Hold Your Domain
Somewhere right now, a startup worth millions has its domain registered under a freelancer's personal account. That freelancer doesn't work there anymore.
The Pattern
Phase 1: Marketing/Research. Every startup begins the same way. You need a domain, a landing page, maybe basic email and workspace. There's no technical person around yet, so you go to the nearest integration company or website builder.
They register your domain. They build a WordPress landing page. They attach Microsoft or Google services for mail and collaboration. They send invoices.
At this point, it's fine.
Phase 2: Building. Marketing goes well. Everyone's happy. Time to build something real.
Email goes to integration company: "Please delegate app.electronicdiapers.com to our Route53 nameservers." Of course it's done.
Meanwhile, the marketing guy keeps going back to the integration company to push very important updates onto the landing page, which by now is the primary company website. Sometimes the integration company hands out wp-admin access instead. Bills keep coming, website looks nice.
Development team knows nothing about electronicdiapers.com. The front door of their world is app.electronicdiapers.com. They have Terraform, spread across multiple zones or even multiple cloud providers. Or more often — everything in us-east-1 with a brave comment: "here we will put multiple zones when needed."
Two parallel worlds:
| Marketing World | Engineering World |
|---|---|
| electronicdiapers.com | app.electronicdiapers.com |
| Integration company, WordPress | Route53, Terraform |
| wp-admin, "send the banner" | us-east-1, Infrastructure as Code |
| Pays invoices, doesn't think | Thinks about their subdomain only |
Apex domain and DNS root — somewhere in the fog at the integration company. Dev team doesn't even know which registrar holds the domain.
Phase 3: Time passes. One, two years go by. At this point, anyone who's been a fucking webmaster long enough can predict 20 scenarios of what can go wrong.
Here are just some.
What Can Go Wrong
Scenario 1: Integration company vanishes. One day emails start bouncing and website shows parking page. Integration company went bankrupt, pivoted, or simply ghosted. Domain is registered under their account, DNS is on their nameservers, and the only person who had credentials left the company two years ago. You don't even know which registrar to call.
Scenario 2: Integration company degrades. They didn't disappear — worse, they're still around. Response time went from hours to weeks, WordPress hasn't been updated in 18 months, and that "urgent landing page fix" is stuck in a queue behind someone's nephew who now manages 47 sites part-time. Your startup raised Series B, their biggest client is still a local dental clinic.
Scenario 3: Registrar from hell. Integration company picked a registrar based on price — hello GoDaddy, or worse, one of the dozens that have had their ICANN accreditation revoked over the years. Rare, but when it happens: domains get frozen, bulk-transferred to whatever "gaining registrar" ICANN picks during the wind-down, or simply vanish into bureaucratic limbo. Your $50M startup now depends on filing complaints with ICANN Contractual Compliance while competitors enjoy your SEO.
Scenario 4: The website is down. Your engineering team is world-class. Your DevOps runs multi-region Kubernetes with automated failover. Your datacenter survives direct Iranian missile strikes. Meanwhile, your company website — the thing customers actually see first — shares a $9/month Hetzner box with 10 other sites, and those HDDs have been begging for retirement since last year. Your CEO will never comprehend this boundary between "our infrastructure" and "that WordPress thing." Good luck explaining why electronicdiapers.com shows 503 while app.electronicdiapers.com has five nines.
Scenario 5: Domain expired, certificate rotted. The most embarrassing and most common failure. In many years, not a single startup escaped this hole. Everyone falls in at least once. Someone forgot to update the credit card, auto-renew failed silently, integration company's billing contact quit. The certificate goes the same way: automatic renewal quietly stopped working months ago and nobody was watching the expiry date. If you're lucky, you'll notice the browser warning before customers do. If you're not, your domain enters the redemption grace period while competitors screenshot your parking page. It's not the end of the world. But do you really want two days of downtime and a panicked Slack thread explaining why "electronicdiapers.com" shows GoDaddy ads?
Scenario 6: Abuse and/or hack. WordPress not updated for a year means guaranteed vulnerabilities — not "maybe," guaranteed. You think your core app has no connection with the marketing website? Think again. Even if you survive the reputational damage of a defaced homepage, the real nightmare is quieter: compromised site starts sending spam or bruteforcing others, domain lands on blacklists, and your precious app.electronicdiapers.com follows the apex straight to hell. Blacklisted everywhere, excluded from search engines, email stops delivering. Sometimes forever. Some blacklists don't forgive.
Scenario 7: Apex poisons the subdomain. No hackers needed — your own integration company can cripple you. Real story that inspired this article: someone enabled an HSTS header on the apex domain with includeSubDomains, preload, and a 2-year max-age. Just following a "security best practices" checklist, probably. Congratulations. Every browser that visits electronicdiapers.com now caches that policy for two years and applies it to app.electronicdiapers.com and every other subdomain: plain HTTP is rewritten to HTTPS before the request even leaves the browser, and any certificate error becomes a hard failure with no click-through. The staging box on port 80, the internal tool on a self-signed cert, the dev environment nobody bothered to give TLS: all unreachable from any machine that has ever loaded the homepage. And if someone also submitted the domain to the hstspreload.org list, the policy ships inside the browsers themselves, and a removal takes months to reach users. That is why people call preload practically irreversible.
Scenario 8: Unfriendly fire. Are you sure your integration company never spies on you? If you answered yes — you've never worked with crypto startups. Someone configured your mailboxes, someone has admin access to that Google Workspace, someone can read password reset emails. All your carefully rotated AWS credentials, your hardware MFA tokens, your zero-trust architecture — meaningless when an underpaid contractor at integration company can simply request a password reset and read the link. The call is coming from inside the house.
Scenario 9: Greed kicks in. Relationship sours, integration company smells money. Starts small: bills creep up, "emergency" fees appear, simple DNS change suddenly requires a service contract. Gets worse: they realize the domain is registered under their name (or their employee's). You want to leave? Let's talk. You raised funding? Let's really talk. Worst case: actual lawsuit over domain ownership, and WHOIS says they're right. Your $10M company held hostage by a $50/year asset you never thought to verify.
Scenario 10: Death by misconfiguration. Not catastrophic, just expensive. Subdomain CNAMEs pointing to decommissioned Heroku apps — hello subdomain takeover. SPF record with 15 includes that nobody audited since 2019, well past the 10-DNS-lookup limit, so receivers return permerror and treat you as having no SPF at all. DKIM key still using 512-bit RSA, which Gmail rejects outright. DMARC stuck on p=none forever with no reporting address, so spoofed mail from your domain is delivered and nobody ever learns that half your legitimate mail lands in spam. CAA record blocking your own Let's Encrypt renewals. None of these kill you instantly, but combined they drain time, money, and sanity. Cost of fixing everything once: a few hours. Cost of ignoring: perpetual firefighting, every month, forever.
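The checks behind scenarios 7 and 10, as an added example (not code from the article): an offline script that parses the apex HSTS header and walks the SPF include chain, the DMARC record, a CAA set and a list of CNAMEs, and reports what a reviewer should flag. All records, hostnames, the HSTS header, the CAA issuer and the Heroku target are constructed for the demo; only the RFC 7208 10-lookup limit, the hstspreload.org criteria (max-age of at least one year plus includeSubDomains plus preload) and the header syntax are real.

```python
"""Offline checks for the apex-HSTS and DNS-hygiene failures in scenarios 7 and 10.
Added example, not the article's code: every record below is constructed."""
import re

SPF_LOOKUP_LIMIT = 10                     # RFC 7208 section 4.6.4
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")

# Constructed stand-in for DNS: name -> the TXT records `dig TXT name` would return.
TXT = {
    "electronicdiapers.com": [
        "v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org "
        "include:spf.protection.outlook.com include:_spf.salesforce.com "
        "include:servers.mcsv.net include:spf.mandrillapp.com a mx ~all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com "
                        "include:_netblocks2.google.com include:_netblocks3.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:35.190.247.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:4860:4000::/36 ~all"],
    "_netblocks3.google.com": ["v=spf1 ip4:172.217.0.0/19 ~all"],
    "_dmarc.electronicdiapers.com": ["v=DMARC1; p=none"],
}

def spf_record(name):
    """The v=spf1 TXT record published at name, or None if there is none."""
    return next((t for t in TXT.get(name, []) if t.lower().startswith("v=spf1")), None)

def spf_lookups(name, depth=0):
    """Count lookup-causing terms reachable from name's SPF, recursing into include:
    and redirect= targets found in TXT; unknown targets still cost one lookup each."""
    record = spf_record(name)
    if record is None or depth > 10:
        return 0
    count = 0
    for term in record.split()[1:]:
        m = re.match(r"([a-z0-9]+)(?:[:=](.*))?$", term.lstrip("+-~?"), re.I)
        if m and m.group(1).lower() in LOOKUP_MECHANISMS:
            count += 1
            if m.group(1).lower() in ("include", "redirect"):
                count += spf_lookups(m.group(2) or "", depth + 1)
    return count

def parse_hsts(header):
    """Split a Strict-Transport-Security value into its three directives."""
    parts = [d.strip().lower() for d in header.split(";")]
    max_age = next((int(d.split("=", 1)[1].strip('"')) for d in parts if d.startswith("max-age=")), 0)
    return {"max_age": max_age, "include_subdomains": "includesubdomains" in parts,
            "preload": "preload" in parts}

def hsts_findings(apex_header, plain_http_hosts):
    """What an apex HSTS policy does to subdomains that still speak plain HTTP."""
    p, findings = parse_hsts(apex_header), []
    if p["include_subdomains"] and plain_http_hosts:
        findings.append("apex HSTS includeSubDomains pins %s to HTTPS for %d days"
                        % (", ".join(plain_http_hosts), p["max_age"] // 86400))
    if p["preload"] and p["include_subdomains"] and p["max_age"] >= 31536000:
        findings.append("meets hstspreload.org criteria: once submitted, removal takes months")
    return findings

def dmarc_findings(domain):
    """p=none means receivers deliver spoofed mail; no rua= means nobody hears about it."""
    recs = [t for t in TXT.get("_dmarc." + domain, []) if t.upper().startswith("V=DMARC1")]
    if not recs:
        return ["no DMARC record for " + domain]
    tags = {k.strip().lower(): v.strip()
            for k, v in (kv.split("=", 1) for kv in recs[0].split(";") if "=" in kv)}
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("DMARC p=none: spoofed mail from %s is delivered anyway" % domain)
    if "rua" not in tags:
        findings.append("DMARC without rua=: no aggregate reports, so nobody notices")
    return findings

def caa_findings(caa_records, ca_you_renew_with):
    """CAA issue tags are an allow-list; omitting your own CA blocks your renewals."""
    allowed = [v for _flags, tag, v in caa_records if tag == "issue"]
    if allowed and ca_you_renew_with not in allowed:
        return ["CAA permits only %s: renewals via %s will be refused"
                % (", ".join(allowed), ca_you_renew_with)]
    return []

def dangling_cnames(cnames, still_resolving):
    """CNAMEs whose targets no longer resolve are subdomain-takeover candidates."""
    return ["%s -> %s no longer resolves: takeover candidate" % (n, t)
            for n, t in cnames.items() if t not in still_resolving]

def audit(domain="electronicdiapers.com"):
    """Run every check against the constructed records and return the findings."""
    findings, n = [], spf_lookups(domain)
    if n > SPF_LOOKUP_LIMIT:
        findings.append("SPF needs %d DNS lookups (limit %d): permerror, SPF is off" % (n, SPF_LOOKUP_LIMIT))
    findings += dmarc_findings(domain)
    findings += hsts_findings("max-age=63072000; includeSubDomains; preload", ["dev." + domain])
    findings += caa_findings([(0, "issue", "digicert.com")], "letsencrypt.org")
    findings += dangling_cnames({"blog." + domain: "old-blog.herokuapp.com"}, {"www." + domain})
    return findings

if __name__ == "__main__":
    print("\n".join(audit()))
```

Running it prints seven findings for the constructed zone: 12 SPF lookups against a limit of 10, DMARC at p=none with no rua=, an apex HSTS policy that pins dev.electronicdiapers.com to HTTPS for 730 days and qualifies for preload, a CAA set that excludes Let's Encrypt, and a CNAME to a dead Heroku app. To use it on a real zone, replace the TXT dictionary with the output of `dig +short TXT` and feed the actual header from `curl -sI https://electronicdiapers.com`.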
Red Flags
Quick self-assessment. If any of these are true, stop reading and fix today:
- You don't know your registrar login
- Domain WHOIS shows integrator's name
- You've never seen the DNS zone file
- "That guy who left" set up email
- Last SSL cert was installed manually by someone
- You have domains you forgot existed
- You don't know when your domain expires
What To Do?
HOLD YOUR FUCKING POSSESSIONS WITH YOU
Checklist. Do it now:
Ownership. Domain registered in YOUR account. CEO, CTO, founder — a real human who won't disappear. Integration company and devs get granular access, not keys to the kingdom.
Security basics.
- Enable 2FA on registrar account. Hardware key, not SMS.
- Enable domain lock (also called registrar lock or clientTransferProhibited).
- Enable DNSSEC. Yes, it's 2026, just do it.
- Enable auto-renew. Then verify the credit card actually works.
Maintenance ritual.
- Assign one developer — your most paranoid one — to periodically review DNS records, domain expiry dates, billing status. Quarterly. Put it in the calendar.
- Review who has access to what. Remove ex-employees.
Monitoring.
- Set up expiry alerts (most registrars have this, or use external services)
- Certificate monitoring for SSL/TLS expiry
- Uptime monitoring for apex domain, not just app subdomain
- Alerts go to a Slack channel or mailbox you control, not to an address at the integration company or the inbox of the guy who left
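The "Security basics" and "Monitoring" items above can be checked from the registrar's RDAP answer (the JSON successor to WHOIS) instead of by clicking through a registrar dashboard. This is an added example, not the article's code: the RDAP document is constructed in the shape RFC 9083 defines, with an invented registrar name, invented nameservers and an invented expiry date, and the clock is pinned to an assumed date so the demo is deterministic. The status strings ("client transfer prohibited", "redemption period", "pending delete") and the secureDNS.delegationSigned field are real RDAP vocabulary.

```python
"""Audit a registrar's RDAP answer for the checklist items: expiry date, transfer lock,
DNSSEC, who the registrar is and whose nameservers the domain uses. Added example, not the
article's code; the document below is constructed in RFC 9083 shape with invented values."""
import json
from datetime import datetime, timezone

SAMPLE_RDAP = json.dumps({                                   # constructed, not a real answer
    "objectClassName": "domain",
    "ldhName": "electronicdiapers.com",
    "status": ["client delete prohibited"],                  # no transfer lock set
    "events": [
        {"eventAction": "registration", "eventDate": "2021-03-02T10:11:12Z"},
        {"eventAction": "expiration", "eventDate": "2026-03-02T10:11:12Z"},
    ],
    "secureDNS": {"delegationSigned": False},
    "entities": [{"roles": ["registrar"],
                  "vcardArray": ["vcard", [["fn", {}, "text", "Example Registrar LLC"]]]}],
    "nameservers": [{"ldhName": "ns1.integrator.example"},
                    {"ldhName": "ns2.integrator.example"}],
})
NOW = datetime(2026, 2, 1, tzinfo=timezone.utc)              # assumed clock for the demo

def rdap_facts(doc):
    """Pull the fields the checklist cares about out of an RDAP domain object."""
    d = json.loads(doc) if isinstance(doc, str) else doc
    expiry = registrar = None
    for ev in d.get("events", []):
        if ev.get("eventAction") == "expiration":
            expiry = datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    for ent in d.get("entities", []):
        if "registrar" in ent.get("roles", []):
            for prop in ent.get("vcardArray", ["vcard", []])[1]:   # jCard property list
                if prop[0] == "fn":
                    registrar = prop[3]
    return {
        "name": d.get("ldhName"),
        "expiry": expiry,
        "status": set(d.get("status", [])),      # RDAP status strings, e.g. "client transfer prohibited"
        "dnssec": bool(d.get("secureDNS", {}).get("delegationSigned")),
        "registrar": registrar,
        "nameservers": [ns["ldhName"].lower() for ns in d.get("nameservers", [])],
    }

def audit_domain(doc, now=NOW, owned_ns_markers=(), warn_days=60):
    """Findings a quarterly review (or a cron job) should alert on.
    owned_ns_markers: substrings that identify nameservers your own team controls."""
    f = rdap_facts(doc)
    findings = []
    if f["expiry"] is None:
        findings.append("no expiration event in RDAP: expiry cannot be monitored")
    elif (f["expiry"] - now).days < warn_days:
        findings.append("%s expires in %d days: renew now, then fix auto-renew"
                        % (f["name"], (f["expiry"] - now).days))
    if f["status"] & {"redemption period", "pending delete"}:
        findings.append("domain already expired: restore it today, before the drop")
    if "client transfer prohibited" not in f["status"]:
        findings.append("no transfer lock (clientTransferProhibited): enable it at the registrar")
    if not f["dnssec"]:
        findings.append("delegation is not DNSSEC-signed")
    foreign = [ns for ns in f["nameservers"] if not any(m in ns for m in owned_ns_markers)]
    if foreign:
        findings.append("nameservers you do not control: " + ", ".join(foreign))
    return findings

if __name__ == "__main__":
    print("registrar:", rdap_facts(SAMPLE_RDAP)["registrar"])
    for line in audit_domain(SAMPLE_RDAP, owned_ns_markers=("awsdns-", ".ns.cloudflare.com")):
        print("FINDING:", line)
```

For the constructed document this reports four things: 29 days to expiry, no transfer lock, no DNSSEC, and nameservers at the integrator. To point it at a real domain, fetch the JSON from the registry's RDAP base URL (the IANA bootstrap file at https://data.iana.org/rdap/dns.json maps TLDs to servers), pass `datetime.now(timezone.utc)` as `now`, and wire the returned list into whatever pages you; an empty list is the quiet you want every quarter.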
Asset inventory.
- Spreadsheet or Notion: every domain, every subdomain, who owns it, where registered, where hosted, when expires, who has access
- Sounds boring, saves lives
Email separation.
- Google Workspace / Microsoft 365 on YOUR account, not integrator's tenant
- You control password resets = you control everything
Renewal strategy. Renew every domain for maximum allowed term — 10 years for .com, less for some TLDs (.io caps at 5, .ai at 2). Yes, every single one. Including that joke domain you planned to decommission next month. $12/year × 10 years = $120. That's your insurance against "forgot to renew" disaster. Cost of one team lunch.
Pick your registrar wisely.
Option A: Modern & developer-friendly
- Cloudflare Registrar, AWS Route 53
- API-first, reasonable security, fair pricing
Option B: Corporate & paranoid
- MarkMonitor, CSC, Safenames
- Expensive, slow, DNS changes require signed letter from 6 people
- Sometimes that's exactly what you want
- They provide SLAs, insurance, legal protection
- When your domain is worth more than your office furniture, bureaucracy becomes a feature
The Rule
If you can't answer "who owns our domain and how do I log into that account" — stop reading and find out.
Right now.
Before scenarios 1–10 find you.
If this reads like an ad — it kind of is. Domain and infrastructure audit is the first thing I do with every new client, before anyone touches Terraform or draws architecture diagrams. If you got to the bottom of this article and thought "shit, that's us" — let's talk.