Introduction
A domain expiring is not a binary event. Between the day the registration lapses and the moment the name becomes publicly available again, the domain passes through a defined sequence of states — each governed by ICANN policy, registrar rules, and registry-specific timelines. Each state has different technical implications: DNS may or may not still resolve, renewal may or may not still be possible, and the cost to recover the domain varies by several orders of magnitude depending on which phase you are in.
Understanding this lifecycle matters well beyond the domain's owner. Security teams need to know when a lapsed domain owned by an acquired company enters redemption — because an attacker could buy it and repurpose old email addresses or subdomains. Developers building applications with external domain dependencies need to detect instability early. Domain investors track the moment a name drops and becomes re-registrable. This article walks through the full expiry lifecycle and shows how to detect each stage programmatically using the WhoisJSON API.
The Domain Expiry Lifecycle
The following phases apply to gTLDs under ICANN policy (primarily .com, .net, .org, and new gTLDs). Country-code TLDs have their own rules — covered in the edge cases section.
| Phase | Timing | EPP Status | DNS Resolves | Renewal |
|---|---|---|---|---|
| Active | Before expiry date | ok | Yes | Normal price |
| Expiry Warning | 30–60 days before | ok | Yes | Normal price |
| Grace Period | 0–45 days post-expiry | autoRenewPeriod | Usually yes | Normal price |
| Redemption Period | ~45–75 days post-expiry | redemptionPeriod | No | ~$80–200 penalty |
| Pending Delete | ~75–80 days post-expiry | pendingDelete | No | Not possible |
| Dropped | ~80 days post-expiry | — | No | Available at standard price |
Active & Expiry Warning
While the domain is active, its EPP status is typically code ok | (possibly combined with client-side locks like code clientTransferProhibited | ). The registrar begins sending renewal reminder emails to the registrant typically 60, 30, and 7 days before the expiry date. Nothing changes technically during this phase — DNS continues to resolve, and the domain renews at the standard price.
Grace Period (0–45 days)
Verisign allows 45 days for .com/.net domains. During this period, the WHOIS record still shows the domain as registered and the EPP status transitions to autoRenewPeriod. Many registrars keep the domain's DNS active during this window, though this is not guaranteed — some suspend DNS resolution immediately at expiry. The domain is still fully renewable at the normal price with no penalty.
Redemption Period (~30 days)
Once the grace period ends, the registry places the domain in redemptionPeriod. DNS is suspended. The domain still appears in WHOIS but cannot be renewed through the normal registrar flow — recovery requires a Restore request, which costs $80–200 depending on the registrar, plus the standard renewal fee. This is the last window in which only the original registrant can reclaim the domain.
Pending Delete (5 days)
After redemption period, the domain enters pendingDelete. No renewal or restoration is possible. The registry counts down approximately 5 days before releasing the name. Domain drop-catchers submit simultaneous registration requests during this window to maximize the chance of catching the name the moment it is freed.
Dropped
The domain is deleted from the registry database and becomes available for standard registration. The total time from expiry to drop is approximately 75–80 days for .com — though individual registrar delays mean the exact drop time is unpredictable to the day.
Why It Matters Beyond the Owner
The lifecycle described above has concrete implications for people other than the registrant.
- Security teams. When a company is acquired or dissolves, old domains are frequently forgotten. If those domains had active email addresses or hosted subdomains pointing to internal services, an attacker who registers the dropped domain can receive email sent to those old addresses, spoof the domain, or exploit dangling DNS records. Tracking domains associated with acquired entities through their full expiry cycle — specifically watching for
redemptionPeriodandpendingDeletestatus transitions — is a concrete defensive measure. - Brand protection. Typosquatted domains targeting your brand name may cycle through expiry and get re-registered by different actors. Monitoring for EPP status changes on known typosquats lets you alert when they re-enter the market.
- Domain investors. The
pendingDeletestatus is the signal that a domain is 5 days from drop. Investors use this as the trigger to activate drop-catching infrastructure. - Developers. Applications that depend on third-party domains — payment gateways, CDN origins, OAuth providers — should detect when those domains enter grace or redemption period before DNS goes dark and the dependency fails.
How to Detect Expiry Status Programmatically
A WHOIS lookup via the WhoisJSON API returns two complementary signals for tracking expiry stage: the raw expires date, and the status array containing the domain's current EPP codes.
Key fields
expires— ISO 8601 date string of the registration expiry date. Always present when the registry exposes it.expiration.daysLeft— pre-computed integer, days until (or since, if negative) expiry. Present only whensourceis"rdap".expiration.isExpiringSoon— boolean, true when fewer than 30 days remain. RDAP only.expiration.isExpired— boolean, true when the expiry date is in the past. RDAP only.status— array of EPP status strings. Present regardless of source. Look for"autoRenewPeriod","redemptionPeriod", and"pendingDelete"to identify the post-expiry phases.
expiration object is only present when the API used RDAP for the query ( "source": "rdap"). For WHOIS-sourced responses, compute daysLeft manually from the expires string. The status array is always present when the registry returns EPP codes.Python: classify a domain's expiry stage
import requests
from datetime import datetime, timezone
API_KEY = "YOUR_API_KEY"
BASE_URL = "https://whoisjson.com/api/v1"
def get_whois(domain: str) -> dict:
resp = requests.get(
f"{BASE_URL}/whois",
params={"domain": domain},
headers={"Authorization": f"TOKEN={API_KEY}"},
timeout=10,
)
resp.raise_for_status()
return resp.json()
def classify_expiry(data: dict) -> str:
"""Return the expiry lifecycle stage for a domain."""
status = [s.lower() for s in (data.get("status") or [])]
if "pendingdelete" in status:
return "pending_delete"
if "redemptionperiod" in status:
return "redemption"
if "autorenewperiod" in status:
return "grace_period"
# Compute days left — use pre-computed field if available (RDAP),
# otherwise fall back to manual calculation from the expires date.
expiration = data.get("expiration") or {}
days_left = expiration.get("daysLeft")
if days_left is None:
expires_str = data.get("expires")
if expires_str:
expires = datetime.fromisoformat(expires_str).replace(tzinfo=timezone.utc)
days_left = (expires - datetime.now(timezone.utc)).days
if days_left is None:
return "unknown"
if days_left < 0:
return "expired_unknown_phase"
if days_left <= 30:
return "expiring_soon"
return "active"
if __name__ == "__main__":
domain = "example.com"
data = get_whois(domain)
stage = classify_expiry(data)
print(f"{domain}: {stage} (expires: {data.get('expires')}, status: {data.get('status')})")
The function checks EPP status codes first — they are the authoritative signal for post-expiry phases and are not subject to interpretation. The date-based fallback handles active and expiring-soon classification when the domain has not yet passed through the registry state machine.
How to Monitor Expiry at Scale
Polling a single domain on demand is one thing. Tracking a portfolio of dozens or hundreds of domains — and being notified before they enter a critical phase — requires a different approach.
Polling vs. webhook-based monitoring
A naive polling strategy queries each domain on a fixed schedule and compares the result to a stored baseline. This works but has two costs: it consumes API quota proportional to your portfolio size, and there is always a detection lag equal to your polling interval. For expiry, where the relevant changes happen on a day-by-day basis, daily polling is usually sufficient — but managing the scheduler, storage, and alerting logic is non-trivial.
WhoisJSON's built-in domain monitoring handles this automatically. You register the domains you want tracked in the dashboard, set a threshold (default: alert when fewer than 30 days remain), and configure a notification channel — email, in-app, or webhook. The service checks your domains continuously and fires an alert when the threshold is crossed, once per day at most.
Webhook payload for expiry alerts
When a domain hits the expiry warning threshold, your webhook endpoint receives a POST with the following payload:
{
"type": "expiration_warning",
"timestamp": "2026-04-15T09:23:11.432Z",
"domain": "example.com",
"daysRemaining": 28,
"expirationDate": "2026-05-13T00:00:00.000Z"
}You can use code daysRemaining | to route the alert to different channels (Slack for 30-day warnings, PagerDuty for 7-day, ticket creation for anything under 3 days) without any additional API calls.
Monitoring slots per plan
| Plan | Price | Monitored domains | Alert channels |
|---|---|---|---|
| Basic | $0 | 1 | Email, in-app, webhook |
| Pro | $10/mo | 5 | Email, in-app, webhook |
| Ultra | $30/mo | 20 | Email, in-app, webhook |
| Mega | $80+/mo | 50 | Email, in-app, webhook |
Edge Cases to Know
- ccTLDs have their own cycles. .uk domains, managed by Nominet, have no redemption period. A .uk domain is suspended at expiry and deleted after 92 days, with no late-recovery window. .eu and .fr have similar deviations from the ICANN gTLD timeline. If you are monitoring ccTLDs, check the registry's specific policy — do not assume the 45+30+5 structure applies.
autoRenewPerioddoes not mean the owner did anything. Some registrars enable auto-renewal by default and charge the customer's card silently at expiry. TheautoRenewPeriodstatus simply means the registry has auto-renewed the registration and is waiting for the registrar to confirm the charge — the domain is technically in grace, but may remain active indefinitely if the charge succeeds. Do not assume a domain inautoRenewPeriodis about to drop.- WHOIS privacy can suppress the expiry date. A small number of ccTLD registries and some privacy proxy services do not expose the
expiresfield at all. In these cases, the EPP status codes are your only programmatic signal. Thestatusarray is less affected by privacy redaction than contact fields. - WHOIS date formats are not standardized. Legacy WHOIS responses from different registrars use different date formats (
2026-08-13,13-Aug-2026,2026-08-13T00:00:00Z, and others). If you are parsing raw WHOIS text, you need a multi-format date parser. The WhoisJSON API normalizes all dates to ISO 8601 regardless of source — useexpiresdirectly without format handling. - RDAP returns more precise expiry data. When
sourceis"rdap", the pre-computedexpirationobject includesisExpiredanddaysLeft— you do not need to compute these yourself. For WHOIS-sourced responses, compute from theexpiresdate string as shown in the snippet above.
FAQ
How long is the grace period after a domain expires?
For .com and .net domains (Verisign registry), the grace period is up to 45 days. During this window, the domain is still in the original registrant's name and is renewable at the standard price with no penalty. Not all registrars make the full 45 days available — some transition to redemption earlier. After the grace period ends, the domain enters a 30-day redemption period where recovery costs $80–200 in addition to the renewal fee. The grace period for ccTLDs varies significantly by registry: .uk has no grace period in the ICANN sense, while others may offer 30 days or fewer.
Can I register a domain that is in redemption period?
No. During the redemption period, the domain is locked to its existing registrant. Only that registrant — through their registrar — can submit a Restore request to reclaim it, at the cost of the redemption fee plus the standard renewal price. A third party cannot register or backorder a domain in redemption. Registration by a new party only becomes possible after the domain passes through pending delete (~5 days) and is fully released by the registry. Domain drop-catching services queue up registration requests during the pending delete window to maximize the chance of catching the name the moment it is freed.
How do I get notified before a domain expires?
The most reliable approach is to combine API-based expiry date tracking with an automated alert. Using the WhoisJSON API, query /api/v1/whois for your domains, read the expires field (or expiration.daysLeft when source is RDAP), and trigger an alert when the threshold is crossed. For managed monitoring without custom code, the WhoisJSON domain monitoring feature handles this automatically — you set a threshold (default 30 days), configure your notification channel (email, webhook, or in-app), and the service sends daily alerts until the domain is renewed. One monitoring slot is included in the free plan.
Monitor domain expiry automatically
Set a threshold, configure your webhook or email, and get alerted before domains reach a critical phase. Included in all plans — one slot free.