Back to Blog
domain verification saas security best practices

Domain Verification Best Practices for SaaS Platforms

Learn how to implement domain ownership verification securely and efficiently in your SaaS application, with practical tips and common pitfalls to avoid.

D
By DomChekr Team ·

Domain ownership verification is a critical security step for any SaaS platform that allows users to connect their own domains. Whether you’re building a white-label solution, a custom email sender, or a multi-tenant application, verifying that your users actually own the domains they claim is non-negotiable.

Why Domain Verification Matters

Without proper domain verification, your platform is vulnerable to a range of attacks:

  • Domain hijacking: A malicious user could claim ownership of a domain they don’t control, redirecting traffic or intercepting sensitive data.
  • Phishing enablement: Unverified domains can be used to send fraudulent emails on behalf of legitimate brands.
  • Compliance failures: Many regulations (GDPR, DMARC policies) require proof of domain ownership before certain actions are permitted.

Choosing the Right Verification Method

Different verification methods suit different user types. Here’s when to use each:

DNS TXT Records

Best for: Technical users, developers, DevOps teams.

DNS TXT record verification is the gold standard. It’s reliable, doesn’t require the domain’s website to be online, and persists across server changes. The user adds a TXT record to their DNS zone, and you query it to confirm ownership.

domchekr-verification=abc123xyz

Pros: Works without a web server, survives website migrations, easy to automate. Cons: Requires DNS access, can take up to 48 hours to propagate (though usually minutes).

HTML Meta Tag

Best for: Non-technical users with website access.

Users add a <meta> tag to their homepage’s <head> section. This is familiar to anyone who has verified a site with Google Search Console.

<meta name="domchekr-verification" content="abc123xyz" />

Pros: No DNS knowledge needed, verifiable immediately. Cons: Fails if the website goes down, breaks if the tag is removed during a theme update.

File Upload

Best for: Users with FTP/SFTP access but limited DNS control.

A verification file is placed at a well-known path on the domain’s web server (e.g., /.well-known/domchekr-abc123xyz.txt).

Pros: Straightforward for hosting-savvy users. Cons: Requires web server access, file must remain in place.

Implementation Tips

1. Generate Cryptographically Secure Tokens

Never use predictable tokens. Use a cryptographically secure random generator:

import { randomBytes } from 'crypto';


function generateVerificationToken(): string {
  return randomBytes(32).toString('hex');
}

2. Set Reasonable Expiry Windows

Tokens should expire if unused, but give users enough time to act — 7 to 30 days is a reasonable window for most SaaS products.

3. Re-verify Periodically

Domain ownership can change. Build in periodic re-verification (monthly or quarterly) so that if a customer transfers or loses a domain, your platform detects it promptly via webhooks.

4. Provide Clear Error Messages

Vague errors kill user experience. If verification fails, tell users exactly what you found and what you expected:

❌ DNS TXT record not found. Expected: domchekr-verification=abc123xyz on example.com. Make sure you added it to the root of your domain, not a subdomain.

5. Use a Dedicated API

Building domain verification in-house is error-prone and time-consuming. APIs like DomChekr handle the complexity — multiple verification methods, automatic retries, webhook notifications, and monitoring — so your team can focus on your core product.

Common Pitfalls

  • Polling too aggressively: Check verification status at a reasonable interval. Hammering DNS servers can get your IPs rate-limited or blocked.
  • Not handling subdomain verification separately: app.example.com and example.com are different domains. Make sure your verification logic treats them independently.
  • Forgetting about TTL: DNS TTL values mean recent changes may not be visible immediately. Build in retry logic with exponential backoff.
  • No monitoring after verification: Domains expire, DNS records get deleted, websites go offline. Continuous monitoring after initial verification protects both you and your users.

Conclusion

Domain verification done right builds trust with your users and protects your platform. The key is to offer multiple verification methods to accommodate different technical skill levels, provide clear guidance and error messages, and monitor verified domains continuously.

If you’d rather not build all of this yourself, DomChekr provides an API-first platform with all four verification methods, real-time webhooks, and enterprise-grade reliability — so you can integrate in minutes instead of months.