Domain Health Monitoring: The Checks Attackers Count On You Ignoring
A lapsed registration, an expired certificate, a blocklist listing, missing DNSSEC, a dangling subdomain. None of these make headlines, and all of them are openings an attacker is happy you never check.
TL;DR
1. Domain hygiene is a set of unglamorous checks: registration and certificate expiry, DNS blocklist listings, DNSSEC, security headers, and subdomain takeover risk.
2. Each one is an opening attackers rely on you ignoring: a lapsed domain can be re-registered, an expired cert breaks trust, a blocklist listing kills deliverability.
3. The defense is continuous monitoring that alerts you before expiry, before a listing spreads, and before a dangling record is claimed.
What it does
Domain health monitoring is the ongoing check of the unglamorous things that keep a domain trustworthy: that the registration is paid up, the TLS certificate is valid, the domain is not sitting on a DNS blocklist, DNSSEC is in place, the right security headers are present, and no subdomain is one dangling DNS record away from being taken over. None of these are exciting. All of them are doors an attacker is glad you forgot to lock.
The reason they get ignored is that they fail quietly. A registration lapses on a date nobody is watching. A certificate expires on a Saturday. A shared IP picks up a blocklist listing because of someone else's spam. DNSSEC was never turned on, so nobody gets an alert that it is off. Each of these is invisible until the day it produces a visible failure, by which point the cost is already being paid.
Run as a daily check, domain hygiene catches each of these on the way up rather than after the fall. Registration and certificate expiry are read from authoritative sources and watched against escalating thresholds so a renewal warning fires weeks ahead, not the morning the domain goes dark. The result is a small set of boring checks that, monitored, close the openings attackers count on staying open.
How it works
1. <strong>Domain registration expiry.</strong> The registration record is read via RDAP (with a WHOIS fallback) to find the expiration date. Remaining days are mapped into escalating alert bands at 30, 14, and 7 days out, and an already-expired domain is treated as the most critical band so the warning still fires. The bands are designed to catch up: a domain added when it is already inside a threshold still alerts immediately rather than waiting for an exact-day crossing it already missed.
2. <strong>TLS certificate expiry.</strong> Certificates are pulled from Certificate Transparency logs for the domain and its subdomains, deduplicated, and the freshest per name is kept. The apex certificate gets the same banded, self-healing expiry alerts as the registration, and an alert names the certificate and its issuer so you know exactly which one is about to lapse.
3. <strong>DNS blocklist (DNSBL) listings.</strong> A domain or its sending IP appearing on a DNS blocklist is a deliverability emergency, often caused by abuse you did not commit (a shared IP, a compromised neighbor). Surfacing a listing early is what lets you start delisting before the damage to your mail reputation compounds.
4. <strong>DNSSEC, security headers, and SPF lookup count.</strong> Whether DNSSEC is enabled (and the chain of trust is intact) is a check on its own, because an unsigned zone is open to DNS tampering. Security headers are inspected for the protections a browser relies on. The SPF record's DNS-lookup count is watched against the RFC 7208 cap of 10: a warning fires at 9 lookups and a critical alert at 11, where the record tips into PermError and receivers silently reject your authentication.
5. <strong>Subdomain takeover risk.</strong> Each monitored subdomain's CNAME chain is resolved and matched against fingerprinted third-party providers, then the live page is probed for the provider's unclaimed-resource signal. A dangling record aimed at a deprovisioned service is flagged before an attacker can claim the slot and serve content from your name.
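The SPF lookup-count check from item 4, written out as an added example (not the product's own code): it walks include and redirect chains, counts the terms RFC 7208 section 4.6.4 charges a DNS lookup for, and maps the total to the warning-at-9, critical-at-11 bands described above. The zone dictionary stands in for live TXT lookups so it runs offline; every domain name in it is constructed.

```python
import re
from typing import Dict, FrozenSet

# Constructed stand-in for DNS TXT lookups so the example runs offline;
# every name below is made up and is not a real vendor or zone.
ZONE: Dict[str, str] = {
    "example.test": "v=spf1 mx a include:_spf.mailvendor.test include:_spf.crm.test -all",
    "_spf.mailvendor.test": "v=spf1 include:_a.mailvendor.test include:_b.mailvendor.test ~all",
    "_a.mailvendor.test": "v=spf1 ip4:192.0.2.0/24 a:relay1.mailvendor.test a:relay2.mailvendor.test -all",
    "_b.mailvendor.test": "v=spf1 exists:%{i}.spf.mailvendor.test mx -all",
    "_spf.crm.test": "v=spf1 redirect=_spf2.crm.test",
    "_spf2.crm.test": "v=spf1 a mx ptr ~all",
}

# RFC 7208 section 4.6.4: each of these terms costs one DNS lookup; ip4, ip6 and all cost nothing.
LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}
RFC7208_CAP = 10
WARN_AT, CRITICAL_AT = 9, RFC7208_CAP + 1

def count_lookups(domain: str, zone: Dict[str, str], path: FrozenSet[str] = frozenset()) -> int:
    """Total lookup-costing terms reachable from domain's SPF record, following include/redirect."""
    if domain in path:
        return 0  # include/redirect loop: stop here instead of recursing forever
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0  # no SPF record to walk; the referencing include/redirect was already counted
    total = 0
    for term in record.split()[1:]:
        m = re.match(r"([a-z0-9]+)(?:[:=]([^/]*))?", term.lstrip("+-~?").lower())
        if not m or m.group(1) not in LOOKUP_TERMS:
            continue  # qualifiers never matter; ip4/ip6/all/exp and unknown terms are free
        total += 1
        if m.group(1) in ("include", "redirect") and m.group(2):
            total += count_lookups(m.group(2), zone, path | {domain})
    return total

def classify(total: int) -> str:
    """Alert band for a lookup total: warning from 9, critical past the cap (11 and up)."""
    if total >= CRITICAL_AT:
        return "critical"  # receivers evaluate the record to PermError
    if total >= WARN_AT:
        return "warning"
    return "ok"

def check_spf(domain: str, zone: Dict[str, str] = ZONE) -> dict:
    """One monitoring pass for a domain: lookup total plus the band it falls in."""
    total = count_lookups(domain, zone)
    return {"domain": domain, "lookups": total, "band": classify(total)}

if __name__ == "__main__":
    print(check_spf("example.test"))  # → {'domain': 'example.test', 'lookups': 14, 'band': 'critical'}
```

Swap the dictionary for real TXT queries and the same walk reports how close a record is to the cap; the vendor-chain example above is already four lookups over it even though the apex record itself looks short.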
Common pitfalls
- <strong>Treating expiry as a calendar problem you'll remember.</strong> Registration and certificate dates are exactly the things that slip when the person who set them up leaves or the renewal email goes to an unwatched inbox. Banded alerts that escalate as the date approaches exist because human memory does not.
- <strong>Assuming a blocklist listing is someone else's fault and so not your problem.</strong> It often is someone else's fault, on a shared IP, and it is still your mail that stops being delivered. The fault does not change who pays for it.
- <strong>Skipping DNSSEC because "nobody attacks DNS."</strong> An unsigned zone is the precondition for DNS tampering and cache poisoning. The absence of a recent incident is not evidence the door is locked; it is just evidence nobody has tried it yet.
- <strong>Checking once and assuming it stays healthy.</strong> Certificates rotate, registrations renew and re-expire, IPs get listed and delisted, and new subdomains appear. A one-time health check is a snapshot of a moving target. The value is in running it continuously.