
Key Takeaways
Seeing the “SOA expire value out of recommended range” warning means your domain’s Start of Authority (SOA) record has an expiration time set outside DNS best practices. While not a critical issue, it’s a sign that your domain could be vulnerable to downtime or delayed updates, which can snowball into something bigger.
Understanding how the expire value works and adjusting it to the recommended 2-4 week range keeps your domain healthy and compliant with DNS standards.
An SOA record is a type of DNS record that holds important information about a zone, such as the administrator’s email address, the refresh timeframe for secondary servers, and the domain’s update history. Configuring it correctly in your DNS helps you align with Internet Engineering Task Force (IETF) standards. You need DNS SOA records for effective zone transfers from a primary server to a secondary one.
A typical DNS SOA record includes important details, such as:
The expire value is a timer, measured in seconds, with a singularly important purpose: it tells a secondary DNS server how long it should continue to trust its local data when the primary server has gone silent.
Think of it as a final countdown for a zone transfer. If a secondary server cannot reach the primary to get updates, this timer starts ticking. When it runs out, the secondary doesn’t delete the zone data, but it stops serving it until contact with the primary is re-established.
Here’s how it happens:
When a secondary server fails to connect with the primary, it relies on its last known copy of your DNS records. The expire value determines that copy’s lifespan.
If the timer runs out before the secondary server can re-establish contact, something important happens. The server deems its zone files “expired” and its data too old to be trustworthy.
At this point, the secondary server essentially throws its hands up. It stops serving authoritative responses for the zone and returns SERVFAIL instead. This is a protective measure to prevent the spread of ancient, incorrect information across the web.
While not an enforced standard, RFC 1912 and common DNS best practices recommend an expire range of 2-4 weeks. This window gives an administrator ample time to fix a primary server problem without causing secondary servers to abandon the zone prematurely.
So, who is the culprit behind this alert? The root cause is almost always a number that falls outside that two-to-four-week window.
An overly short expire time means a temporary network hiccup could cause your secondary servers to give up on your domain, which creates needless outages.
An excessively long value lets outdated records persist for months if your primary server suffers a catastrophic failure.
Some hosting panels use default templates with questionable values.
A misplaced digit during a manual setup can easily throw the value out of bounds.
The wise sages of the internet (in this case, RFC 1912) suggest a balance. You need enough time to fix a major server issue, but not so much time that bad data pollutes the ecosystem.
Think of it like this:
A solid, safe choice is 1209600 seconds, which equals 14 days.
| Expire Value | Duration | Result |
|---|---|---|
| 86400 | 1 day | Too short — risky |
| 1209600 | 14 days | Recommended |
| 2419200 | 28 days | Recommended |
| 99999999 | 3+ years | Too long — outdated |
Time to roll up your sleeves. The fix is a quick one.
Log in to your domain registrar or DNS provider (PowerDNS, Cloudflare, cPanel, etc.). Keep in mind that your ability to view and modify the SOA record will depend on the interface and permissions provided by your specific provider.
This record often lives in its own section, separate from your A or CNAME records. Look for a “Zone Settings” or “Advanced DNS” area.
Locate the “Expire” field. Replace the current number with one inside the recommended range, like 1209600.
Commit your changes. Your DNS provider should automatically increase the serial number. If not, increment the serial manually to ensure secondaries detect the change. This signals to the rest of the internet that a new, better version of your record exists.
Pro Tip: When setting your SOA values, always ensure that your Expire value is larger than the Refresh and Retry values combined (Expire > Refresh + Retry). This logical check prevents the zone from expiring before the secondary server has even had a chance to complete its retry cycle.
The Troublemaker Record
REFRESH: 86400
RETRY: 7200
EXPIRE: 604800 ; <-- The problem (7 days)
A short EXPIRE value is a problem because a 7-day timer is often too short to resolve major server issues. When the EXPIRE timer runs out, secondary servers stop answering queries for your domain. This means your website and email can go offline for many users. A short value also provides a weak safety net that can break precisely when you need it most.
The Happy, Healthy Record
REFRESH: 86400
RETRY: 7200
EXPIRE: 1209600 ; <-- Corrected (14 days)
Quick tip: When you save, your serial number should also update to a higher value. The serial number is a simple version number for your DNS zone. Think of it like the version number on a software update (e.g., v1.0, v1.1, v1.2). Every time you make a change to your DNS records (any change at all), you must increase the serial number.
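The two checks described above (expire inside the 2-4 week range, and Expire > Refresh + Retry) can be automated; the following is an added example, not code from the original post or from PowerDMARC. It goes slightly beyond the article by accepting either the one-line output of `dig +short SOA` or a zone-file record with comments and BIND-style time units (`2w`, `1d`); the server names and serial numbers in the samples are constructed.

```python
import re

# Bounds from the article: 2-4 weeks, expressed in seconds.
EXPIRE_MIN = 14 * 86400   # 1209600
EXPIRE_MAX = 28 * 86400   # 2419200
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def to_seconds(token):
    """Convert '1209600' or a BIND-style value such as '2w' or '1d12h'."""
    t = token.lower()
    if re.fullmatch(r"\d+", t):
        return int(t)
    if not re.fullmatch(r"(\d+[smhdw])+", t):
        raise ValueError(f"bad time value: {token!r}")
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([smhdw])", t))

def parse_soa(text):
    """Parse SOA rdata from `dig +short SOA` output or a zone-file record."""
    text = re.sub(r";[^\n]*", "", text)            # drop zone-file comments
    tokens = text.replace("(", " ").replace(")", " ").split()
    if "SOA" in tokens:                            # skip owner/TTL/class prefix
        tokens = tokens[tokens.index("SOA") + 1:]
    if len(tokens) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(tokens)}")
    mname, rname, serial = tokens[0], tokens[1], int(tokens[2])
    refresh, retry, expire, minimum = map(to_seconds, tokens[3:])
    return {"mname": mname, "rname": rname, "serial": serial, "refresh": refresh,
            "retry": retry, "expire": expire, "minimum": minimum}

def check_expire(soa):
    """Return a list of findings; an empty list means the timers pass."""
    findings = []
    if soa["expire"] < EXPIRE_MIN:
        findings.append("expire below 2 weeks")
    elif soa["expire"] > EXPIRE_MAX:
        findings.append("expire above 4 weeks")
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        findings.append("expire not greater than refresh + retry")
    return findings

# Constructed samples: timers from the article, names and serials made up.
BAD = "ns1.example.com. hostmaster.example.com. 2024010101 86400 7200 604800 3600"
GOOD = """example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. (
    2024010102 ; serial
    1d 2h 2w 1h ) ; refresh retry expire minimum"""

if __name__ == "__main__":
    for name, record in (("before", BAD), ("after", GOOD)):
        print(name, check_expire(parse_soa(record)) or "OK")
```

To check a live zone, pass the output of `dig +short SOA yourdomain` to `parse_soa` in place of the constructed samples.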
A well-tuned SOA record is more than a checked box on a diagnostics report. It helps:
You can use PowerDMARC’s dedicated, free SOA checker tool to check your DNS SOA record.
Just enter a relevant domain (e.g., PowerDMARC.com), and the following page will display the ‘A’ record. Select ‘SOA’ to check the records. It only takes a few seconds but provides accurate results on which you can rely. It will show you the problems in your record so that you can fix them as soon as possible. The exact process is shown below.


The “SOA Expire Value Out of Recommended Range” warning is not a catastrophe; it is more of a correction and redirection mechanism on your digital journey. Take a moment to adjust the value, and you will have a healthier, more robust domain for it.
Fixing your SOA expire value takes just minutes, but can save hours of troubleshooting later. Run a free domain health scan now with PowerDMARC’s Domain Analyzer to keep your DNS configurations error-free and compliant.
It’s not serious enough to take your site down, but it’s a DNS best practice you should follow to ensure your domain remains reliable in case a primary server outage happens.
No. It’s a safe and routine change that will not cause any downtime.
If you ignore it, your domain may work fine for a while, but if your main DNS server goes down too long, backups may stop serving your zone, causing downtime or email issues.

*** This is a Security Bloggers Network syndicated blog from PowerDMARC authored by Yunes Tarada. Read the original post at: https://powerdmarc.com/soa-expire-value-out-of-recommended-range/