What happens when a domain expires?
When a domain passes its expiry date, it does not immediately become available for anyone to register. Instead, it moves through a series of phases defined by ICANN policy for gTLDs and enforced by the registry and your registrar. Understanding these phases tells you how much time you have to recover a lapsed domain, and how quickly an attacker could claim it.
- Renewal grace period (0 to 45 days): Most registrars offer a renewal grace period after expiry. Its length is set by the registrar, within the 45-day auto-renew window that gTLD registries allow. During this window, the original registrant can renew the domain at the standard price. Many registrars replace your name servers with a parking page at expiry, so web and email may stop working, but the domain is still yours to reclaim.
- Redemption period (30 days): If you miss the grace period, the registrar deletes the domain and it enters the registry's 30-day redemption period. You can still recover it, but only through the registrar that held it, and the restore fee is typically far higher than a standard renewal. The domain cannot be transferred during this time.
- Pending delete (5 days): After redemption expires, the domain enters a five-day pending delete phase. It cannot be renewed or recovered during this window. The registry is preparing to release it.
- Public release: The domain drops back into the general pool and becomes available for anyone to register on a first-come, first-served basis. Automated “drop catching” services monitor these releases and can snap up valuable domains within milliseconds.
Use our Domain Renewal Checker to see exactly when your domains are due for renewal and whether they are at risk of lapsing.
The domain lifecycle
Every domain follows the same lifecycle, from initial registration through to eventual expiry or renewal. The timeline below summarises the key phases and their typical durations for gTLDs (.com, .org, .net). Country-code TLDs such as .co.uk or .de may have different grace and redemption windows; always check with your registrar for the specific rules that apply.
| Phase | Duration | What happens |
|---|---|---|
| Active registration | 1 to 10 years | Domain resolves normally. DNS, email, and web services all function. |
| Renewal grace period | 0 to 45 days | Domain can be renewed at standard price. DNS may stop resolving. |
| Redemption period | 30 days | Recovery possible at a premium fee. Domain is locked. |
| Pending delete | 5 days | No recovery possible. Registry prepares the domain for release. |
| Public release | Immediate | Anyone can register the domain. Drop catchers may claim it in milliseconds. |
Understanding WHOIS and RDAP data
WHOIS is the original protocol for querying domain registration information: a plain-text exchange over TCP port 43 that returns the registrant's name, organisation, creation date, expiry date, name servers, and registrar details. RDAP (Registration Data Access Protocol) is the modern replacement. It is served over HTTPS, returns structured JSON, and has better support for internationalised data and access control, so it is the better choice for automated monitoring.
Key fields to pay attention to in a WHOIS or RDAP response:
- Registry Expiry Date: The date the domain registration expires. This is the single most important field for monitoring purposes. One caveat: for many gTLDs the registry auto-renews the name at expiry and bills the registrar, so this field can jump a year forward before you have paid anything. During the grace period, the registrar's own Registrar Registration Expiration Date is the deadline that matters.
- Updated Date: When the record was last modified. A recent change to a domain you did not initiate could indicate an unauthorised transfer or compromise.
- Registrar: The company through which the domain is registered. If this changes unexpectedly, the domain may have been transferred without your knowledge.
- Name Servers: The DNS servers authoritative for the domain. A change here can redirect all traffic, email, and services to attacker-controlled infrastructure.
- Domain Status (EPP codes): A set of standardised codes that indicate whether the domain is locked, pending transfer, or in a hold state. These are covered in detail in the next section.
Since the introduction of GDPR in 2018, many registrars redact personal information from public WHOIS records. You will often see “REDACTED FOR PRIVACY” in the registrant name, email, and address fields. This makes it harder to identify the owner of a domain, but the technical fields (expiry date, name servers, EPP status) remain visible. Use our WHOIS Lookup tool to query these records instantly for any domain.
EPP status codes explained
Extensible Provisioning Protocol (EPP) status codes appear in WHOIS output as the Domain Status field and in RDAP as the status array, where the same codes are spelled out in words (for example, "client transfer prohibited" for clientTransferProhibited). They tell you exactly what operations are permitted or blocked on a domain. Understanding these codes is critical for verifying that your domains are properly locked and protected against unauthorised changes.
| EPP Status Code | Set By | Meaning |
|---|---|---|
| clientTransferProhibited | Registrar | The registry rejects transfer requests until the registrar removes the status, which it does only when the domain owner explicitly unlocks the domain. |
| clientDeleteProhibited | Registrar | The registry rejects delete requests for the domain. The status must be removed before the domain can be deleted. |
| clientUpdateProhibited | Registrar | Blocks updates to the domain object at the registry: name servers, registrant and contact data, and the transfer authorisation code. Records inside the zone (A, MX, TXT) live at your DNS host and are not covered, so protect that account separately. |
| serverTransferProhibited | Registry | Registry-level transfer lock. Cannot be removed by the registrar; requires direct registry intervention. serverDeleteProhibited and serverUpdateProhibited work the same way for deletes and updates, and the three together are what a registry lock service sets. |
| serverHold | Registry | The domain is not included in the zone file, so it will not resolve. Often applied during disputes or compliance issues. |
| clientHold | Registrar | Similar to serverHold, but applied by the registrar. Common when payment has lapsed or the domain is suspended. |
| redemptionPeriod | Registry | The registrar has deleted the domain and it is in the 30-day redemption window. Only the registrar that held it can restore it, at a premium cost. |
| pendingDelete | Registry | The domain is scheduled for release. No recovery is possible during this five-day phase. |
A healthy, well-protected domain should show at least clientTransferProhibited in its EPP status. For high-value domains, you should also see clientDeleteProhibited and clientUpdateProhibited. A status of just ok (shown as "active" in RDAP) means no locks are set at all. Check your domains now with our WHOIS Lookup to verify these codes are present.
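The two sections above (the RDAP fields to watch, and the EPP codes that show whether a domain is locked or on hold) can be turned into a single point-in-time check. The following is an added example written for this article, not code from ShieldMarc's tools. SAMPLE_RDAP is a constructed response in the standard RDAP JSON shape (events, status, nameservers, entities); the domain, registrar and name servers in it are made up. The status strings use the RDAP vocabulary, which parse_rdap maps back to the EPP codes in the table. The warn_days threshold and the severity labels are assumptions.

```python
"""Point-in-time assessment of a domain from its RDAP record (added example)."""
from __future__ import annotations

import json
from datetime import datetime

# RDAP status value -> EPP status code as it appears in WHOIS output
RDAP_TO_EPP = {
    "active": "ok",
    "client transfer prohibited": "clientTransferProhibited",
    "client delete prohibited": "clientDeleteProhibited",
    "client update prohibited": "clientUpdateProhibited",
    "server transfer prohibited": "serverTransferProhibited",
    "server delete prohibited": "serverDeleteProhibited",
    "server update prohibited": "serverUpdateProhibited",
    "client hold": "clientHold",
    "server hold": "serverHold",
    "redemption period": "redemptionPeriod",
    "pending delete": "pendingDelete",
}

# Constructed RDAP document for illustration; not a real lookup result
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "EXAMPLE-BRAND.COM",
    "status": ["client transfer prohibited", "client delete prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "2015-03-10T14:02:11Z"},
        {"eventAction": "expiration", "eventDate": "2025-09-01T14:02:11Z"},
        {"eventAction": "last changed", "eventDate": "2025-08-20T09:15:00Z"},
    ],
    "nameservers": [{"ldhName": "NS2.EXAMPLE-DNS.NET"}, {"ldhName": "NS1.EXAMPLE-DNS.NET"}],
    "entities": [{
        "roles": ["registrar"],
        "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                 ["fn", {}, "text", "Example Registrar Ltd"]]],
    }],
})


def parse_ts(value: str) -> datetime:
    """RDAP dates are RFC 3339; older Pythons reject a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_rdap(doc: str) -> dict:
    """Reduce an RDAP domain object to the fields worth monitoring."""
    data = json.loads(doc)
    events = {e["eventAction"]: e["eventDate"] for e in data.get("events", [])}
    registrar = None
    for ent in data.get("entities", []):
        if "registrar" in ent.get("roles", []):
            for prop in ent.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    registrar = prop[3]
    return {
        "domain": data.get("ldhName", "").lower(),
        "expires": events.get("expiration"),
        "updated": events.get("last changed"),
        "registrar": registrar,
        "nameservers": sorted(ns["ldhName"].lower() for ns in data.get("nameservers", [])),
        "epp_status": sorted(RDAP_TO_EPP.get(s, s) for s in data.get("status", [])),
    }


def assess(snapshot: dict, now: datetime, warn_days: int = 30,
           high_value: bool = False) -> list[str]:
    """Findings in descending severity; an empty list means nothing to act on."""
    status = set(snapshot["epp_status"])
    findings = []
    if "pendingDelete" in status:
        findings.append("CRITICAL: pendingDelete - no recovery possible before release")
    elif "redemptionPeriod" in status:
        findings.append("CRITICAL: redemptionPeriod - restore now through the sponsoring registrar")
    if status & {"serverHold", "clientHold"}:
        findings.append("HIGH: hold status set - domain is out of the zone and will not resolve")
    if snapshot["expires"]:
        expires = parse_ts(snapshot["expires"])
        if expires < now:
            findings.append(f"CRITICAL: expired {(now - expires).days} days ago - renew before the grace period ends")
        elif (expires - now).days <= warn_days:
            findings.append(f"HIGH: expires in {(expires - now).days} days")
    if "clientTransferProhibited" not in status:
        findings.append("HIGH: clientTransferProhibited missing - registrar lock is off")
    if high_value:  # primary brand domains: expect the full client lock set and a registry lock
        for code in ("clientDeleteProhibited", "clientUpdateProhibited"):
            if code not in status:
                findings.append(f"MEDIUM: {code} missing on a high-value domain")
        if not any(c.startswith("server") and c.endswith("Prohibited") for c in status):
            findings.append("MEDIUM: no registry lock (no server*Prohibited status)")
    return findings


def demo(now_iso: str = "2025-08-25T00:00:00Z", high_value: bool = False) -> list[str]:
    """Run the check against the constructed sample as of a given date."""
    return assess(parse_rdap(SAMPLE_RDAP), parse_ts(now_iso), high_value=high_value)


if __name__ == "__main__":
    for line in demo(high_value=True):
        print(line)
```

Run against the sample as of 25 August 2025 it reports only that the domain expires in 7 days; with high_value=True it also flags the missing clientUpdateProhibited and the absence of any registry lock. To use it for real, fetch the JSON from the RDAP server for the TLD and pass the body to parse_rdap; the severity logic does not change.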
How attackers exploit expired domains
An expired domain is not just an inconvenience. It is an opportunity for attackers. Here are the most common exploitation techniques:
- Re-registration and phishing: An attacker registers the expired domain and sets up a convincing clone of the original website. Customers, partners, and suppliers who still have the old domain bookmarked or in their address books may visit the site and enter credentials or sensitive data.
- Email hijacking: By re-registering the domain and publishing MX records, an attacker receives every message still sent to the old addresses: password reset links, invoice notifications, and internal correspondence from people who have not updated their address books. Because the attacker now controls the zone, they can also publish their own SPF, DKIM and DMARC records, so outbound mail that impersonates the original organisation passes authentication checks and lands in inboxes.
- SEO hijacking: Expired domains often retain their backlink profile. Search engines may still trust the domain based on its historical link authority. Attackers exploit this by hosting spam or malware on the re-registered domain, benefiting from the inherited search rankings.
- Subdomain takeover: If a record in your zone points at a host under a domain that expires, whoever re-registers that domain controls the target. A CNAME hands them the service on that subdomain, an NS delegation hands them an entire subtree of your namespace, and an MX record hands them your inbound mail. Legacy vendor integrations, SaaS platforms and CDN configurations are where these dangling records usually hide.
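The dangling-record case above is easiest to find from your own zone data rather than from the outside. The following is an added example written for this article, not ShieldMarc's tool code, and it goes slightly beyond the text by treating NS and MX targets the same way as CNAMEs. The zone export and the set of "registered" domains are constructed; in a real run, is_registered would be an RDAP or WHOIS lookup, and registrable_domain would use the full public suffix list instead of the short MULTI_LABEL_SUFFIXES set assumed here.

```python
"""Find zone records whose targets sit under a domain nobody holds (added example)."""
from __future__ import annotations

import re
from typing import Callable

# Constructed BIND-style zone export for the made-up example-brand.com
ZONE = """
www.example-brand.com.       300 IN CNAME  example-brand.com.
shop.example-brand.com.      300 IN CNAME  shop-123.saas-host.net.
status.example-brand.com.    300 IN CNAME  example-brand.statuspage-vendor.io.
dev.example-brand.com.       300 IN NS     ns1.old-devops-agency.co.uk.
example-brand.com.           300 IN MX 10  mail.legacy-mailhost.com.
example-brand.com.           300 IN A      192.0.2.10
"""

# Assumption: a tiny stand-in for the public suffix list, where the
# registrable name is three labels long (e.g. brand.co.uk)
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz"}

# owner  ttl  IN  type  [preference]  target  (A/AAAA/TXT deliberately ignored)
RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|NS|MX)\s+(?:\d+\s+)?(\S+)$")


def registrable_domain(fqdn: str) -> str:
    """Reduce a host name to the domain that someone would have to register."""
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def external_targets(zone: str, owned: set[str]) -> list[tuple[str, str, str]]:
    """(owner, record type, target's registrable domain) for every pointer outside our estate."""
    found = []
    for line in zone.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        owner, rtype, target = m.groups()
        base = registrable_domain(target)
        if base not in owned:
            found.append((owner.rstrip("."), rtype, base))
    return found


def dangling(zone: str, owned: set[str],
             is_registered: Callable[[str], bool]) -> list[tuple[str, str, str]]:
    """External pointers whose target domain is not currently registered by anyone."""
    return [(o, t, b) for o, t, b in external_targets(zone, owned)
            if not is_registered(b)]


# Constructed registry state: the old agency and the legacy mail host have lapsed
REGISTERED = {"saas-host.net", "statuspage-vendor.io"}


def demo() -> list[tuple[str, str, str]]:
    return dangling(ZONE, {"example-brand.com"}, lambda d: d in REGISTERED)


if __name__ == "__main__":
    for owner, rtype, base in demo():
        print(f"{owner} {rtype} -> {base} is unregistered: anyone can claim it")
```

On the constructed zone the check surfaces the NS delegation for dev.example-brand.com and the MX record for the apex, both pointing at domains that are free to register. Note what it does not catch: a CNAME to a registered SaaS domain whose specific resource has been released (the classic subdomain takeover) needs a service-specific check, not a registration lookup.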
Use the Brand Protection Checker to scan for lookalike domains that may be impersonating your brand, and the Security Grade Check to assess your overall domain security posture.
Domain locking and transfer protection
Domain locking is the most effective defence against unauthorised transfers. When a domain is locked, the registrar will reject any transfer request until the lock is explicitly removed by the domain owner. There are two levels of locking:
- Registrar lock (client-level): This is the standard lock available through your registrar's control panel. It sets the clientTransferProhibited EPP status and is sufficient for most domains. Every domain you own should have this enabled by default.
- Registry lock (server-level): A premium service offered by some registries and registrars for high-value domains. It sets serverTransferProhibited, serverDeleteProhibited, and serverUpdateProhibited at the registry level, requiring manual verification (often a phone call or in-person confirmation) before any changes can be made. This is strongly recommended for primary brand domains.
In addition to locking, ensure that your registrar account itself is secured with strong, unique credentials and two-factor authentication. The registrar account is the single point of failure for all domains it controls. A compromised registrar account can unlock, transfer, or delete every domain in the portfolio. Make sure the account's login and recovery email addresses are not themselves on a domain managed from that same account, or an expiry or transfer could lock you out of the very account you need to fix it.
Best practices for domain registration security
Protecting your domain registrations requires a combination of technical controls and operational discipline. The following practices apply to organisations of all sizes:
- Enable auto-renewal: This is the single most effective way to prevent accidental expiry. Ensure that the payment method on file is current and that you receive confirmation emails when renewals are processed.
- Register for multiple years: Registering a domain for three to ten years reduces the frequency of renewal events and the risk of a lapsed payment causing an accidental expiry. Each renewal you do not have to process is one fewer chance for a missed email or an expired card to cost you the domain.
- Lock all domains: Enable registrar lock (clientTransferProhibited) on every domain you own. For primary brand domains, consider registry lock as well.
- Monitor expiry dates proactively: Do not rely solely on registrar renewal emails. These can end up in spam folders or be sent to an email address that is no longer monitored. Use an independent monitoring tool such as our Domain Renewal Checker to track all your domains in one place.
- Use dedicated admin contacts: Avoid using a single person's personal email as the registrant or admin contact. Use a shared mailbox dedicated to domain administration that multiple team members can access. This prevents domains from becoming orphaned when staff leave the organisation.
- Secure your registrar account: Enable two-factor authentication, use a strong and unique password, and restrict access to authorised personnel only. Review account access logs regularly.
- Maintain a domain inventory: Keep a central register of every domain your organisation owns, including parked domains, redirects, and legacy domains. Our guide to redirecting parked domains explains how to manage these securely.
- Register defensive domains: Consider registering common misspellings, alternative TLDs, and variations of your primary brand name to prevent them from being used in phishing campaigns. Our Brand Protection Checker can help identify which lookalike domains are already registered.
How to monitor your domains
Effective domain monitoring goes beyond simply checking the expiry date. A comprehensive monitoring approach should cover:
- Expiry and renewal status: Check when each domain is due for renewal and whether auto-renewal is active. Our Domain Renewal Checker retrieves this information directly from RDAP and WHOIS data.
- WHOIS record changes: Monitor for unexpected changes to registrar, name servers, or EPP status codes. A sudden change could indicate an unauthorised transfer or a compromise. Use our WHOIS Lookup to inspect the current state of any domain.
- SSL certificate expiry: Your SSL certificates and domain registrations are independent systems with separate expiry dates. Monitor both. Our SSL monitoring guide covers what to check and how often.
- DNS configuration health: Ensure that your DNS records (MX, SPF, DKIM, DMARC) remain correctly configured after any domain or registrar changes. Run a Security Grade Check to analyse your DNS, email authentication, and SSL posture in a single scan.
- Lookalike and impersonation domains: Attackers often register domains that closely resemble yours to target your customers and staff. Continuous monitoring for newly registered lookalike domains is a critical part of brand protection.
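Monitoring for WHOIS record changes, as the list above describes, means comparing today's lookup with yesterday's rather than judging a single record on its own. The following is an added example written for this article, not ShieldMarc's monitoring code. Both snapshots are constructed dictionaries in an assumed shape (registrar, name servers, EPP status list, expiry date); in a real monitor they would be the normalised output of two consecutive RDAP runs. The alert wording is an assumption.

```python
"""Alert on changes between two daily registration snapshots (added example)."""
from __future__ import annotations

# Statuses whose disappearance means a lock was removed, and whose
# appearance means the domain will stop resolving
LOCK_CODES = {"clientTransferProhibited", "clientDeleteProhibited", "clientUpdateProhibited",
              "serverTransferProhibited", "serverDeleteProhibited", "serverUpdateProhibited"}
HOLD_CODES = {"clientHold", "serverHold", "redemptionPeriod", "pendingDelete"}

# Constructed snapshots: the .com shows the signature of an account compromise
# (registrar and name servers changed, locks gone); the .co.uk simply renewed.
YESTERDAY = {
    "example-brand.com": {
        "registrar": "Example Registrar Ltd",
        "nameservers": ["ns1.example-dns.net", "ns2.example-dns.net"],
        "epp_status": ["clientDeleteProhibited", "clientTransferProhibited"],
        "expires": "2026-09-01T14:02:11Z",
    },
    "example-brand.co.uk": {
        "registrar": "Example Registrar Ltd",
        "nameservers": ["ns1.example-dns.net", "ns2.example-dns.net"],
        "epp_status": ["clientTransferProhibited"],
        "expires": "2025-10-15T00:00:00Z",
    },
}
TODAY = {
    "example-brand.com": {
        "registrar": "Other Registrar Inc",
        "nameservers": ["ns1.attacker-dns.example", "ns2.attacker-dns.example"],
        "epp_status": ["ok"],
        "expires": "2026-09-01T14:02:11Z",
    },
    "example-brand.co.uk": {
        "registrar": "Example Registrar Ltd",
        "nameservers": ["ns1.example-dns.net", "ns2.example-dns.net"],
        "epp_status": ["clientTransferProhibited"],
        "expires": "2026-10-15T00:00:00Z",
    },
}


def diff_snapshots(old: dict, new: dict) -> list[str]:
    """One alert line per material change, grouped by domain name."""
    alerts = []
    for domain in sorted(old):
        if domain not in new:
            alerts.append(f"{domain}: missing from today's snapshot - confirm it is still registered")
            continue
        o, n = old[domain], new[domain]
        if o["registrar"] != n["registrar"]:
            alerts.append(f"{domain}: registrar changed {o['registrar']!r} -> {n['registrar']!r} "
                          "(possible unauthorised transfer)")
        added_ns = sorted(set(n["nameservers"]) - set(o["nameservers"]))
        removed_ns = sorted(set(o["nameservers"]) - set(n["nameservers"]))
        if added_ns or removed_ns:
            alerts.append(f"{domain}: name servers changed (+{added_ns} -{removed_ns})")
        lost_locks = (set(o["epp_status"]) - set(n["epp_status"])) & LOCK_CODES
        if lost_locks:
            alerts.append(f"{domain}: lock removed: {sorted(lost_locks)}")
        new_holds = (set(n["epp_status"]) - set(o["epp_status"])) & HOLD_CODES
        if new_holds:
            alerts.append(f"{domain}: entered {sorted(new_holds)} - resolution will stop")
        # RFC 3339 UTC timestamps compare chronologically as strings
        if n["expires"] > o["expires"]:
            alerts.append(f"{domain}: renewal processed, expiry now {n['expires']}")
    for domain in sorted(set(new) - set(old)):
        alerts.append(f"{domain}: new in inventory - confirm we registered it")
    return alerts


if __name__ == "__main__":
    for line in diff_snapshots(YESTERDAY, TODAY):
        print(line)
```

The renewal line is deliberately an alert rather than silence: a monitor that confirms auto-renewal actually happened is how you notice the payment card that quietly stopped working.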
If you are migrating from a government-provided monitoring service, our guide on the NCSC Mail Check retirement explains what has changed and how to replace the functionality that was lost.
Next steps
Domain registration security is not a one-time task. It requires ongoing vigilance, regular audits, and proactive monitoring. Start by running the following checks on every domain your organisation owns:
- Check your expiry dates with the Domain Renewal Checker.
- Verify your EPP status codes and registrar details with the WHOIS Lookup.
- Run a Security Grade Check to assess your DNS, email authentication, and SSL posture.
- Scan for lookalike domains with the Brand Protection Checker.
- Enable registrar lock and two-factor authentication on your registrar account.
Protect your domains before they lapse
Use our free Domain Renewal Checker and WHOIS Lookup to check your registration status, expiry dates, and EPP codes instantly. No signup required.
Need continuous monitoring across all your domains? Create a free ShieldMarc account to get daily domain health checks, SSL expiry alerts, DMARC reporting, and brand protection in a single dashboard.