Expired Domain Risks: What Happens When a Domain Lapses


## What Happens When a Domain Expires?

Every domain name has a registration period — typically one to ten years. When that period ends and the registration is not renewed, the domain enters a series of grace and redemption periods defined by ICANN policy before eventually being released back into the public pool of available registrations.

For the domain owner, expiry is a crisis waiting to happen. For attackers, monitoring services, and domain investors, an expiring domain is an opportunity.

## The Expiry Timeline

The exact timeline varies by TLD and Domain Registrar, but the general sequence for generic TLDs (`.com`, `.net`, `.org`) is:

1. **Expiry date**: The registration lapses. The domain may still resolve for a short period, as some registrars provide a grace window.
2. **Auto-renew grace period (0–45 days)**: The registrar may still hold the domain and allow renewal, sometimes at the standard price, sometimes with a renewal fee.
3. **Redemption grace period (30 days)**: The domain is placed in a `pendingDelete` / `pendingRestore` status. The owner can still recover it, but typically at a significantly higher fee ($100–$300+).
4. **Pending delete (5 days)**: The domain is queued for deletion. Recovery is no longer possible through normal means.
5. **Drop**: The domain is released and becomes available for general registration.

The gap between your expiry date and the final drop can be as short as 75 days — less than three months from a forgotten renewal to anyone being able to register your domain.

## Who Catches Dropped Domains?

Domain drop-catching services monitor the deletion queue and attempt to register valuable domains the moment they become available. These services compete with millisecond-precision automated registrations. A domain with traffic, backlinks, or brand recognition will be caught almost immediately upon release.

Common actors:

- **Domain investors / flippers**: Resell the domain for profit.
- **Cybersquatters**: Hold the domain to sell back to the original owner at an inflated price.
- **Attackers**: Exploit the domain's existing trust — search engine rankings, backlinks, email infrastructure — to conduct phishing or malware distribution.
- **Competitors**: Acquire your domain to capture your traffic.

## Security Risks of an Expired Domain

The risks extend far beyond losing a website address.

**Email interception**: If your domain previously hosted email (or still does for other users or services), an attacker who registers the expired domain can receive email sent to any address at that domain. Password reset emails, account confirmation links, and internal communications may all arrive in their inbox.

**SEO reputation hijacking**: A domain with years of legitimate backlinks and search engine trust is valuable. Attackers can use this to boost phishing sites or serve malware from an established-looking domain.

**OAuth and authentication abuse**: Many services use email addresses as account identifiers. If an attacker registers your expired domain and sets up email, they can use "forgot password" flows on services where your team had accounts at that domain.

**Credential theft**: Former employees, contractors, or customers may have saved passwords using your old domain as the username. A look-alike or re-registered site may attempt to phish those users.

**Subdomain takeover**: If your expired domain had DNS records pointing to cloud services (S3, GitHub Pages, Heroku, etc.) and those services were not cleaned up, an attacker who registers the domain can take over those subdomains.

## Prevention: Auto-Renew and Monitoring

The core defence is straightforward: never let important domains expire.

**Enable auto-renew** at your registrar for every domain you intend to keep. Auto-renew uses the payment method on file to renew the domain before expiry, without requiring manual action.

**Verify your payment method is current.** An expired credit card is the silent killer of auto-renew. Set a calendar reminder to update payment details at your registrar before your card expires.

**Register for the maximum available period.** Many registrars allow up to 10 years of advance registration for gTLDs. Longer registration periods mean fewer renewal events and less opportunity for a renewal to be missed.

**Set independent expiry reminders.** Do not rely solely on registrar email notifications — they may land in a spam folder or go to a former employee's address. Add domain expiry dates to a shared calendar and set reminders at 90 days and 30 days out.

**Keep your registrant contact email current.** Your registrar sends renewal notices to the email on your domain's registration record. If that email address is defunct, you will not receive warnings.

## What to Do If Your Domain Has Expired

If your domain has just expired (within the auto-renew grace period), log in to your registrar immediately and renew. The standard renewal price applies.

If it has entered the redemption grace period, contact your registrar. Recovery is possible but typically costs $100–$300+ in restoration fees on top of the renewal charge.

If the domain has already been registered by a third party, your options are:

- **Purchase it back** from the new registrant (this can be expensive or impossible if they are squatting).
- **File a UDRP complaint** if the domain contains your trademark and was registered in bad faith.
- **Court action** under national trademark or cybersquatting law in egregious cases.

Recovery is far more expensive and uncertain than prevention. Enable auto-renew today and confirm it annually as part of your Domain Security Checklist.
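The independent-reminder check above and the expiry timeline can be turned into a small audit script. This is an added example, not code from the article: it reads RDAP-shaped domain records (the `events` / `eventAction: "expiration"` layout is the real RDAP response format, but the sample domains, dates and the phase names are constructed for this example) and reports, per domain, whether it is inside the 90-day or 30-day reminder window or, if already expired, which post-expiry phase of the timeline it is in.

```python
from datetime import datetime, timezone

# Thresholds from the article: reminders at 90 and 30 days before expiry, then
# post-expiry phases as cumulative day limits (auto-renew grace up to 45 days,
# redemption 30 more, pending delete 5 more; after that the domain has dropped).
REMINDER_DAYS = (90, 30)
POST_EXPIRY = (("auto-renew-grace", 45), ("redemption", 75), ("pending-delete", 80))

# Constructed sample records. The "events"/"eventAction" layout follows the RDAP
# domain response format; the names and dates are invented for this example.
SAMPLE_RDAP = [
    {"ldhName": "example-corp.test",
     "events": [{"eventAction": "expiration", "eventDate": "2026-03-01T00:00:00Z"}]},
    {"ldhName": "example-mail.test",
     "events": [{"eventAction": "expiration", "eventDate": "2026-01-20T00:00:00Z"}]},
    {"ldhName": "example-old.test",
     "events": [{"eventAction": "expiration", "eventDate": "2025-11-20T00:00:00Z"}]},
    {"ldhName": "example-legacy.test",
     "events": [{"eventAction": "expiration", "eventDate": "2025-10-01T00:00:00Z"}]},
    {"ldhName": "example-noinfo.test", "events": []},
]

def expiry_from_rdap(record):
    # Return the expiration event as an aware datetime, or None if the record lacks one.
    for ev in record.get("events", []):
        if ev.get("eventAction") == "expiration":
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None

def classify(expiry, now):
    # Map one expiry date to a phase; the day count goes negative once expired.
    if expiry >= now:
        left = (expiry - now).days
        if left > REMINDER_DAYS[0]:
            return "ok", left
        return ("reminder-90" if left > REMINDER_DAYS[1] else "reminder-30"), left
    gone = (now - expiry).days
    for phase, limit in POST_EXPIRY:
        if gone <= limit:
            return phase, -gone
    return "dropped", -gone

def audit(records, now=None):
    # Return {domain: (phase, days_to_expiry)}; records without an expiry are flagged.
    now = now or datetime.now(timezone.utc)
    out = {}
    for rec in records:
        exp = expiry_from_rdap(rec)
        out[rec["ldhName"]] = classify(exp, now) if exp else ("unknown", None)
    return out
```

Run `audit(SAMPLE_RDAP)` against the live RDAP output for your own domains and treat `unknown` as a finding in its own right: a registrar that publishes no expiry date is one you cannot monitor independently.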
