Domain Expiration

TLDR

  • Expired domains are not guaranteed a grace period.
  • Domain expiration is a multistep process.
  • It may be risky to let a domain that’s been used for business expire.
  • Domains may be sold or auctioned during the auto-renew grace period (aka autoRenewPeriod), which is step 1 of the expiration lifecycle.
  • The ERRP (Expired Registration Recovery Policy) does almost nothing to protect registrants from accidental domain expiration.

Overview

This page describes the domain expiration process. It is important to understand this process because it is not as forgiving as many registrants assume, and accidentally letting a domain expire can result in its permanent loss.

No Grace

Contrary to popular belief, and antithetical to the grace periods described in ICANN’s policies, expired domains are not guaranteed a grace period after expiration unless it is defined in the domain registrar’s policy. The following excerpt is directly from ICANN’s website.

5 Things About ICANN’s ERRP

If the Registrar does not immediately delete the domain name upon expiration, it may offer an Auto Renew Grace Period, a 1-45-day period during which you may renew an expired domain name. This may come at a fee so be sure to read your Registrar’s Terms of Service carefully to see if this Period is offered, for how many days, and any fees that might be associated with it. You should be aware that during the auto-renew period, the domain name may be available to third parties for registration, depending on your registrar’s terms of service. You may also run the risk of having your domain name auctioned to a third party by your registrar during this period (depending on your terms of service) – yet another reason to be sure you understand your terms of service and always renew your domain name well before it expires.

Source, Archived Source

Expiration Lifecycle

Domains, specifically gTLDs, have a defined lifecycle. This is shown on ICANN’s website (archived), but it does not do a good job of highlighting the risk to registrants during the auto-renew grace period, which is the most important part of a domain’s expiration lifecycle since it occurs immediately and automatically after expiration.

It is important to understand that registrars can short circuit policies that registrants may assume are in place to protect domains from accidental expiration. Below is an alternate image that tries to do a better job of showing why registrants should never let a domain expire.

An image of the domain expiration lifecycle.

Risks of Non-Renewal

Letting a domain expire, especially one that has been actively used, creates risks. Once a domain is dropped and becomes available for registration again, it can be registered by anyone, including bad actors.

A malicious actor could register an expired domain to:

  • Impersonate a brand: A bad actor could put up a copy of an old website to trick visitors.
  • Phish customers and employees: By controlling the domain, a bad actor can send emails from what appears to be a trusted source, potentially tricking customers or employees into revealing sensitive information.
  • Damage a reputation: The domain could be used for illicit purposes, associating a brand with negative activities.

Because of these risks, many registrants feel compelled to renew their domains indefinitely, even if they are no longer in active use.

Auto-Renew Grace

The autoRenewPeriod status of a domain is described in RFC3915.

RFC3915

autoRenewPeriod: This grace period is provided after a domain name registration period expires and is extended (renewed) automatically by the registry. If the domain name is deleted by the registrar during this period, the registry provides a credit to the registrar for the cost of the renewal.

Source, Archived Source

Registrars’ obligations during this period are defined in ICANN’s Registrar Accreditation Agreement (RAA).

Section 3.7.5 of ICANN’s RAA

At the conclusion of the registration period, failure by or on behalf of the Registered Name Holder to consent that the registration be renewed within the time specified in a second notice or reminder shall, in the absence of extenuating circumstances, result in cancellation of the registration by the end of the auto-renew grace period (although Registrar may choose to cancel the name earlier).

Source, Archived Source

Notably, the agreement does not define what happens to a domain during the auto-renew grace period.

Section 3.7.5.4 of ICANN’s RAA

Registrar shall provide notice to each new registrant describing the details of their deletion and auto-renewal policy including the expected time at which a non-renewed domain name would be deleted relative to the domain’s expiration date, or a date range not to exceed ten (10) days in length. If a registrar makes any material changes to its deletion policy during the period of the registration agreement, it must make at least the same effort to inform the registrant of the changes as it would to inform the registrant of other material changes to the registration agreement (as defined in clause 3.7.7 of the registrars accreditation agreement).

Source, Archived Source

This allows registrars to define any policy they want. That can include selling or auctioning a domain during the auto-renew grace period. This is clarified by ICANN in a list of 5 important things that every registrant should know about domain expiration. The emphasis of the quote below has been changed to highlight the part that registrants need to be aware of.

The ERRP

The Expired Registration Recovery Policy (ERRP) is the ICANN process that must be followed when a domain expires. This process sounds helpful, but, in practice, does very little to protect registrants that accidentally allow domains to expire. In addition to being nullified by the auto-renew grace period described above, the ERRP is filled with soft language that negates many of the rules that might help registrants.

Section 2.2.1 of ICANN’s ERRP

Subject to applicable consensus policies and provisions of the Registrar Accreditation Agreement (“RAA”), registrars may delete registrations at any time after they expire.

Source, Archived Source

Notably, registrars are not required, but may delete a domain. The ERRP only applies once a domain is deleted, so, as described above, registrars may keep the domain in auto-renew grace for up to 45 days as long as they have stated they intend to do so in a policy that is provided to registrants.

Other measures that would help registrants discover the expiration of a domain, such as removal from the DNS zone which would cause a website or email to quit working, is required and then weakened in the same sentence.

Section 2.2.2 of ICANN’s ERRP

For registrations deleted within eight days of expiration: The existing DNS resolution path specified by the RAE must be interrupted by the registrar from expiration of the registration until its deletion, to the extent the applicable registry permits such interruptions.

Source, Archived Source

It starts with strong language, but immediately gives an out. The only thing needed to ignore the requirement is for the registry to forbid the registrar from interrupting the RAE’s specified DNS resolution path. The use of the word must makes it sound like a requirement, but the registry can nullify it by stating they do not permit the action.