
Your servers can be healthy. Your database can be fast. Your certificates can still have 70 days left. Your CDN can be green in every region. And then the domain expires.
When that happens, everything above the domain collapses. The website stops resolving. Email stops routing. OAuth callbacks fail. Webhooks bounce. Password reset links break. Customers do not see a tidy "maintenance" page; they see DNS errors, parked-domain pages, or a registrar notice that makes the company look abandoned.
This is the worst kind of outage because it is almost always preventable. Domain expiry does not happen in milliseconds. It announces itself for months through WHOIS and RDAP data, registrar notices, and expiration fields. The problem is that many teams monitor the application, the SSL certificate, and the cloud provider, but not the one asset all of it depends on: the domain registration itself.
This guide covers domain expiry and WHOIS monitoring in production: what to monitor, how domain-expiry incidents happen, which dates matter, how registrar locks and nameservers drift, and how to build alert thresholds that give the right people enough time to renew before users ever notice.
Why Domain Expiry Is Different From SSL Expiry
SSL certificate expiry is bad, but it usually affects one hostname or one certificate chain. Domain expiry affects the entire namespace:
- www.example.com stops resolving
- api.example.com stops resolving
- app.example.com stops resolving
- MX records stop resolving, so email breaks
- DKIM/SPF/DMARC lookups stop resolving, so deliverability breaks
- OAuth redirect URIs and webhook callback URLs fail
- Users may see registrar parking pages instead of your brand
The two failures are often conflated because both involve dates and certificates. They are not the same. Certificate expiry is covered in SSL Certificate Expiration: The Preventable Outage. Domain expiry is one layer lower: the name itself is gone or suspended.
The operational difference:
| Failure | What breaks | Detection surface |
|---|---|---|
| SSL certificate expiry | TLS handshake or browser trust | Certificate notAfter date |
| Domain expiry | DNS delegation, web, email, brand trust | WHOIS/RDAP expiration date |
| Nameserver delegation drift | DNS answers change or vanish | Registrar NS records vs expected NS |
| Registrar lock removed | Domain transfer risk | WHOIS/RDAP status codes |
You need all of these monitored separately.
Famous Domain Expiry Outages
This is not a theoretical failure mode.
- Microsoft Hotmail UK (2003) - hotmail.co.uk expired and was renewed by a private individual before being returned.
- Foursquare (2010) - the foursquare.com domain briefly expired because renewal notices were missed.
- Marketo (2017) - a domain lapse caused service disruption until a customer noticed and renewed the domain.
- HBO Now (2017) - a domain expiration affected HBO's streaming service.
- Sorenson Media (2018) - a domain lapse contributed to service availability issues during a bankruptcy period.
The pattern is consistent: the domain is managed outside the normal deploy path, owned by a small set of people, renewed through an aging billing setup, and ignored until it fails.
How Domains Expire in Real Companies
1. Auto-renew fails
The domain has auto-renew enabled, but the card on file expired, the billing contact left, or the registrar payment processor flagged the transaction. Everyone assumed auto-renew was enough.
Monitoring answer: expiration-date alerts at 60, 30, 14, 7, and 1 days out. Auto-renew is a convenience, not a control.
2. Renewal email goes to an abandoned mailbox
admin@example.com or an old employee's email receives the registrar notices. The mailbox is unmonitored, disabled, or filtered.
Monitoring answer: alert the engineering/on-call path from RDAP/WHOIS, not just the registrar billing contact.
3. Ownership transfer gets stuck
A domain transfer between registrars or corporate entities begins, then stalls in pending status. The domain still resolves today, but expiry approaches while nobody owns the renewal workflow.
Monitoring answer: track registrar, registrant organization, and domain status codes. Alert when registrar changes or transfer-related status appears unexpectedly.
4. ICANN verification is missed
Some registrar contact changes trigger verification requirements. If the contact is not verified, the domain can be suspended.
Monitoring answer: watch RDAP/WHOIS status and registrar notices, and keep admin contact emails current.
5. Domain portfolio sprawl
The main .com is renewed, but country-code domains, campaign domains, short links, branded auth domains, and API vanity domains are forgotten.
Monitoring answer: keep a domain inventory and monitor all production-impacting domains, not just the primary apex.
WHOIS and RDAP: The Monitoring Surface
WHOIS is the older protocol. RDAP (Registration Data Access Protocol) is the modern HTTP/JSON replacement used by many registries and registrars.
For monitoring, you care about:
| Field | Why it matters |
|---|---|
| Expiration date | The headline renewal risk |
| Registrar | Unexpected registrar change can signal transfer or acquisition drift |
| Nameservers | Delegation determines where DNS answers come from |
| Domain status | clientTransferProhibited, serverHold, redemptionPeriod, etc |
| Updated date | Unexpected recent change may indicate admin action or compromise |
| Registrant organization | Ownership drift after acquisition or rebrand |
Prefer RDAP where available because it is structured JSON. Fall back to WHOIS parsing for registries that do not expose complete RDAP.
Example RDAP fields:
```json
{
  "ldhName": "example.com",
  "events": [
    { "eventAction": "expiration", "eventDate": "2027-08-14T04:00:00Z" },
    { "eventAction": "last changed", "eventDate": "2026-01-10T12:20:00Z" }
  ],
  "status": ["client transfer prohibited"],
  "nameservers": [
    { "ldhName": "ns1.example-dns.com" },
    { "ldhName": "ns2.example-dns.com" }
  ]
}
```
Registrar Lock and Transfer Status
Domain expiry is not the only registrar-layer risk. Monitor status codes too.
Common healthy production status:
- clientTransferProhibited - prevents unauthorized transfer
- clientUpdateProhibited - optional, prevents unauthorized updates
- clientDeleteProhibited - optional, prevents unauthorized deletion
Dangerous or urgent statuses:
- redemptionPeriod - domain expired and is in recovery window
- pendingDelete - domain may soon be released
- serverHold / clientHold - domain is not published in DNS
- pendingTransfer - transfer in progress
Alert if a production domain loses transfer lock or enters any hold/redemption/pending-delete state.
Nameserver Delegation Monitoring
The domain registration points to authoritative nameservers. If those change, every DNS record can effectively change even if your DNS provider zone is untouched.
Monitor the registrar-level NS set:
```
Expected:
  ns1.dns-provider.com
  ns2.dns-provider.com
Observed:
  ns1.dns-provider.com
  ns2.dns-provider.com
```
Alert when:
- Any expected nameserver disappears
- Any unknown nameserver appears
- Nameserver count changes
- Parent-zone delegation differs from the records inside your DNS zone
This pairs with DNS Monitoring: The Overlooked Foundation of Website Reliability and the DNS deep-dive sibling post: DNS Propagation, CAA & DNSSEC Monitoring.
Monitoring Intervals and Thresholds
Domain expiry moves slowly, so the check interval can be slower than uptime checks. The alert thresholds should be aggressive enough to route to people who can act.
Recommended thresholds:
| Days until expiry | Severity | Action |
|---|---|---|
| 90 | Info | Confirm ownership and auto-renew |
| 60 | High | Renewal owner confirms billing |
| 30 | High | Escalate if no renewal ticket |
| 14 | Critical | Page domain owner and engineering lead |
| 7 | Critical | Renew manually; do not trust auto-renew |
| 1 | Emergency | Executive escalation, registrar support |
Check frequency:
- Primary production domains: daily
- Secondary production domains: daily or every 2 days
- Campaign and parked domains: weekly
- Subdomains: DNS monitoring, not WHOIS (subdomains do not have independent registrar expiry)
Domain Inventory: The Part Everyone Skips
Monitoring only works if you know which domains matter.
Build an inventory:
| Domain | Purpose | Registrar | Owner | Renewal contact | Impact |
|---|---|---|---|---|---|
| example.com | Primary web/app/email | Registrar A | Platform | infra@example.com | Critical |
| example.io | Product redirects | Registrar B | Marketing | growth@example.com | High |
| exmpl.link | Short links | Registrar C | Growth | growth@example.com | High |
| example-status.com | External status page | Registrar A | Support | support@example.com | Medium |
Track domains used for:
- Primary website
- API endpoints
- Auth redirects
- Status pages
- Email sending
- Short links
- CDN custom hostnames
- Customer-facing docs
- Regional domains
- Marketing campaigns
The status page domain matters too. If your main domain is down because it expired, a status page on the same domain cannot communicate the incident. See How to Build a Status Page Customers Trust.
What to Alert On
Critical (page)
- Domain expires in <= 14 days
- Domain status includes redemptionPeriod, pendingDelete, clientHold, or serverHold
- Registrar-level nameservers changed unexpectedly
- RDAP/WHOIS lookup fails for a production domain for > 24 hours
High (notification)
- Domain expires in <= 60 days
- Auto-renew status is disabled or unknown for production domain
- Registrar changed unexpectedly
- Transfer lock status removed
- Registrant organization changed
Informational
- Domain expires in <= 90 days
- WHOIS/RDAP updated date changed
- New domain added to inventory without owner
See Alert Fatigue: Notifications That Get Acted On for making these alerts actionable.
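The expiry thresholds, status-code rules, and nameserver-drift rules above can be evaluated against one parsed RDAP response. The sketch below is an added example, not Webalert's code or code from the original page; `evaluate`, `THRESHOLDS`, the other names, and the severity chosen for a missing expiration event are assumptions, and fetching the RDAP JSON is left out.

```python
from datetime import datetime, timezone

# Alert bands from the thresholds table, tightest first: (days remaining, severity).
THRESHOLDS = [(1, "Emergency"), (7, "Critical"), (14, "Critical"),
              (30, "High"), (60, "High"), (90, "Info")]
URGENT = {"redemptionperiod", "pendingdelete", "clienthold", "serverhold"}
TRANSFER_LOCK = "clienttransferprohibited"

def norm_status(s):
    # RDAP spells statuses with spaces ("client transfer prohibited"); WHOIS/EPP
    # uses camelCase ("clientTransferProhibited"). Fold both to one form.
    return s.replace(" ", "").lower()

def norm_host(h):
    # Hostnames compare case-insensitively and may carry a trailing root dot.
    return h.rstrip(".").lower()

def evaluate(rdap, expected_ns, now):
    """Return [(severity, message)] for one parsed RDAP domain object."""
    alerts = []
    expiry = next((e["eventDate"] for e in rdap.get("events", [])
                   if e.get("eventAction") == "expiration"), None)
    if expiry is None:
        # Assumption: a response without an expiration event is treated as High.
        alerts.append(("High", "no expiration event in RDAP response"))
    else:
        when = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
        days = (when - now).days
        for limit, severity in THRESHOLDS:
            if days <= limit:
                alerts.append((severity, f"expires in {days} days (<= {limit})"))
                break
    statuses = {norm_status(s) for s in rdap.get("status", [])}
    for s in sorted(statuses & URGENT):
        alerts.append(("Critical", f"urgent status: {s}"))
    if TRANSFER_LOCK not in statuses:
        alerts.append(("High", "transfer lock not present"))
    observed = {norm_host(n["ldhName"]) for n in rdap.get("nameservers", [])}
    expected = {norm_host(n) for n in expected_ns}
    if observed != expected:
        alerts.append(("Critical", f"nameserver drift: missing={sorted(expected - observed)} "
                                   f"unknown={sorted(observed - expected)}"))
    return alerts

# Constructed sample, modelled on the RDAP fields shown earlier on this page.
SAMPLE = {"ldhName": "example.com",
          "events": [{"eventAction": "expiration", "eventDate": "2027-08-14T04:00:00Z"}],
          "status": ["client transfer prohibited"],
          "nameservers": [{"ldhName": "ns1.example-dns.com"}, {"ldhName": "NS2.example-dns.com."}]}
EXPECTED_NS = ["ns1.example-dns.com", "ns2.example-dns.com"]
```

Pass a timezone-aware `now`; a naive datetime cannot be subtracted from the parsed RDAP timestamp.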
Incident Runbook: If Expiry Is Close
- Identify registrar and account owner.
- Log in and renew manually. Do not wait for auto-renew.
- Confirm payment method and renewal receipt.
- Verify domain status is not clientHold, serverHold, redemptionPeriod, or pendingDelete.
- Confirm parent-zone nameservers match expected.
- Run DNS checks for apex, www, API, MX, and status-page domains.
- Confirm TLS certificates still validate after DNS recovers.
- Communicate via status page and incident channels.
See Incident Runbook Template and Incident Escalation Policy for the incident process.
Domain Expiry Monitoring Checklist
- Production domain inventory exists
- Registrar, owner, renewal email, and business impact recorded per domain
- RDAP/WHOIS expiration date monitored daily
- Alert thresholds at 90/60/30/14/7/1 days
- Registrar status codes monitored
- Transfer lock (clientTransferProhibited) expected on critical domains
- Nameserver delegation monitored at registrar/parent level
- Auto-renew enabled but not trusted as the only control
- Renewal payment method owned by a team account, not one employee
- Status page domain is separate from primary production domain where possible
- SSL expiry monitoring configured separately
- DNS propagation monitoring configured separately
How Webalert Helps With Domain Expiry Monitoring
Webalert can monitor the domain layer alongside HTTP and DNS checks:
- Domain expiry checks - Monitor RDAP/WHOIS expiration dates and alert at 60/30/14/7/1 days.
- DNS checks - Confirm the domain still resolves from multiple regions.
- Nameserver monitoring - Alert when authoritative nameservers drift from expected values.
- HTTP monitoring - Catch the user-visible failure if a domain resolves to a parking page or registrar hold page.
- Content validation - Assert the homepage contains your expected brand content, not a registrar landing page.
- Multi-channel alerts - Email, SMS, Slack, Discord, Microsoft Teams, webhooks.
- Status page - Communicate domain/DNS incidents separately from application incidents.
Example Webalert configuration:
- Domain: example.com
- Expiry alerts: 60, 30, 14, 7, 1 days
- Expected nameservers: ns1.provider.com, ns2.provider.com
- HTTP check: https://www.example.com/
- Content must contain: your expected homepage marker
- Escalation: domain owner + platform on-call
See features and pricing for details.
Summary
- Domain expiry is worse than SSL expiry because it takes down web, API, email, OAuth, webhooks, and brand trust at once.
- Auto-renew is not a monitoring strategy. Billing failures, abandoned contact emails, transfers, and ICANN verification issues still happen.
- Monitor RDAP/WHOIS expiration dates, registrar status codes, transfer lock, and nameserver delegation.
- Alert at 90/60/30/14/7/1 days, with critical escalation at 14 days and below.
- Keep a domain inventory that includes primary, regional, campaign, short-link, status-page, and email-sending domains.
- Pair domain monitoring with SSL certificate monitoring and DNS propagation monitoring.
The cheapest infrastructure incident is the one you prevent 60 days before anyone can feel it.