Domain Health Check

    The renewal notice is the only part of domain health that reminds you. This audit covers the parts that stay silent.

    A useful domain health check covers five areas: ownership and access, renewal and payment risk, DNS and security configuration, public visibility, and business context. A domain can be technically active while still being unhealthy because nobody knows why it is owned, what it costs, or what should happen next.

    The five health dimensions

    Here is the uncomfortable structure of domain health: of everything that can go wrong with a domain, exactly one thing sends you a warning. Registrars are required by ICANN's Expired Registration Recovery Policy to send renewal reminders before a domain expires, roughly one month and one week out. Nothing comparable exists for the rest. No one emails you when a certificate quietly fails to renew, when a warning list flags your name, or when the login that controls the domain stops being one you can reach. Those run silent until you look.

    A health check is the act of looking. Not a crisis response, a baseline: five dimensions, checked deliberately, so you know where every domain stands instead of assuming it.

    DimensionWhat healthy looks like
    Ownership and accessEvery registrar account reachable, secured, and documented; the contact email current and read.
    Renewal and paymentExpiration dates known, payment methods valid, and every upcoming renewal backed by a decision.
    DNS, SSL, and securityRecords match intent, certificates are valid, mail authentication exists, and no warning list has flagged the name.
    Visibility and reachabilitySomeone who looks the domain up finds something real: a page that resolves, says what the name is about, and offers a path to the owner. Or the domain is dark on purpose, as a recorded decision.
    Purpose, fit, and next actionA written reason for owning the name, and a next action with a date.

    One distinction runs through the whole audit, and the scoring rubric below makes it explicit: some of these checks a tool can verify from the outside, and some only the owner can answer. A lookup can tell you the certificate is valid. It cannot tell you why you own the domain. Both kinds count.

    Dimension one: ownership and access

    The first dimension is the least technical and the most dangerous to skip, because losing it can mean losing the domain itself. The question is simple: do you actually control this name, today, provably?

    • Log in. Not "I have a login," but log in now, to every registrar account that holds a domain you care about. Account recovery is a project best started years before you need it.
    • Check the contact email. Renewal reminders, failed-payment alerts, verification requests, and transfer challenges all go to the registrant email. If it points at an inbox you retired, someone else is reading your domain's mail, or no one is.
    • Turn on two-factor authentication. Most registrar account takeovers are attacks on credentials, not on the registrar. One setting removes most of that surface.
    • Confirm the transfer lock. For domains you are keeping, the lock should be on. It is the seatbelt of this dimension: trivial to set, and only ever missed once.
    • Document who controls what. If the answer to "which account holds this domain?" lives in one person's head, that head is a single point of failure. Write it into the inventory.

    What a tool can verify here is thin: registration data and lock status are publicly visible. Everything that actually protects you, working logins, a read inbox, documented custody, is an owner answer. That ratio is why this dimension carries the highest weight in the rubric and still gets skipped: nothing about it looks broken until the day it is.

    Dimension two: renewal and payment

    The renewal dimension is the one with reminders, and it still fails, because the reminders assume a working chain: a current card, a read inbox, an account someone checks. The audit questions target the links in that chain:

    • When does each domain actually expire, and does your inventory agree with what the registrar shows?
    • Is auto-renew set the way you decided, on for keepers, off only as a written choice?
    • Is the payment method valid, and will it still be valid at the next renewal? A reissued card fails silently.
    • Do any domains carry premium renewal prices that deserve a real decision instead of an automatic charge?
    • Does every renewal in the next 90 days have a keep-or-drop decision written down?

    A tool can see the expiration date. Whether the renewal will actually succeed, and whether it should, is yours to answer. The full control system, 90-60-30 reminders, payment failure controls, and decision deadlines, is the guide on domain renewal management; this audit checks that the system exists and is being run.

    Dimension three: DNS, SSL, and security

    The third dimension is the most tool-checkable, which is good news: most of it can be verified from the outside in minutes.

    DNS records. Look at the records for each domain and ask one question: did I set these? A records and MX records you do not recognize are a serious signal; if you see them, lock the domain, change the account password, and contact the registrar. For any domain that sends mail, confirm SPF and DMARC records exist, because without them the name is easier to impersonate. And for domains pointed at third-party services, confirm those destinations are still yours; records aimed at services you cancelled are loose ends someone else can pick up.

    Certificates. Visit the domain and read the browser's verdict, then run it through SSL Labs' Server Test for the full picture: validity, expiration, and configuration. Let's Encrypt, which issues a large share of the web's certificates, states that its default certificates are valid for 90 days, and renewal is normally automated. Automated is not guaranteed: renewal jobs fail quietly after DNS or hosting changes, and a certificate issued for www will not cover the bare domain unless it was set up to. Verify, do not assume.

    Warning and blocklists. This is the check almost nobody runs, because no symptom appears on your side. A domain can sit on an email blocklist while your messages silently vanish, or carry a browser warning that turns every visitor away, and your own experience of the domain stays normal. Two lookups cover the ground: MXToolbox's blacklist check for mail reputation, and Google's Safe Browsing site status for browser warnings. A listing does not always mean you did something wrong; shared hosting, a compromised plugin, or a previous owner's history can put a clean domain on a list. It does always mean act now: remove whatever triggered it, then follow that list's own removal process.

    One special case deserves its own line: if you acquired a domain rather than registering it fresh, run all of these checks before attaching anything you care about to it. Reputation transfers with the name, including the parts the seller did not mention.

    Dimension four: visibility and reachability

    The fourth dimension asks the plainest question in the audit: when a person or a system looks this domain up, do they find something real?

    Something real means four things. The name resolves. It serves an actual page over a valid certificate, not an error and not a bare parking placeholder. The page says what the domain is about, even in a sentence. And there is a path to the owner, so an interested person can do something other than leave. That is the whole standard. It is deliberately modest, and most dark domains fail all four.

    Why treat this as health rather than marketing? Because absence is a state, not a neutral default. A domain that shows nothing answers every question about itself with silence: the person who wanted exactly that name learns nothing and moves on, and the owner never knows anyone came. If the idea behind the domain still matters to you, silence is the one answer that serves nobody.

    To check it, do what a stranger would: type the domain into a browser and look at what comes back. Dark is an acceptable audit result, but only as a decision, "this name stays dark on purpose, decided on this date," not as a default nobody chose. What to do with the names that should not stay dark is the keep, build, sell, or drop framework in the guide on what to do with unused domains.

    Dimension five: purpose, fit, and next action

    The last dimension has no tool at all, and it is where the audit's definition of health earns its keep. A domain can pass every technical check, renewed, secured, resolving, certificate green, and still be unhealthy, because nobody can say why it is owned, what it costs to keep, or what should happen to it next. Three questions per domain:

    1. Purpose: why does this name exist in your portfolio? One written sentence. "I do not remember" is a finding, and a common one.
    2. Fit: does that reason still hold, and does the name still serve anything you run or plan to? A purpose from 2019 is not automatically a purpose today.
    3. Next action: keep for the written reason, launch, redirect, sell, or release, with a date. Five words; every domain gets one.

    This is also where the audit connects back to money. A domain with no purpose and no next action does not show up as broken anywhere, it just quietly renews, year after year, which is the most expensive kind of healthy-looking.

    The scoring rubric: 100 points, transparent weights

    To turn the audit into a number you can track, score each domain out of 100 using the weights below. Two portfolio-level rows, inventory completeness and next-action clarity, join the five dimensions, because a perfectly configured domain in an incomplete inventory is still a risk. Award each row's points in proportion to how much of it is true; be stingy, the score is only useful if it is honest.

    DimensionPointsWhat a tool can verifyWhat only the owner can answer
    Ownership and access20Whether the domain's public registration data is intact and the name is locked against transfer.Whether you can actually log in to every registrar account, the contact email is one you read, two-factor is on, and credentials are documented beyond one person's head.
    Renewal and payment risk20The expiration date, and how close it is.Whether auto-renew reflects a real decision, the payment card is current, and a keep-or-drop call exists before the next charge.
    DNS, SSL, and technical health15Whether DNS resolves, the certificate is valid and current, mail authentication records exist, and the domain sits on any public warning or blocklist.Whether the records that exist are the ones you intended, and whether anything unrecognized points at services you never set up.
    Inventory and cost completeness15Nothing. A tool cannot know which domains you forgot to list.Whether every domain you own appears in one inventory with its registrar, dates, and true renewal cost, and whether the annual total is a number you know.
    Purpose and business context15Nothing. Purpose is not machine-checkable.Whether each domain has a recorded reason to exist and the context to make its next renewal an easy call.
    Public visibility and reachability10Whether the name resolves and serves a real page over a valid certificate rather than an error or a bare parking placeholder.Whether that page says what the domain is about and gives an interested person a way to reach you, and whether staying dark is a decision you made on purpose.
    Next-action clarity5Nothing. A next action is a commitment, not a record.Whether every domain has one of five words written next to it, keep, launch, redirect, sell, or release, with a date.
    Total100An operational maturity score: how well the domain is being managed. Never a valuation of the name.

    Notice the shape of the two right-hand columns. The tool-verifiable checks cluster in the technical middle of the table, and the highest-weighted rows lean hardest on owner answers. That is the honest structure of domain health: the parts that lose domains are mostly the parts no scanner can see.

    And once more, because the misread is so tempting: a 95 does not mean the domain is valuable, and a 40 does not mean it is worthless. The score measures stewardship. A generic name can score 100; a superb name can score 15. The 15 is still the one to fix first, because whatever the name is worth, unmanaged is how that worth gets lost.

    The portfolio-level report

    Scoring one domain tells you about that domain. Scoring all of them tells you about your practice. After the audit, four numbers make a useful portfolio report, and a spreadsheet with one row per domain produces every one of them:

    • The spread: the highest and lowest domain scores. A wide spread usually means attention follows fondness, favorite domains get managed, the rest drift.
    • The weakest dimension: the rubric row that lost the most points across all domains. That is your systemic gap, and fixing it once, at the account or process level, raises many scores at the same time.
    • The red flags: every domain that scored zero on ownership and access or on renewal and payment, regardless of its total. These are the loseable ones.
    • The undecided count: how many domains have no next action. This number is the portfolio's honesty meter, and watching it fall from one audit to the next is the clearest progress there is.

    Rerun the audit on a cadence, not once: the technical checks monthly to quarterly, since certificates and lists change on their own, and the full five dimensions annually, alongside the decision review in the domain management checklist. If the inventory the audit depends on does not exist yet, build it first with the guide on managing domains across multiple registrars, and see the wider practice in the domain portfolio management guide.

    Fix order: by severity, not by score

    When the audit surfaces problems, resist fixing them in score order. Fix them in severity order, by what each one can cost you while it waits:

    1. Access you do not control. A registrar account you cannot log in to, a contact email you cannot read, or DNS records you did not set. These can cost you the domain itself, and recovery gets harder with time. Start recovery today, and on any sign of compromise, lock the domain and contact the registrar's security team.
    2. Renewals at risk. Anything expiring soon without a decision, and any payment method that is expired or about to be. The deadline does not wait for your next audit.
    3. Active warnings. Blocklist and Safe Browsing listings, and expired certificates. Every day these stand, mail disappears and visitors are turned away. Remediate the cause, then request removal.
    4. Quiet technical gaps. Missing SPF or DMARC, certificates expiring within the month, records pointing at dead services. Cheap to fix now, expensive to discover later.
    5. Visibility gaps. Domains dark by default rather than by decision. No deadline forces this one, which is exactly why it needs a date on the calendar.
    6. Missing context. Purposes and next actions not written down. Least urgent, most compounding: every other fix on this list is easier when someone can say what each domain is for.

    The renewal date is real; pay it. But it is the floor of domain health, not the whole of it. The domains that stay healthy are not the ones with the most careful renewal calendars. They are the ones someone actually looks at, five dimensions, on a rhythm, with a written answer to the only question that ties the whole audit together: what is this domain for?

    Limitations

    • The score on this page is an operational maturity score. It says how well a domain is being managed, never what the name is worth. It is not a valuation, an appraisal, or a prediction of one.
    • Technical checks describe a moment in time. Certificates expire, records change, and warning lists update continuously, which is why the audit has a cadence instead of a finish line.
    • The third-party lookup tools named here are working examples, not endorsements, and their capabilities are whatever their own live pages say today.
    • Registrar and registry rules vary. Reminder-notice requirements, grace windows, and recovery options differ by registrar and domain ending; confirm specifics with your own registrar.

    Sources

    1. 5 things every domain name registrant should know about ICANN's Expired Registration Recovery Policy (verified 2026-07-08) (ICANN)
    2. Let's Encrypt FAQ: certificate lifetime (verified 2026-07-08) (Let's Encrypt)
    3. Google Safe Browsing site status (verified 2026-07-08) (Google Transparency Report)
    4. SSL Server Test (verified 2026-07-08) (Qualys SSL Labs)
    5. Email blacklist check (verified 2026-07-08) (MXToolbox)
    6. How SiteWarming works (SiteWarming)

    Last reviewed:

    Related resources

    Put every domain's state in one view

    SiteWarming brings your whole portfolio into one asset dashboard across registrars, with an estimated value beside each name, and its renewals analysis gives every domain a keep-or-drop recommendation. Two of the five dimensions, watched for you.

    See what the dashboard includes