The call came at 6 AM on Monday.
"The website is down."
I checked the servers. Running fine. Checked the load balancers. Healthy. Checked the application logs. Normal traffic until Saturday, then... nothing.
Then I checked the domain.
It had expired on Friday. We were in the grace period, but the DNS had already stopped resolving. Some registrars do that — stop service immediately, then give you 30 days to renew at penalty rates.
We renewed within the hour. DNS took another few hours to propagate. By the time everything was working, we'd lost three days of business, countless emails had bounced, and our customers thought we'd shut down.
The worst part? The renewal email had gone to an employee who left two years ago.
How Domains Get Lost
Domain expiration seems like it should be impossible to miss. It happens once a year. Registrars send reminder emails. Auto-renewal exists.
And yet, it happens constantly. Here's how:
The email goes to the wrong person. Domains are registered by individuals, often during company formation. That person leaves. The email goes to a dead inbox or a personal account they no longer check.
The credit card expires. Auto-renewal is enabled, but the card on file expired. The renewal fails. The registrar sends a notification — to that same email address nobody checks.
The company changes registrars. During the migration, some domains get transferred. Others don't. The old registrar still has a few domains on auto-renew, but nobody's watching that account anymore.
Acquisitions and mergers. Company A buys Company B. Company B's domains are somewhere in the pile of assets to transfer. A year later, one of those domains expires because nobody added it to Company A's renewal process.
Shadow IT domains. Marketing registered a domain for a campaign. IT doesn't know about it. When marketing's project owner leaves, the domain becomes orphaned.
International complications. The European subsidiary registered .eu domains. The US parent company has no visibility into that account.
The True Cost of Losing a Domain
"We'll just renew it when we notice."
Maybe. If you're lucky. But consider what happens in the meantime:
Business interruption. Your website is down. Email doesn't work. API endpoints return DNS errors. Customers think you've gone out of business.
Reputation damage. In 2024, a website going down means Google indexes a "this site can't be reached" page. Social media fills with "is [company] dead?" posts. Trust, once lost, takes months to rebuild.
Email loss. Emails sent to your domain bounce. You don't know who tried to contact you. Support tickets, sales inquiries, invoice payments — all bounced somewhere into the void.
SEO impact. Days of downtime hurt search rankings. Backlinks return errors. Google's crawler sees a dead site. Recovering organic traffic takes longer than recovering the domain.
Domain sniping. Opportunists watch for expiring valuable domains. If yours lapses past the grace period, it might be snatched by a competitor, domain investor, or scammer. Now you're negotiating to buy back your own domain — often for thousands of dollars.
Phishing risk. If someone else gets your old domain, they can impersonate you. Send emails from "your" company. Host a fake version of your website. Your customers become targets.
The Registrar's Email Problem
"But the registrar sends renewal reminders!"
They do. To an email address that was set when the domain was registered, possibly years ago. By someone who may no longer work at your company. Into an inbox that may no longer exist.
Even if the email address is current, registrar emails look like spam:
- "Action Required: Domain Renewal" (looks like a phishing attempt)
- Sent from noreply@registrar-you-forgot-you-use.com
- HTML-heavy marketing layout
- Landing in promotions or spam folders
I've talked to companies who learned their domain expired from customer complaints, not from registrar emails. The emails were there — just never seen.
Building Your Own Monitoring
Don't rely solely on registrar notifications. Monitor domain expiration yourself.
async function monitorDomainExpirations(domains) {
const alerts = {
critical: [], // Expires in <= 7 days
warning: [], // Expires in <= 30 days
upcoming: [], // Expires in <= 90 days
healthy: [] // More than 90 days
};
for (const domain of domains) {
const response = await fetch(
`https://api.apiverve.com/v1/domainexpiration?domain=${domain}`,
{ headers: { 'x-api-key': 'YOUR_API_KEY' } }
);
const { data } = await response.json();
const entry = {
domain: domain,
expirationDate: data.expirationDate,
daysRemaining: data.daysRemaining,
registrar: data.registrar
};
if (data.daysRemaining <= 7) {
alerts.critical.push(entry);
} else if (data.daysRemaining <= 30) {
alerts.warning.push(entry);
} else if (data.daysRemaining <= 90) {
alerts.upcoming.push(entry);
} else {
alerts.healthy.push(entry);
}
}
// Send alerts through your normal channels
if (alerts.critical.length > 0) {
sendPagerDutyAlert(alerts.critical);
}
if (alerts.warning.length > 0) {
sendSlackAlert('#ops', alerts.warning);
}
return alerts;
}
Run this daily. Put it in the same monitoring system you use for server health. Treat a domain expiring in 30 days with the same urgency as a disk filling up.
The Complete Domain Inventory
Before you can monitor domains, you need to know what you have.
You'd be surprised how many companies don't have a complete list. Domains live in different registrar accounts. Some were registered before the current IT team arrived. Some are for products that no longer exist.
Here's how to find them:
Check registrar accounts. Log into every registrar account you know about. GoDaddy, Namecheap, Google Domains, Cloudflare, Route 53. Export the domain lists.
Check DNS records. Your authoritative DNS might reference domains you've forgotten. Check for domains pointing to your IP ranges.
Check SSL certificates. Certificate Transparency logs show all domains with SSL certificates issued.
Check company records. Legal documents, incorporation papers, trademark registrations — these often reference domains.
Ask people. Marketing, legal, product managers. "Do you know of any domains the company owns that might not be on the IT list?"
Once you have the list, verify ownership:
import requests
def audit_domain_portfolio(domains):
"""
Audit company domain portfolio.
Returns comprehensive status for each domain.
"""
report = []
for domain in domains:
# Get expiration info
exp_response = requests.get(
'https://api.apiverve.com/v1/domainexpiration',
params={'domain': domain},
headers={'x-api-key': 'YOUR_API_KEY'}
)
exp_data = exp_response.json()['data']
# Get WHOIS info for ownership verification
whois_response = requests.get(
'https://api.apiverve.com/v1/whoislookup',
params={'domain': domain},
headers={'x-api-key': 'YOUR_API_KEY'}
)
whois_data = whois_response.json()['data']
report.append({
'domain': domain,
'expires': exp_data['expirationDate'],
'days_remaining': exp_data['daysRemaining'],
'registrar': exp_data['registrar'],
'registrant': whois_data.get('registrant', 'Unknown'),
'admin_email': whois_data.get('adminEmail', 'Unknown'),
'nameservers': whois_data.get('nameservers', []),
'status': 'ok' if exp_data['daysRemaining'] > 90 else 'needs_attention'
})
return report
# Generate audit report
portfolio = [
'company.com',
'company.net',
'company.io',
'product-name.com',
'old-acquisition.com'
]
report = audit_domain_portfolio(portfolio)
# Flag issues
for entry in report:
if entry['admin_email'] == 'Unknown' or '@company.com' not in str(entry['admin_email']):
print(f"Warning: {entry['domain']} - admin email not company-controlled")
if entry['days_remaining'] < 90:
print(f"Alert: {entry['domain']} expires in {entry['days_remaining']} days")
The Multi-Year Registration Strategy
One of the simplest protections: register important domains for multiple years.
Instead of renewing annually, register for 5 or 10 years. This:
- Reduces renewal frequency (fewer chances to miss)
- Locks in current pricing
- Signals domain stability (minor SEO benefit)
- Provides buffer against payment failures
Yes, it costs more upfront. But compare the cost of $150 for 10 years of .com registration against the cost of three days of business interruption. The math isn't close.
The Registrar Consolidation Strategy
Domains scattered across five registrars with different login credentials, different payment methods, and different notification settings are domains waiting to be forgotten.
Consolidate. Pick one registrar for your organization. Transfer everything there.
Benefits:
- Single dashboard for all domains
- Single payment method to maintain
- Single notification setting
- Single place to check expiration dates
The transfer process takes about a week per domain (ICANN mandates a waiting period). Yes, it's tedious. Do it anyway.
Auto-Renewal: Necessary but Not Sufficient
Auto-renewal should be enabled on all domains. But it's not a complete solution.
Auto-renewal fails when:
- Payment method expires
- Payment is declined (card fraud protection)
- Registrar account is closed
- Registrar goes out of business
- Domain is under legal hold
Don't disable auto-renewal. But don't rely on it exclusively either. Monitoring catches the cases auto-renewal misses.
The Renewal Playbook
When a domain is approaching expiration:
90 days out: Verify auto-renewal is enabled. Verify payment method is valid. Add to calendar.
60 days out: First alert. If auto-renewal is working, this is informational. If not, you have two months to fix it.
30 days out: Second alert. Someone should verify the renewal will happen. Log into the registrar, check status.
14 days out: Escalation. If renewal hasn't been confirmed, this becomes urgent. Renew manually if necessary.
7 days out: Critical. If still not resolved, this is an incident. Drop everything and fix it.
Expiration day: If you've reached this point with a critical domain, something is very wrong with your process.
When Domains Do Expire
If a domain does expire, act immediately:
During grace period (0-30 days post-expiration): Renew normally. May require paying a late fee. DNS may or may not be down depending on registrar.
During redemption period (30-60 days post-expiration): Renewal is expensive — often $100-200+ on top of normal renewal. The domain is pending delete but still recoverable.
After redemption (60+ days post-expiration): Domain is released to the public. If it's valuable, it's probably already been grabbed by domain investors or competitors. Recovery now means buying from whoever got it.
Know these timelines. They vary slightly by registrar and TLD, but the general pattern is consistent.
The Delegation Problem
"IT handles the domains" isn't a plan. IT needs to know which domains matter most, who to contact about renewals, and who makes decisions about domain purchases and retirements.
Document:
- Domain owner: Who is responsible for this domain?
- Purpose: What is this domain used for?
- Criticality: How bad is it if this domain goes down?
- Renewal contact: Who should be notified about renewals?
- Renewal approver: Who can authorize renewal payments?
For critical domains (main website, email, API endpoints), renewals should involve multiple people. No single point of failure.
Integration with Existing Monitoring
Domain expiration should be part of your existing ops monitoring, not a separate system that requires remembering to check.
# Example: Prometheus/Grafana integration
import requests
from prometheus_client import Gauge
domain_days_remaining = Gauge(
'domain_expiration_days',
'Days until domain expires',
['domain']
)
def update_domain_metrics(domains, api_key):
"""Update Prometheus metrics for domain expiration."""
for domain in domains:
response = requests.get(
'https://api.apiverve.com/v1/domainexpiration',
params={'domain': domain},
headers={'x-api-key': api_key}
)
data = response.json()['data']
domain_days_remaining.labels(domain=domain).set(data['daysRemaining'])
# Run daily via cron, alert in Grafana when any domain < 30 days
When domain expiration triggers the same alerts as CPU spikes or error rate increases, it won't be forgotten.
The Bottom Line
Losing a domain is embarrassing. It's preventable. It's usually the result of process failure, not technical failure.
The domain didn't expire because of a bug. It expired because nobody was watching.
Build monitoring that doesn't rely on registrar emails reaching the right person. Consolidate domains so you have a single place to check. Use multi-year registration to reduce risk. Enable auto-renewal, then verify it's actually working.
Your domain is your identity on the internet. Protect it like you protect your servers — with redundancy, monitoring, and clear ownership.
Don't be the company that learned about their expired domain from a customer complaint.
Ready to monitor your domain portfolio? The Domain Expiration API returns expiration dates and days remaining for any domain. The WHOIS Lookup API helps verify ownership and contact information. Set up automated monitoring before the next renewal slips through the cracks.
Originally published at APIVerve Blog
Top comments (0)