Why We Chose TXT Record Validation for Domains

When we built custom domain support for Jottings, one of the first decisions we had to make was: how do we verify that you actually own the domain you're trying to connect?

It's a deceptively simple question with profound implications for security. We could have chosen several different approaches, but we landed on TXT record validation—and I want to explain why, because it teaches you something about how secure platforms work.

The Problem We're Solving

Imagine I'm a malicious actor and I notice that your website gets decent traffic. What if I could somehow make yourdomain.com point to my Jottings site, so all your traffic flows to my content? Or worse, I could impersonate you to your audience.

Without domain verification, this would be trivially easy. When you add a custom domain to Jottings, we need to prove beyond doubt that you control that domain's DNS, not some attacker.

This is why every major hosting provider, from Vercel to GitHub Pages to Squarespace, requires some form of domain verification. The question is which approach to use.

The Alternatives (And Why We Didn't Choose Them)

CNAME-Only Verification

How it works: You point a CNAME record from your domain to our server. We check if it resolves correctly, and boom—you own it.

Why it seemed tempting: It's the simplest setup for users. Just one DNS record instead of multiple.

Why we rejected it: CNAME records have a critical weakness. You can only have one CNAME per hostname. So if you already have a CNAME pointing to another service (like a CDN), you can't add a CNAME to Jottings without breaking that connection.

TXT records, by contrast, can coexist with other DNS records. A hostname can carry A records, MX records, and multiple TXT records at once without conflict, so adding a verification TXT record doesn't displace anything you already rely on.

Email-Based Verification

How it works: We send a verification email to admin@yourdomain.com or a domain contact email. You click the link, and we trust you.

Why it seemed tempting: It feels familiar—every SaaS app does this for email verification.

Why we rejected it: Email addresses for domain admin contacts aren't always current or secure. An attacker might have hijacked your email provider account, or you might have used a third-party registrar that controls the email. Worse, email is unencrypted and vulnerable to spoofing.

DNS-based verification gives a stronger proof of control. If you control the DNS for a domain, you genuinely control that domain in a way that email-based checks can't guarantee.

HTTP/File Upload Verification

How it works: You upload a verification file to your domain at a specific URL (e.g., yourdomain.com/.well-known/jottings-verification.txt). We fetch it and confirm it matches our token.

Why it seemed tempting: It's another DNS-free option, and it mirrors how Let's Encrypt and other certificate authorities work.

Why we rejected it: This approach requires your domain to be publicly accessible and serving HTTP/HTTPS correctly. If you're in the middle of setting up your domain, migrating hosting, or you've had an outage, verification would fail. It's also more fragile: it depends on your web server being configured correctly.

With TXT records, verification is purely at the DNS level, independent of whether your web server is running, what software you're using, or your infrastructure setup.

How TXT Record Validation Works

Here's the technical flow when you connect a custom domain to your Jottings site:

Step 1: You Add Your Domain

You enter blog.example.com in the Jottings dashboard and click "Connect Domain."

Step 2: We Create Records with Cloudflare

We work with Cloudflare's SSL for SaaS platform (which powers our domain feature) to generate the records you need to add:

  1. A TXT record for ownership verification - This proves you control the DNS
  2. A TXT record for SSL validation - This proves you control the domain for certificate issuance
  3. A CNAME record for routing - This points your traffic to our servers

Step 3: You Add DNS Records

You log into your domain registrar or DNS host (GoDaddy, Namecheap, whatever) and add these records. The change typically takes 5-60 minutes to propagate.

Step 4: We Verify

When you click "Check Verification" (or when you visit your site), our system queries your DNS looking for those TXT records. If they're there and correct, we know you own the domain.

User controls domain registrar →
User adds TXT record to DNS →
Jottings queries public DNS →
TXT record matches our token →
Verification succeeds

Step 5: SSL Certificate Issued

Cloudflare validates the second TXT record, issues an SSL certificate, and your site is live with HTTPS.

The whole process typically takes 15-90 minutes from start to finish, depending on DNS propagation times.

Why TXT Records Are More Secure

They Prove Direct Control

When you add a TXT record to your domain's DNS, you're accessing the authoritative source of truth for that domain. There's no middleman, no third-party platform, no email bouncing around. You literally changed the DNS configuration.

An attacker would need to compromise your domain registrar account, not just your email or website.

They're Immutable During Verification

Once you add the TXT record, we can verify it repeatedly. Compare that with an emailed link, which is a one-shot token that can be intercepted: a TXT record can't be captured in transit the same way. It stays in DNS, and only the domain owner (who controls registrar access) can remove it.

They're Cryptographically Validated

DNS responses themselves aren't encrypted or signed by default (DNSSEC adds optional cryptographic signing), but the DNS lookup process is standardized and auditable. Major DNS providers have massive infrastructure and redundancy. If they report that a TXT record exists, it's almost certainly accurate.

They're Service-Agnostic

Unlike email verification, which depends on email provider security, or CNAME verification, which depends on the hostname not already having a CNAME, TXT records work regardless of your other infrastructure. You could be migrating servers, your email could be down, your website might be temporarily broken: none of it matters.

The User Experience Tradeoff

I won't pretend TXT records are perfect. The tradeoff is slightly more complex than, say, email verification:

  • Email verification: Click link, done. Single step.
  • TXT record verification: Add the DNS records, wait for propagation, click verify. Multiple steps.

But here's what we discovered: users who care about security (which is most of our users—they're running their own presence online) appreciate the extra step. It feels more reliable, and it is more reliable.

Plus, once you've done it once, you understand the process. Most people add a domain once and never touch it again. The one-time friction is worth the security guarantee.

What Happens Next

After verification completes:

  1. Cloudflare issues an SSL certificate automatically (this is separate from the TXT verification, but uses the same records)
  2. We update our Workers KV store with the mapping from your custom domain to your Jottings site
  3. Your site is live at blog.example.com with full HTTPS support
  4. We continue auto-checking your DNS records in the background to ensure they stay valid

If for some reason verification times out (we give you 24 hours), you can restart the process with a single click.

Why This Matters for You

If you run any online platform—a blog, newsletter, portfolio, or community—domain verification is the security foundation everything else is built on.

By choosing TXT record validation, we're saying: we trust the DNS system, not our own verification backend, to prove you own your domain. It's paranoid in the best way. We could make verification faster and easier, but we wouldn't gain security. We'd lose it.

When you're building something that's yours—your voice, your community, your audience—you want the platform holding it to be paranoid about security too.


Have questions about setting up a custom domain? Head over to our custom domains documentation or reach out to support. We're here to help make the process as smooth as possible.

And if you prefer the simplicity of Jottings' default subdomain.jottings.me address? Totally fine. Custom domains are there when you need them, not before.