Domain Expiry Monitoring: Why Your Domain's Expiration Date Is a Security Risk
An expired domain can be registered by anyone -- and used to impersonate your business, intercept your email, or phish your customers. Domain expiry monitoring via RDAP catches this before it happens. Here is how domain registration security works, what Scanward checks, and how to prevent domain hijacking.
The Most Overlooked Expiry Date in IT
SSL certificate monitoring has become standard practice. Most teams have some form of cert expiry alerting in place -- even if it is just a cron job running openssl s_client. But ask the same team when their primary domain registration expires, and you will likely get a blank stare.
This is a mistake. An expired SSL certificate shows visitors a browser warning. An expired domain hands your entire online identity to whoever registers it next. The consequences are not in the same league.
When a domain expires and someone else picks it up, they control everything: your website, your email, your DNS records, your brand. They can set up a convincing phishing site on your exact domain. They can receive password reset emails intended for your employees. They can intercept customer communications. And they can do all of this without breaking into a single system -- because the domain is legitimately theirs.
Domain expiry monitoring exists to make sure this never happens. It is the simplest, most cost-effective way to prevent domain hijacking -- and yet most organizations do not have it in place.
What Happens When a Domain Expires
Domain expiration is not instant. There is a defined lifecycle after the registration period ends, and understanding it explains why some organizations recover and others lose their domains permanently.
The typical timeline after a domain's registration date passes looks like this:
- Auto-renewal period (0-45 days). Most registrars attempt to renew the domain automatically using the payment method on file. If renewal succeeds, nothing changes. If it fails -- expired credit card, insufficient funds, cancelled account -- the domain enters the next phase.
- Grace period (0-45 days). The domain is no longer active, but the original registrant can still renew it at the standard price. DNS resolution may stop. Email stops flowing. Your website goes down. But you can still recover.
- Redemption period (30 days). The domain can still be recovered, but at a significantly higher cost -- typically $100 to $300 on top of the renewal fee. The registrar holds it as a last resort for the original owner.
- Pending delete (5 days). The domain is queued for release back into the general pool. Nobody can renew or register it during this phase.
- Available for registration. Anyone can register the domain on a first-come, first-served basis. Automated systems -- including those run by domain squatters and attackers -- monitor pending-delete lists and snap up valuable domains within seconds of release.
The exact timing varies by registrar and TLD. Some registrars skip the grace period entirely. Some TLDs have shorter redemption windows. The point is that once you miss the auto-renewal window, recovery becomes progressively harder and more expensive -- and eventually impossible.
The real-world consequences of a domain falling through this pipeline are severe:
- Email stops working immediately. MX records resolve to nothing, or worse, to the new owner's mail server. Customer emails bounce, password resets fail, and business communications are silently lost or intercepted.
- Your website goes dark. DNS stops resolving, and every link pointing to your domain -- from Google search results, partner sites, marketing materials, printed collateral -- leads to a dead page or someone else's content.
- SEO rankings are destroyed. Years of search engine optimization vanish. Google treats the domain as a new entity once re-registered by someone else. If you recover the domain later, your backlink profile, domain authority, and rankings need to be rebuilt from scratch.
- Brand trust evaporates. If an attacker registers your expired domain and puts up a phishing site or malware distribution page, your customers and partners associate your brand with the attack. The reputational damage can outlast the incident by years.
Attackers know this lifecycle. They actively monitor domain expiry dates using the same RDAP and WHOIS data that legitimate monitoring tools use. They run automated systems that watch for high-value domains approaching expiration and register them the moment they become available. A domain expiration alert is your defense against this.
Why Domains Expire Accidentally
Nobody plans to let a critical domain expire. It happens because of operational gaps that compound over time.
- The credit card on file expired. This is the single most common cause. A domain was registered with a corporate card that got reissued, cancelled, or reassigned. The registrar's auto-renewal fails silently, and the only notification goes to an email address nobody monitors.
- A former employee registered the domain. The domain was bought years ago by someone who has since left the company. It is tied to their personal registrar account, their personal email, and their personal payment method. Nobody in the current team knows the login credentials, and the renewal notices go to an inbox that no longer exists.
- Acquired company domains fell through the cracks. After a merger or acquisition, the acquiring company inherits dozens of domains registered across multiple registrars, billing accounts, and admin contacts. Without a systematic domain inventory, some of these domains inevitably get missed during consolidation.
- Auto-renewal was disabled by mistake. Someone toggled it off while changing another setting in the registrar's control panel. Or the registrar changed their default settings during a platform migration. Or the domain was transferred to a new registrar that does not enable auto-renewal by default.
- The registrar changed its renewal process. A registrar got acquired, changed billing systems, or updated its API. The payment method on file did not migrate cleanly, and the domain is now set to manual renewal with no valid payment attached.
- Nobody owns the domain inventory. In organizations without a clear owner for domain management -- common in SMBs and mid-market companies -- domain renewals depend on whoever remembers. That is not a process. That is luck.
For MSPs managing client infrastructure, the risk multiplies. Every client potentially has domains across different registrars, different billing accounts, and different admin contacts. Without centralized domain expiry monitoring, the MSP is one missed renewal away from a client's business going offline.
Monitor your domain expiry dates automatically
Scanward checks your domain registration status via RDAP on every scan. Get alerts at 90, 30, and 7 days before expiration -- before it becomes a crisis. Free for one domain.
What Is RDAP?
RDAP -- Registration Data Access Protocol -- is the modern replacement for WHOIS. If you have ever run a whois command to look up a domain's registration details, RDAP does the same thing, but better.
WHOIS has been the standard for domain lookups since the 1980s. It works, but it has significant limitations: the output is unstructured plain text that varies between registrars, it has no standardized error handling, it does not support authentication or access control, and it has no internationalization support. Parsing WHOIS output reliably across different registrars is an exercise in frustration.
RDAP, standardized by the IETF in RFCs 7480-7484 and mandated by ICANN for all gTLD registries and registrars, fixes these problems:
- JSON-based responses. RDAP returns structured JSON, making it trivially machine-readable. No more regex parsing of free-text WHOIS output.
- Standardized format. Every RDAP server returns data in the same structure, regardless of registrar. The expiration date is always in the same field, in the same format.
- HTTPS transport. RDAP uses HTTPS, providing transport encryption. WHOIS runs over TCP port 43 with no encryption.
- Bootstrapping. RDAP includes a discovery mechanism (via IANA bootstrap files) that automatically directs queries to the correct server for each TLD, eliminating the need to maintain a list of WHOIS servers.
- Access control. RDAP supports differentiated access -- authenticated users can receive more detailed results, while anonymous queries receive rate-limited, privacy-compliant responses.
For domain expiry monitoring, RDAP is the right data source. Scanward queries the RDAP endpoint for each monitored domain to retrieve registration expiry dates, registrar information, and domain status codes -- reliably, in a standardized format, on every scan cycle. This is what makes an automated RDAP domain check practical at scale, where WHOIS parsing never was.
What Scanward Checks
Scanward's domain registration scanner queries RDAP for each monitored domain and evaluates four aspects of domain registration security. Each check starts at a base score of 100, with deductions for issues found.
Registration expiry date
The scanner retrieves the domain's expiration date from RDAP and calculates the number of days remaining. Three alert thresholds apply, and an expired domain drops the score to zero:
- Less than 90 days remaining: -10 points. This is the early warning. Your domain is approaching its renewal window, and you should verify that auto-renewal is enabled and the payment method on file is current.
- Less than 30 days remaining: -25 points. Your domain is inside the typical auto-renewal window. If auto-renewal has not triggered yet, something may be wrong. Check your registrar account.
- Less than 7 days remaining: -50 points. Your domain is about to expire. Auto-renewal has almost certainly failed. Immediate manual action is required.
- Domain expired: score drops to 0. The domain is past its expiration date and is at risk of being released for registration by anyone.
Registrar lock status
The scanner checks for the clientTransferProhibited status code, commonly known as registrar lock. When enabled, this status prevents the domain from being transferred to another registrar without explicit authorization from the current owner. If registrar lock is not enabled, the score takes a -15 point deduction.
Registrar lock is one of the most important and most under-used domain security controls. Without it, an attacker who gains access to your registrar account -- through credential stuffing, phishing, or social engineering of the registrar's support team -- can transfer the domain to a registrar they control. Once transferred, recovering the domain becomes a legal and procedural nightmare that can take weeks or months.
Registrar identification
The scanner records which registrar currently manages the domain. This is primarily contextual -- it helps you verify that the domain is at the registrar you expect and has not been transferred without your knowledge. It also gives you a quick reference for where to go to manage renewal and lock settings.
Registration date
The scanner records when the domain was originally registered. This is contextual data that provides useful background: a domain registered 15 years ago has a different risk profile than one registered last month. Older domains are more likely to have entrenched operational dependencies and are higher-value targets for hijacking.
Here is the complete scoring breakdown:
| Check | Condition | Score Impact |
|---|---|---|
| Domain expired | Past expiration date | Score = 0 |
| Expiry < 7 days | Critical -- renewal likely failed | -50 |
| Expiry < 30 days | Warning -- inside renewal window | -25 |
| Expiry < 90 days | Early warning | -10 |
| No registrar lock | clientTransferProhibited not set | -15 |
The domain registration score is one component of your overall domain security grade. A failing registration score -- especially an expired domain -- will significantly impact your total rating, and rightly so. If you do not control your domain, nothing else matters.
How to Protect Your Domains
Domain registration security is not complicated. It requires attention, not expertise. Here are the practical steps that prevent domain hijacking and accidental expiration.
Enable auto-renewal at your registrar
This is the most basic and most important step. Log into every registrar account where you own domains and verify that auto-renewal is enabled for every domain. Do not assume it is on by default -- some registrars disable it after account changes or domain transfers.
Keep payment information current
Auto-renewal is useless if the payment method on file is expired or cancelled. Set a recurring calendar reminder -- quarterly is reasonable -- to verify that the credit card or payment method attached to each registrar account is still valid. If your organization uses a corporate card, make sure the card replacement process includes updating registrar billing information.
Enable registrar lock
Enable clientTransferProhibited on every domain you own. This is a single click in most registrar control panels, and it prevents unauthorized transfers. There is no reason to leave it disabled unless you are actively in the process of transferring a domain.
Register domains for multiple years
Instead of renewing annually, register your critical domains for 5 or 10 years. The cost difference is minimal -- most domains are $10-15 per year -- and it dramatically reduces the frequency at which renewal can fail. A domain registered for 10 years gives you a decade before the next renewal event.
Use a domain monitoring tool
Even with auto-renewal and current payment info, things go wrong. Registrar billing systems change. Payment processors decline charges for fraud flags. Admin contacts get out of date. An external domain expiry monitoring tool like Scanward acts as your safety net -- it watches your domain's RDAP data independently of your registrar and alerts you when expiration is approaching, regardless of whether auto-renewal is working.
Maintain a domain inventory
You cannot protect domains you do not know about. Build and maintain a complete list of every domain your organization owns, including which registrar manages it, which account it is under, who the admin contact is, and when it expires. For MSPs, this inventory should cover every client domain you manage. Review it quarterly.
Set up email alerts for expiry
Most registrars send renewal reminders, but they send them to the admin contact email on the domain's registration record. If that email address is a former employee's personal account or a defunct shared mailbox, you will never see the alerts. Update the admin contact on every domain to a current, monitored email address -- ideally a group address like [email protected] that survives employee turnover.
The combination of auto-renewal for prevention and external monitoring for verification is the standard for domain registration security. Auto-renewal handles the happy path. Domain expiry monitoring catches everything else.
Putting It All Together
Domain registration is foundational infrastructure. It sits underneath your DNS, your website, your email, your SSL certificates -- everything. If the domain expires, all of those layers collapse simultaneously. And unlike most infrastructure failures, a domain expiration can result in permanent loss of control if someone else registers the domain before you recover it.
The operational discipline required to prevent this is straightforward: enable auto-renewal, keep payment info current, lock your domains, and monitor expiry dates externally. None of this is technically difficult. The hard part is doing it consistently, across every domain, at every registrar, through every employee transition and organizational change.
That consistency is what automated domain expiry monitoring provides. Scanward queries RDAP for every monitored domain on every scan cycle, checks registration expiry, verifies registrar lock status, and alerts you at 90, 30, and 7 days before expiration. The domain registration check is part of a broader domain security grade that also covers SSL certificates, DNS, HTTP security headers, email authentication, and uptime -- giving you a single view of your external attack surface.
Do not wait until your domain expires to find out nobody was watching it.
Check your domain's registration status now
Scanward monitors your domain registration expiry, registrar lock, SSL certificates, DNS, security headers, and email authentication -- continuously, automatically. Get your free domain security grade in 30 seconds.