A recommended cadence: 90 days (early awareness, verify renewal process), 60 days (confirm auto-renew is active and payment method is valid), 30 days (action required if not already renewed), 14 days (escalation, manual renewal if auto-renew has not triggered), and 7 days (emergency, renew immediately).
Verify Auto-Renew and Payment
For each domain, log into the registrar and confirm that auto-renewal is enabled and the payment method is current. This is a manual step, but it only needs to happen once. After that, monitoring alerts will catch any issues.
Establish a Renewal Runbook
Document the renewal process for each registrar you use. Include login URLs, account credentials location, payment update procedures, and escalation contacts. When a 14-day alert fires, the person responding should not have to figure out how to renew from scratch.
Alert Cadence: Balancing Early Warning and Alert Fatigue
The right alert cadence depends on your organization's response time and the criticality of the domain.
For your primary business domain, alert early and often. A 90-day first alert is not too early. This gives you ample time to verify auto-renew, update payment methods, or coordinate with a registrar. Follow up at 60, 30, 14, and 7 days.
For defensive registrations (misspelling domains, alternate TLDs), a 30-day alert is sufficient. These domains are important but not operationally critical. You want to renew them, but a few days of delay will not cause an outage.
For expiring domains you plan to drop, set a reminder at 30 days and then disable monitoring. You do not want recurring alerts for a domain you have intentionally decided not to renew.
| Alert Threshold | Purpose | Action Required |
|---|---|---|
| 90 days | Early awareness | Verify registrar account and payment method |
| 60 days | Pre-renewal check | Confirm auto-renew is active |
| 30 days | Action window | Manually renew if auto-renew has not triggered |
| 14 days | Escalation | Escalate to management; contact registrar support if needed |
| 7 days | Emergency | Drop everything and renew immediately |
Domain Monitoring Beyond Expiry
Comprehensive domain monitoring covers more than just the expiration date.
Nameserver changes. If your domain's nameservers change without authorization, your entire DNS configuration can be hijacked. Monitoring nameserver records detects unauthorized transfers or social engineering attacks against your registrar.
Registrar lock status. Most registrars offer a domain lock that prevents unauthorized transfers. If the lock is removed without your knowledge, someone may be attempting to transfer your domain away. Monitoring the lock status adds a layer of protection.
WHOIS contact changes. Unauthorized changes to the WHOIS registrant contact can be the first step in a domain hijacking attack. If the attacker changes the email address, they can then approve a transfer to a different registrar.
DNS resolution verification. Beyond monitoring the registration itself, verify that the domain actually resolves to your expected IP addresses. This catches issues that occur between the registrar and your DNS provider.
Real-World Domain Expiry Disasters
These are not hypothetical scenarios. They have happened to major organizations.
In 2003, Microsoft let hotmail.co.uk expire. A random person registered it and received email intended for millions of Hotmail users in the UK. In 2015, the Dallas Cowboys let dallascowboys.com expire briefly, and it was picked up by a domain squatter. Google itself accidentally let its Argentinian domain (google.com.ar) lapse temporarily in 2013.
If Google can lose a domain, anyone can. The common thread in all these cases is the same: the team responsible assumed auto-renewal would handle it, and nobody was monitoring the expiration date independently.
These organizations had massive IT departments. They had budgets. They had processes. What they did not have was an automated alert that said "your domain expires in 30 days and auto-renewal has not triggered."
Consolidating Domain Management
If your domains are spread across multiple registrars, consolidation reduces risk. A single registrar means one payment method to maintain, one account to secure, and one interface to monitor.
However, consolidation also creates a single point of failure. If your one registrar has an issue (outage, security breach, policy change), all your domains are affected. Some organizations intentionally keep critical domains at separate registrars for resilience.
The right approach depends on your risk tolerance and operational capacity. Either way, monitoring is non-negotiable. Whether you have one registrar or five, automated expiry alerts catch the issues that manual processes miss.
Auto-renewal is a convenience, not a guarantee. Domain expiry monitoring is the safety net that catches every failure mode auto-renewal cannot.
Domain Monitoring Alongside Everything Else
Site Watcher tracks domain expiry, SSL certificates, uptime, DNS records, and vendor dependencies. $39/mo unlimited. Free for up to 3 targets.