Six things that break in your first month post-launch (and how to prevent them)

"It's live!" — out of an engineer's mouth, that's a project closing. From the owner's side, the real problems are just starting.

A site in its first 30 days post-launch is like a freshly bought car — all the factory defects surface during this window. Here are the six disasters I've seen most often (in sites I've built and sites I've inherited), plus how to prevent each.

If you're about to launch, or just launched and bracing for fires, this one's for you.

1 · Email never reaches the customer's inbox

Symptom: Your contact form gets submitted, but hello@yourdomain.com receives nothing. Or it does, but the customer says "I sent it!"

Cause: SPF / DKIM / DMARC not configured. These are the "identity verification" mechanisms for email. Without them, Gmail / Outlook silently flag your messages as spam or block them outright.

How to prevent

If you're using Resend / SendGrid / Postmark:

1. Add your domain in their dashboard
2. Get the 3-4 DNS records they generate (SPF + DKIM)
3. Add them at your DNS provider (Cloudflare / GoDaddy)
4. Wait for verification (minutes to hours)

Test method: Send a message via mail-tester.com — it scores you 0-10. Below 8, fix it.

My habit: Do this a week before launch. Discovering broken email at launch is too late.

2 · Form submissions get bot-spammed into oblivion

Symptom: By day 3, your inbox has 30 fake "inquiries" daily — Russian, simplified Chinese, or link-farm content, sent from xxx@gmail.com addresses that look real.

Cause: Your contact form has no spam protection. Crawlers find the form and auto-fill it.

How to prevent

Two layers minimum:

1. Honeypot field (free, effective): Add a hidden form field (CSS display: none). Real users don't see it; bots fill everything. Drop submissions where the honeypot is non-empty.

const schema = z.object({
  // ...
  website: z.string().max(0).optional(), // honeypot
});
 
if (data.website) {
  return NextResponse.json({ ok: true }); // pretend success, don't save
}

2. Cloudflare Turnstile or reCAPTCHA v3 (free, advanced): Invisible verification, no UX disruption. Way better than v2's "click the traffic lights."

99% of spam dies at layer one. Skip this and your inbox is unusable within a week.

3 · Mobile layout is exploded but you didn't notice

Symptom: Looks perfect on your laptop. After launch, customer messages: "Your images are crammed together on my phone." You check on mobile — yep, exploded.

Cause: You built primarily on a laptop. Tailwind / CSS responsive breakpoints have gaps you didn't test, or fonts render different sizes between iOS and Android.

How to prevent

"Resize the browser" is not enough. You need:

1. Real device testing: At least 3 — your iPhone, a friend's Android, an iPad
2. Chrome DevTools device toolbar: Run through 5-6 sizes (iPhone SE / 12 / 15 Pro Max / iPad Mini / iPad Pro)
3. Pay extra attention to: hero headlines, navigation, forms, CTA buttons, image grids

Most common offender: font size. text-5xl is gorgeous on desktop, screen-bleeding on iPhone SE. The right way is text-3xl md:text-4xl lg:text-5xl.

4 · SEO traffic "mysteriously" drops

Symptom: Old site got a redesign or rebuild. Two weeks post-launch, GA traffic is down 40%. Owner panics.

Causes (top three):

1. Old URLs not redirected to new URLs — Google hits 404s and drops the rankings
2. New sitemap never submitted — Google doesn't know where the new pages are
3. robots.txt accidentally blocks the entire site — happens more than once

How to prevent

Pre-launch checklist:

• Export every old URL from Google Search Console
• Map each to a new URL, set up 301 redirects (in next.config.js or middleware)
• Verify robots.txt is NOT Disallow: / (seen this several times)
• Submit new sitemap to Google Search Console immediately after launch
• Use GSC's "URL Inspection" tool on a few important pages

The most painful trap: copying staging's robots.txt (which has Disallow: / to prevent indexing) into production. Google de-indexes you and you don't notice for weeks.

5 · SSL cert expires and nobody catches it

Symptom: 80-90 days post-launch, customer calls: "Your site won't open, there's a red warning." You check — "Your connection is not private." SSL expired.

Cause: Let's Encrypt certs are 90-day. Auto-renew failed, or was never set up.

How to prevent

If you're on Vercel / Netlify / Cloudflare → automatic, don't worry about it.

If you're on VPS or traditional hosting:

1. Cron job that runs certbot renew monthly
2. Alert "30 days before SSL expires" (Uptime Robot free tier has this)
3. Manual quarterly check

My hard rule: I don't manage my own SSL when Vercel / Cloudflare can do it for me. SSL expiry is "shouldn't happen" territory — not worth the engineering hours.

6 · Images load so slow customers think the site is broken

Symptom: Homepage takes 8+ seconds before images appear. Customers describe the site as "laggy."

Cause:

• Uploaded original 4032×3024 phone photos (5MB each)
• No webp / avif format
• No lazy loading
• No image CDN

How to prevent

Practical fixes:

1. Convert to webp: Use cwebp or squoosh.app. Same quality, 60-80% smaller files
2. Cap maximum dimensions: Hero 2400px max, content images 1600px max
3. Use Next.js <Image> component: Auto lazy-loading + responsive sizes + format negotiation
4. Run Lighthouse: Mobile mode on homepage, Performance score should be > 80; under 60 means customers will feel "slow"

Most extreme case I've seen: a client's homepage had 12 original-resolution product photos totalling 47MB. Homepage took 12 seconds to load. Converted to webp + capped at 1200px wide → 2.3MB, 1.5 seconds. Same site, bounce rate dropped from 70% to 35%.

A 1-week pre-launch final checklist

Combining all of the above:

Email & forms
[ ] SPF / DKIM configured, mail-tester score 9+
[ ] Form honeypot or Turnstile hooked up
[ ] Inbox tested 3 times, all 3 land in primary inbox

Mobile & cross-device
[ ] iPhone tested on every page
[ ] Android tested on every page
[ ] iPad / tablet tested

SEO & redirects
[ ] Old URL → new URL mapping done
[ ] 301 redirects configured
[ ] robots.txt is NOT Disallow: /
[ ] sitemap.xml is accessible
[ ] Google Search Console added, sitemap submitted

Performance
[ ] Images converted to webp, dimensions capped
[ ] Lighthouse mobile score > 80
[ ] Hero LCP < 2.5s

Monitoring
[ ] Uptime monitor configured (UptimeRobot free is fine)
[ ] SSL auto-renewal verified
[ ] Error logs have an owner (Sentry free / Vercel logs)

10 items. Each one is "skip it and regret it within a week" tier.

Launch isn't the finish line — it's a handoff

A lot of agencies treat "launch" as project completion. A serious agency treats the first 30 days as the warranty window — bugs surfacing during this period get fixed without re-billing.

If you're preparing to launch, print this checklist and walk through it with your agency. If they dodge, say "these aren't required for launch" — they're not building a site, they're rushing a deliverable.

If you want an agency that treats these 10 items as the floor, not the ceiling, book a 15-minute call. Every project I ship walks through this checklist — not because I'm extra-conscientious, but because skipping these steps guarantees a panicked client call six months later.