Vantaj
Back to blog
Infrastructure

Your Domain Has an Expiry Date and Nobody Is Watching It

Domain expiry is one of the most overlooked risks in infrastructure. Learn how forgotten renewals lead to outages, hijacking, and lost revenue.

·May 22, 2026 Updated June 4, 2026

In 2023, a well-known fintech startup lost access to their primary domain for 72 hours. Not because of a DNS attack. Not because of a hosting failure. Because someone's corporate credit card expired and the domain registrar couldn't process the auto-renewal payment.

Three days offline. Emails bouncing. API clients returning connection errors. Customer trust - gone.

Domain expiry is one of those risks that feels too basic to worry about. Until it happens.

Why domains expire when they shouldn't

The credit card problem

Most domain registrations are tied to a single payment method - usually a corporate credit card. Cards expire. Cards get canceled when employees leave. Finance departments issue new cards and forget to update the registrar.

The registrar sends a payment failure email. It lands in someone's inbox. That someone is on vacation, or has left the company, or the email goes to a shared inbox nobody checks.

The ownership problem

Who owns the domain? In a two-person startup, everyone knows. In a 50-person company, it gets murky. The domain might be registered under a founder's personal account. Or under a former CTO's email. Or through an agency that built the original website.

When renewal time comes around, the notification goes to whoever registered the domain - and that person might not work there anymore.

The "it's handled" assumption

Auto-renewal creates a dangerous false sense of security. Teams assume it's on and stop thinking about it. But auto-renewal can be turned off accidentally. Registrar policies change. Payment methods expire. And some TLDs have manual renewal processes that auto-renewal doesn't cover.

What happens when a domain expires

The consequences of domain expiry are worse than most teams realize:

Phase 1: Grace period (0–30 days)

Most registrars offer a grace period after expiry. Your domain stops resolving (your website and email go down), but you can still renew at the normal price. This is the window where most domains get recovered - usually in a panic.

Phase 2: Redemption period (30–60 days)

If you miss the grace period, the domain enters redemption. You can still get it back, but it costs significantly more - sometimes hundreds of dollars on top of the renewal fee. And your site has been down for a month.

Phase 3: Pending delete (60–75 days)

After redemption, the domain enters a pending delete queue. Once it drops, anyone can register it.

Phase 4: Someone else owns your domain

This is the nightmare scenario. Domain squatters and automated bots watch for expiring domains, especially ones with existing traffic and backlinks. Your domain gets snatched, and now you're negotiating with a squatter to buy back your own brand. Or worse - they put up a phishing page.

Beyond expiry: DNS and WHOIS changes matter too

Domain monitoring isn't just about the expiry date. Unexpected changes to DNS records or WHOIS data can signal serious problems:

DNS record changes

  • Nameserver changes could mean someone transferred your domain without authorization
  • A/AAAA record changes could redirect your traffic to a different server
  • MX record changes could reroute your email to an attacker
  • TXT record changes could break your SPF/DKIM/DMARC email authentication

WHOIS changes

  • Registrant changes could indicate an unauthorized domain transfer
  • Registrar changes could mean the domain was moved to a new provider
  • Nameserver changes in WHOIS confirm DNS-level changes at the registry level

These changes can happen through compromised registrar accounts, social engineering attacks, or even registrar-level vulnerabilities. Monitoring them gives you early warning before the damage spreads.

What good domain monitoring looks like

Multi-stage expiry alerts

A single "your domain expires tomorrow" email isn't useful. By then, it's a fire drill. Good monitoring gives you alerts at 30, 14, and 7 days out - enough time to investigate, fix payment issues, and verify the renewal.

DNS change tracking

Every DNS record change should be logged with before-and-after values and a timestamp. When something breaks, you can immediately see what changed and when, instead of guessing.

WHOIS monitoring

Track registrant information, nameservers, and registrar details. Changes to any of these fields should trigger an alert - they're rare enough that any change is worth investigating.

Unified dashboard

Domain health should live alongside your uptime and SSL monitoring, not in a separate tool. When your website goes down, you want to see uptime status, SSL validity, and domain registration status in one place - not switching between three dashboards.

A practical domain monitoring checklist

  1. Inventory every domain your company owns. Include the primary domain, marketing domains, product domains, and any domains you've registered defensively. Don't forget country-code TLDs.
  2. Verify the registrant contact. Make sure it's a current team email - not a personal address, not a former employee's email.
  3. Check the payment method. Log into your registrar and verify the card on file is current and won't expire before your next renewal date.
  4. Enable monitoring. Add every domain to your monitoring tool. Set up expiry alerts and DNS change tracking.
  5. Monitor domains you don't own but depend on. If your product integrates with a third-party API, their domain expiry is your problem too.
  6. Review quarterly. Set a calendar reminder to check your domain portfolio every quarter. New domains get added, old ones get forgotten - a regular review catches the gaps.

Don't wait for the wake-up call

Domain expiry is completely predictable and completely preventable. The expiry dates are public information. The renewal process is straightforward. The monitoring is simple.

Yet it still takes companies offline every single day, because nobody was watching.

Add your domains to a monitoring tool. Set up the alerts. Verify your payment methods. It takes five minutes, and it prevents one of the most embarrassing outages your team can have.

Because explaining to your CEO that the entire company went offline because nobody renewed the domain is a conversation you never want to have.