Domain Verification Protocol makes domain name verification as easy as verifying an email address or telephone number

Summary

Verification of email addresses and telephone numbers is an important part of online identity and has become as simple as clicking an email verification link, or receiving an SMS verification code. The aim of the Domain Verification protocol is to make it just as easy to verify a domain name.

The Domain Verification Protocol aims to automate the domain name verification process – where a domain name owner is asked to verify that they have control over a domain name. This is currently a process employed by hundreds of companies: giants like Google, Apple, Amazon, Microsoft, Adobe and Cisco, as well as startups.

TL;DR

A Domain Verification record is a DNS TXT record published to a subdomain derived from the hashed email or telephone number of an authorised party. Domain owners and DNS Providers create Domain Verification Records; Service Providers read them.

The traditional domain verification process

This is how domain verification has worked since the mid-2000s:

  1. A domain owner adds their domain name to a service (e.g. Google Search Console, Facebook Business Manager, etc).
  2. The service provider asks the domain owner to verify they have control over the domain name by adding a DNS record (usually a TXT or CNAME record) via their DNS provider.
  3. The domain owner logs into their DNS provider and creates the DNS record.
  4. The service provider queries the newly created DNS record to verify that the domain owner has control over the domain name. If found, the service provider allows the domain owner to add their domain to the service.

The process is repeated for each domain name added to each service provider.

Friction, dangers, inefficiencies and limitations

  • Many domain owners are blocked at steps 2 and 3 of the traditional process, because they don’t understand the service provider’s request or don’t have direct access to their DNS settings. This friction creates a significant barrier to a service provider onboarding their customers.
  • Domain owners can inadvertently break DNS (potentially taking their website / email offline) when adding verification records.
  • Since this process is repeated for each service provider, it’s highly inefficient for users and pollutes DNS zones.
  • Depending on the domain owner’s DNS provider and the DNS tools they offer, it may simply be impossible for the domain owner to add the record requested by the service provider.
  • Where a domain owner instructs a third party to act on their behalf (e.g. SEO agency, social media management, marketing, etc), the third party instructs the domain owner to create the TXT record. This gives the domain owner little control over the permissions granted to the third party by the service provider.

The Domain Verification Protocol process

This is how domain name verification works with the Domain Verification protocol:

  1. A domain owner adds their domain name to a service (e.g. Google Search Console, Facebook Business Manager, etc).
  2. The service provider queries the DNS for a Domain Verification record.
  3. If a record is found: the service provider allows the domain owner to add their domain to the service and the process is complete.
  4. If a record is not found: the service provider instructs the domain owner to create a Domain Verification record and then verifies it at step 2.

Every subsequent service provider can use the same Domain Verification record.

How does it work?

A Domain Verification record is a DNS TXT record published to a subdomain derived from a hashed verifiable identifier (e.g. an email address or telephone number) that an authorised party can prove control over. For more detailed information take a look at the specification.

For DNS Providers and Service Providers

To discuss licensing and implementation please contact us.

Create your Domain Verification record

The Domain Verification protocol is free for domain owners to adopt. You can configure your Domain Verification record now using the tool below.

None of the data you enter will be used for anything other than building your record.
Grant access to all services?
Grant access to any service in these categories:
The association between the domain and verifiable identifier listed above is hidden: only someone who knows both the domain and the verifiable identifier and suspects an association between the two can use a Domain Verification record to confirm the association. However, if this association is highly sensitive – e.g. a website operated anonymously – you can select "Secret" and only authorised Service Providers will be able to verify the association. Technical explanation: we add a salt to the verifiable identifier before hashing it, and only licensed service providers have access to salts.
Description (optional):
Since the verifiable identifier isn't stored in the record itself, you can use a description to help keep track of which record is for which authorised party. For the privacy conscious, it's not recommended to store the verifiable identifier in this field, but you could store a hint. For example, instead of using "john.smith@example.com", use "JS email".
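
The name derivation described under "How does it work?" and the salted "Secret" variant described above, as an added sketch that is not code from the specification or the project. The hash (SHA-256), the base32 label encoding, the "_dv" prefix label, the identifier normalisation, the salt and the TXT values are all assumptions or constructed samples; the specification defines the real ones.

```python
import base64
import hashlib

PREFIX_LABEL = "_dv"  # hypothetical label; the page does not give the real one


def normalise(identifier):
    """Canonicalise so the owner and the verifier hash identical bytes (assumed rules)."""
    ident = identifier.strip()
    if "@" in ident:
        return ident.lower()  # email: lower-case the whole address
    return "+" + "".join(c for c in ident if c.isdigit())  # phone: '+' and digits only


def record_name(identifier, domain, salt=b""):
    """DNS name a record would live at for this identifier and domain."""
    digest = hashlib.sha256(salt + normalise(identifier).encode("utf-8")).digest()
    # A DNS label is limited to 63 octets. SHA-256 in hex is 64 characters and
    # would not fit; unpadded base32 of the same digest is 52 characters.
    label = base64.b32encode(digest).decode("ascii").rstrip("=").lower()
    return f"{label}.{PREFIX_LABEL}.{domain.lower().rstrip('.')}"


def confirm(identifier, domain, zone, salt=b""):
    """Service-provider side: TXT values found for the derived name, else []."""
    return zone.get(record_name(identifier, domain, salt), [])


# Constructed sample data: an in-memory stand-in for the domain's DNS zone.
SALT = b"constructed-salt"  # stands in for a salt held only by licensed providers
ZONE = {
    record_name("john.smith@example.com", "example.org"): ["constructed TXT value"],
    record_name("+44 20 7946 0000", "example.org", SALT): ["constructed secret TXT value"],
}

if __name__ == "__main__":
    print(record_name("john.smith@example.com", "example.org"))
    # Same identifier, different spelling: resolves to the same record.
    print(confirm(" John.Smith@Example.COM", "example.org", ZONE))
    # An identifier the owner never published: nothing to find.
    print(confirm("jane@example.com", "example.org", ZONE))
    # "Secret" record: invisible without the salt, found with it.
    print(confirm("+44 20 7946 0000", "example.org", ZONE))
    print(confirm("+44 20 7946 0000", "example.org", ZONE, SALT))
```

The zone never contains the identifier itself, so a verifier can only test an identifier it already holds; the salted record additionally requires the salt.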