by elliottinvent 1135 days ago
Thanks for your feedback.

> So what's the actual verification process look like? You give the SP the subdomain generated and they query TXT records from there? How does the actual verification work here, and when/how does the user receive an email?

1. You sign up to a service provider like Google Ads

2. They verify your email as part of normal onboarding

3. You tell them you own example.com (no need to give them a subdomain)

4. They run a Domain Verification check using your already verified email (they hash your email and run a DNS query based on that hash)

  a) If the check passes, your domain is verified

  b) If the check fails, they could invite you to verify another email (back to step 4)

5. If Domain Verification isn't ultimately successful, they can either:

  a) instruct you to create a DV record; or

  b) default to the current domain verification method (store a random string in DNS)

Does this mean this service doesn't work if you use unique email addresses for different services? By that I mean example+tag@gmail.com, catch-all email addresses, Apple's and Mozilla's email anonymization services, and so on.
Really interesting point, thanks.

> Does this mean this service doesn't work if you use unique email addresses for different services?

It wouldn't work "out of the box".

The DNS record is stored at a DNS location based on the hash of the email, so you would need to:

a. Set up a domain verification record for each email (not that realistic); or

b. Use an email address specifically for domain verification (a different one to your unique user email) and consider any non-verification emails to be spam

Immediate thoughts are that the spec could encourage service providers to run two checks if the email address includes a tag. Given the email:

example+tag@gmail.com, they first check for a Domain Verification record for example+tag@gmail.com, then tag@gmail.com

However, this would seem to introduce an attack vector for users with email providers that don't recognise tagging.

I'll give this some more thought, thanks a lot for bringing it up – exactly why I'm here.
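The verification flow from the numbered steps above (hash the already-verified email, derive a DNS name from the hash, look for the DV record there) and the two-check idea for tagged addresses, as an added example that is not part of the thread or of the proposed spec. The hash algorithm (SHA-256), the `_dv` label, the `v=dv1` record text, the in-memory dict standing in for DNS, and the allow-list of providers known to treat `+tag` as the same mailbox are all assumptions; the tag-stripped form is taken to be the local part before the `+`, and the fallback check is only run for providers on that allow-list, which is one way to avoid the cross-user match the comment above warns about.

```python
import hashlib

def dv_record_name(email: str, domain: str) -> str:
    """Derive the DNS name at which the Domain Verification record lives.
    SHA-256, the 32-hex-char label and the '_dv' prefix are assumptions."""
    digest = hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()
    return f"{digest[:32]}._dv.{domain}"

def publish_dv_record(email: str, domain: str, dns: dict) -> str:
    """Step 5a: the domain owner creates the DV record for a chosen email.
    `dns` is a constructed stand-in (name -> list of TXT values)."""
    name = dv_record_name(email, domain)
    dns.setdefault(name, []).append("v=dv1")  # record text is assumed
    return name

def candidate_emails(email: str, tagging_providers: frozenset) -> list:
    """Full address first; the tag-stripped form only when the provider is
    known to treat '+tag' as the same mailbox (assumed allow-list), so a
    literal '+' in another provider's address never maps to someone else."""
    local, _, host = email.strip().lower().rpartition("@")
    candidates = [f"{local}@{host}"]
    if "+" in local and host in tagging_providers:
        candidates.append(f"{local.split('+', 1)[0]}@{host}")
    return candidates

def verify_domain(email: str, domain: str, dns: dict,
                  tagging_providers: frozenset = frozenset({"gmail.com"})):
    """Step 4: hash the already-verified email and look for the DV record.
    Returns the email whose record matched, or None if the check fails."""
    for candidate in candidate_emails(email, tagging_providers):
        if "v=dv1" in dns.get(dv_record_name(candidate, domain), []):
            return candidate
    return None

if __name__ == "__main__":
    zone = {}  # constructed: nothing published yet
    print(verify_domain("alice@gmail.com", "example.com", zone))      # None
    publish_dv_record("alice@gmail.com", "example.com", zone)
    print(verify_domain("alice+ads@gmail.com", "example.com", zone))  # alice@gmail.com
```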