
Domain Portfolio Audit Checklist

If you manage more than five domains, whether for your own business, clients, or a mix of both, the risks of a lapsed domain, expired SSL certificate, or unexpected DNS change multiply with every domain you add. A single missed renewal notice can bring down a client's entire web presence. A dangling CNAME on a forgotten subdomain can become a security incident.

A quarterly domain portfolio audit catches these issues systematically rather than reactively.


Domain Inventory

  • List every domain in your portfolio — across all registrars, including regional variants (.com, .co.uk, .de), brand protection registrations, and domains used for redirects
  • Document which registrar holds each domain — if domains are spread across multiple registrars, record the login details securely
  • Identify domains with no current active use — decide whether to renew or let them lapse before the next renewal date, not after
  • Check for domains registered by former team members or previous agencies that may need transferring to your control

Domain Expiry

  • Export expiry dates for every domain and sort by expiry date ascending — your most urgent renewals are at the top
  • Flag any domain expiring within 90 days for immediate attention
  • Verify auto-renew is enabled on every domain you intend to keep. See "why domain auto-renew fails" for why auto-renew alone isn't sufficient
  • Confirm the payment card on file at each registrar is current — auto-renew fails silently if the card is expired or declined
  • Check that the registrant email address for each domain is still active — renewal notices and transfer authorisation codes go there
  • Review domain expiry monitoring coverage — every active domain should have an expiry monitor with alerts at least 60 days out. See "what is domain expiry monitoring"

WHOIS Data

  • Verify registrant name and organisation are current for each domain — outdated registrant data can complicate transfers and dispute processes
  • Check admin and technical contact email addresses are still valid and monitored
  • Review nameserver records in WHOIS — confirm they match what you expect and haven't changed without your knowledge. See "what is WHOIS monitoring"
  • Check WHOIS privacy status — domains without WHOIS privacy expose registrant contact details publicly, which can attract spam and social engineering

Nameservers and DNS

  • Verify nameservers for each domain match your expected DNS provider (Cloudflare, Route 53, your registrar, etc.)
  • Flag any unexpected nameserver changes — an unauthorised NS change is a potential domain hijacking indicator. See "how to monitor nameserver changes"
  • Check nameserver monitoring is active for all domains — immediate alerts on NS record changes should be standard for any domain with live services
  • Review DNS records for each domain for the following:
    • CNAME records pointing to decommissioned services (dangling CNAMEs — see "what is a subdomain takeover")
    • A records pointing to IP addresses that are no longer yours
    • MX records (confirm they match your current email provider)
    • TXT records for services you no longer use (old SPF includes, abandoned verification records)
    • Subdomains that have no current purpose
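
The DNS record review above can be run over a zone export. This is an added example, not code from the original article; the record names, owned network range, mail provider suffix, SPF includes and resolution results are all constructed assumptions.

```python
import ipaddress

# Constructed zone export as (name, type, value); not real records.
ZONE = [
    ("www.example.test", "A", "203.0.113.10"),
    ("old.example.test", "A", "198.51.100.77"),
    ("shop.example.test", "CNAME", "example-shop.hosted-store.test."),
    ("docs.example.test", "CNAME", "example-docs.pages-host.test."),
    ("example.test", "MX", "10 mx1.mailhost.test."),
    ("example.test", "TXT",
     "v=spf1 include:_spf.mailhost.test include:_spf.oldcrm.test -all"),
]

# Assumptions the auditor supplies: what you own and what you still use.
OWNED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
MAIL_SUFFIX = "mailhost.test"
ACTIVE_SPF_INCLUDES = {"_spf.mailhost.test"}
# Constructed lookup results; in practice, fill this from your own resolver.
TARGET_RESOLVES = {
    "example-shop.hosted-store.test": True,
    "example-docs.pages-host.test": False,
}

def audit_zone(zone, resolves=TARGET_RESOLVES):
    """Return (name, finding, detail) tuples for records needing review."""
    findings = []
    for name, rtype, value in zone:
        if rtype == "CNAME":
            target = value.rstrip(".").lower()
            # Unknown targets count as unresolved so they get looked at.
            if not resolves.get(target, False):
                findings.append((name, "dangling-cname", target))
        elif rtype == "A":
            ip = ipaddress.ip_address(value)
            if not any(ip in net for net in OWNED_NETS):
                findings.append((name, "a-record-not-owned", value))
        elif rtype == "MX":
            host = value.split()[-1].rstrip(".").lower()
            if host != MAIL_SUFFIX and not host.endswith("." + MAIL_SUFFIX):
                findings.append((name, "mx-provider-mismatch", host))
        elif rtype == "TXT" and value.lower().startswith("v=spf1"):
            for term in value.lower().split()[1:]:
                if term.startswith("include:"):
                    inc = term.split(":", 1)[1]
                    if inc not in ACTIVE_SPF_INCLUDES:
                        findings.append((name, "stale-spf-include", inc))
    return findings
```

Each finding is a prompt for review: confirm whether the record still serves a purpose, then remove or repoint it.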

SSL Certificates

  • List SSL certificates for all active domains and subdomains — don't forget certificates on non-www subdomains, API subdomains, and portals
  • Check expiry dates — flag anything within 60 days for renewal
  • Verify certificate type matches requirements — single-domain, wildcard, or multi-domain (SAN). See "wildcard vs SAN vs single-domain SSL"
  • Confirm SSL monitoring covers every domain and subdomain with a live service — it's easy for a newly deployed subdomain to miss SSL monitoring setup
  • Check for Let's Encrypt certificates on client sites — auto-renewal can fail silently; verify recent renewals were successful. See "Let's Encrypt renewal failed"

Security Review

  • Check registrar lock status — all domains should have transfer lock enabled to prevent unauthorised transfers. See "registrar lock vs transfer lock"
  • Verify two-factor authentication is enabled on all registrar accounts
  • Review who has access to each registrar account — remove access for former team members
  • Check for unused subdomains that could be claimed by a third party if the CNAME target is freed
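
The expiry, auto-renew, certificate and transfer lock checks from the sections above can be applied to one inventory export in a single pass. This is an added example, not code from the original article; the CSV column names and all rows are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed inventory export; column names are assumptions for this example.
INVENTORY_CSV = """domain,registrar,domain_expiry,auto_renew,transfer_lock,cert_expiry
example.test,RegistrarA,2025-09-01,yes,yes,2025-07-20
shop-example.test,RegistrarB,2025-07-15,no,yes,2025-12-01
example-brand.test,RegistrarA,2026-03-10,yes,no,
"""

DOMAIN_WINDOW_DAYS = 90  # checklist: flag domains expiring within 90 days
CERT_WINDOW_DAYS = 60    # checklist: flag certificates within 60 days

def audit_portfolio(csv_text, today):
    """Return [(domain, [issues])] sorted by domain expiry date, ascending."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    rows.sort(key=lambda r: date.fromisoformat(r["domain_expiry"]))
    report = []
    for r in rows:
        issues = []
        days = (date.fromisoformat(r["domain_expiry"]) - today).days
        if days < 0:
            issues.append("domain expired")
        elif days <= DOMAIN_WINDOW_DAYS:
            issues.append(f"domain expires in {days}d")
        if r["auto_renew"].strip().lower() != "yes":
            issues.append("auto-renew off")
        if r["transfer_lock"].strip().lower() != "yes":
            issues.append("transfer lock off")
        if r["cert_expiry"]:
            cdays = (date.fromisoformat(r["cert_expiry"]) - today).days
            if cdays <= CERT_WINDOW_DAYS:
                issues.append(f"certificate expires in {cdays}d")
        else:
            # Empty field: either no live service or a gap in the inventory.
            issues.append("no certificate on record")
        report.append((r["domain"], issues))
    return report

if __name__ == "__main__":
    for domain, issues in audit_portfolio(INVENTORY_CSV, date.today()):
        print(domain, "|", "; ".join(issues) or "ok")
```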

For Agencies: Client Domain Documentation

  • Confirm you have access to client domains in cases where clients hold their own registrar accounts — establish access before an emergency
  • Document whether client domains are client-managed or agency-managed — including who is responsible for renewals
  • Send a pre-renewal reminder to clients for domains expiring within 90 days where the client handles renewals

Automation

Manual quarterly audits catch problems but don't prevent them. Continuous domain expiry monitoring, WHOIS monitoring, and nameserver change alerts reduce what needs to be checked manually by alerting automatically when something changes.

Domain Monitor monitors all domains in your portfolio from a single dashboard. Create a free account.

