Domain expired: what to do and the renewal grace period
Practical timeline for an expired domain — what works in the grace period, what redemption costs, and when the domain becomes available to anyone.
Domain expired: what to do
If your domain has just expired you have, depending on the registrar and TLD, somewhere between zero and 75 days to recover it before someone else can register it. This article walks through the exact timeline, the cost of each recovery window, and what to do if the domain is already in someone else's hands.
The timeline you need to understand
Most generic TLDs (.com, .net, .org, .info, .io) follow a similar lifecycle once a registration lapses. Country-code TLDs vary — .uk, .co.uk, .de, and .eu each have their own quirks.
| Stage | Duration | What's possible |
|---|---|---|
| Active | until the expiration date | Renew at standard price. |
| Auto-renew grace | 0–45 days after expiry | Most registrars will still let you renew at standard price, sometimes with a small late fee. The website is offline; nameservers are usually still authoritative but DNS may have been parked. |
| Redemption period | starts when grace ends, lasts ~30 days | The domain is in redemptionPeriod status at the registry. Recovery is possible but expensive — typically $80–$200 in registry fees on top of normal renewal. The website stays offline through this window. |
| Pending delete | ~5 days at end of redemption | The domain cannot be recovered. It is queued for deletion. |
| Available | drop date | Anyone can register the domain. Drop-catchers and back-orderers compete for desirable domains in the first seconds after release. |
The exact dates depend on the registrar and TLD. ICANN documents the gTLD lifecycle but registrars implement the grace period differently — some give you the full 45 days, some give you 5. Check your registrar's specific policy.
Step 1 — Check what stage the domain is in right now
The fastest way to find out is the registry's WHOIS or RDAP record. Run this from a terminal:
whois example.com | grep -i "status\|expiry\|expiration"Or, if you prefer the JSON RDAP feed:
curl https://rdap.org/domain/example.com | jq '.events, .status'The status fields tell you everything. The ones that matter:
clientHold/serverHold— the domain is suspended at the registry. DNS does not resolve. Expired domains often go here first.clientTransferProhibited/serverTransferProhibited— normal protection state, not expiry-related.redemptionPeriod— you're in the expensive recovery window.pendingDelete— too late at this registrar; the domain is being released to the public.redemptionorRGP— same as redemption period, different vendor naming.
Match the status to the timeline table above. The path forward depends entirely on which stage you're in.
Step 2 — If you're still in the auto-renew grace period
This is the easy case. Sign in to the registrar, find the domain in your dashboard, and click "Renew". The price is the standard renewal fee plus, sometimes, a small late fee ($5–$20). After payment, the domain comes back online within minutes to a couple of hours, depending on how aggressively the registrar parked your DNS.
A few things to verify after recovery:
- Nameservers are still set correctly. Some registrars overwrite your custom nameservers with their parking nameservers when a domain expires. Check this even if the website starts loading — your MX records may be pointing at the wrong place silently.
- Auto-renew is now enabled. Don't trust that "I'll renew it next year" — fix the underlying cause now.
- Payment method on file is current. Most domain expirations happen because the credit card on file expired six months ago and renewal emails got filtered.
- Contact email is reachable. The renewal warning emails went to something. Whatever address that was needs to be one a human checks.
Step 3 — If you're in the redemption period
Recovery is still possible but you're paying registry penalty fees. Common costs:
.com/.netredemption: ~$80 in registry fees, on top of the renewal..org: similar..io,.app,.dev: $80–$150 depending on the registry operator.- Country-code TLDs vary widely; some have no redemption period at all.
Call your registrar (don't email — redemption requests often need a human). Ask explicitly to restore the domain from redemption. The process takes anywhere from same-day to 5 business days. The domain remains offline until the restore completes, so plan communication to your users.
If the domain is not critical and the redemption fee exceeds what re-registering somewhere else would cost (after pendingDelete expires), you have a real choice to make — see "If the domain is gone forever" below.
Step 4 — If you're in pendingDelete
Recovery from your registrar is no longer possible. The domain is being released to the registry's drop pool.
You have two options:
- Wait for the drop and re-register. This works for low-value domains. You set a calendar reminder for the drop date and try to register the moment it's released. Don't expect to win against drop-catchers if the domain has measurable traffic.
- Use a backorder service. Companies like SnapNames, Namejet, GoDaddy Auctions, and DropCatch.com participate in the registry's drop process and can grab a domain in the first second after release. Backorders cost $20–$80 if no one else also backordered the same domain, more in auction if they did. There is no guarantee — only one party wins each drop.
Many drop-caught domains end up at auction. If your domain is desirable enough to be backordered by multiple parties, expect prices in the high three to four figures.
Step 5 — If the domain is gone forever
Sometimes the domain is registered by someone else and won't come back. UDRP (Uniform Domain-Name Dispute-Resolution Policy) is the legal recourse, but it requires showing the new registrant has no legitimate interest and registered the domain in bad faith. UDRP filings cost $1,500–$5,000 and take 2–4 months. They succeed when the new registrant is squatting; they fail when the new registrant is using the domain for a real business unrelated to your trademark.
If UDRP is not viable, the practical options are:
- Buy it back from the new registrant. Often offered through the WHOIS contact (if that's still public) or via a domain-broker service. Prices for hijacked domains range from a few hundred dollars to six figures depending on the buyer's perception of your willingness to pay.
- Register a different name. Add a hyphen, change the TLD, append a word. Update every link from your old domain to the new one — backlinks, social profiles, email signatures, marketing collateral. Plan a 6–12-month communication campaign.
- Pursue trademark protection in your jurisdiction so future drops are more defensible.
How this happens
Expired domains are almost never a registrar failure. They're usually one of:
- Auto-renew failed because the credit card expired. Standard. The renewal warnings get sent, the user doesn't read them.
- The contact email is a person who left the company. Same problem as expired SSL certificates —
webmaster@orit@aliases that nobody actually monitors. - The registrar account has multiple owners and nobody knows whose problem this domain is. Common at agencies and consultancies — the original developer set up the domain on their personal account, billed it to the client, then left.
- A registrar account was compromised and the attacker disabled auto-renew before letting the domain expire to grab it. Rare but devastating; happens to high-value domains.
Set up domain-expiry monitoring (the part that prevents recurrence)
WHOIS / RDAP records expose the expiry date for every domain. DomainCare polls this on a 12-hour cadence and alerts you at 90 / 60 / 30 / 14 / 7 / 1 days out. The longest lead time is the one that matters — 90 days is enough notice to:
- Update the credit card on file.
- Confirm the contact email is monitored.
- Renew for 5+ years to avoid the issue showing up again soon.
- Migrate the registration to a different account if ownership is murky.
You can build your own monitoring with a script that runs whois and parses the expiry date, but the brittleness of whois output formatting (every TLD's response is structured differently) makes RDAP a better target. If you do roll your own, factor in rate limits — most registries throttle aggressively.
Related
- Domain expiry explained — the lifecycle in detail.
- Domain hijacking — how to prevent it — registrar-account hardening and registry locks.
- Registry check reference — what DomainCare's WHOIS / RDAP check verifies on every run.
whois_domain_expiring_soonalert — alert thresholds and how to silence during planned non-renewal.
Common questions
My domain shows "expired" in WHOIS but the website still loads. Some registrars give a brief grace where the website still works while the registration has technically lapsed. Don't trust this — renew now, before DNS is parked.
I missed the redemption window. Can a registrar pull the domain back from pendingDelete? Almost never. The deletion is at the registry level; the registrar can only request it within their own grace period. Once it hits pendingDelete, you're waiting for the drop.
Why does my registrar charge $200 to recover an expired domain when the renewal price is $12? The $200 figure is the registry's redemption fee, not the registrar's renewal price. Some registrars mark this up significantly — shop around if the bill seems extreme.
Is the contact-information block in WHOIS still mandatory? Public WHOIS contact data is no longer mandatory in the EU under GDPR and is being phased out elsewhere via ICANN's "registration data policy". Domain-expiry alerts that depended on parsing public WHOIS contacts are increasingly unreliable — switch to monitoring the registration expiry directly via RDAP, which is still publicly available.