Best Practices for Express Domain Integration
The following best practices ensure the long-term stability and security of your Express Domain Integration. Refer to Set Up a Custom Tracking Domain for the initial setup.
Note: If you are using Custom Proxy Configuration, your organization manages SSL certificates and DNS security policies directly through your CDN provider, and the certificate-related requirements below do not apply.
Maintain required DNS configuration
To ensure your custom tracking domain continues to work reliably and to prevent tracking disruptions, follow these DNS guidelines:
Keep the CNAME record for your custom tracking subdomain pointing to:
customtracking.impact.com.cdn.cloudflare.net
Do not remove or modify this CNAME record unless instructed by impact.com.
We recommend using a low TTL (for example, 300 seconds) to allow faster propagation during recovery or migration.
Carefully review DNS changes before publishing. Incorrect configuration may prevent tracking links from resolving.
Important: Removing or modifying this CNAME record will immediately break your custom tracking domain. SSL certificate issuance and renewal depend on this record remaining in place.
Configure CAA records
If your organization uses Certificate Authority Authorization (CAA) DNS records to restrict which certificate authorities can issue SSL certificates for your domain, you must allow the certificate authority used for your tracking domain.
CAA records configured on a parent domain apply to all subdomains unless overridden.
For example: CAA records on yourcompany.example will also apply to goto.yourcompany.example.
Required CAA record
Add the following record to ensure this issuer is permitted:
yourcompany.example. CAA 0 issue "pki.goog"
SSL certificates are issued through Google Trust Services (pki.goog).
Recommended CAA record
We recommend permitting letsencrypt.org:
yourcompany.example. CAA 0 issue "letsencrypt.org"
This helps prevent disruptions if certificate providers change in the future.
Check your current CAA records
Inspect your domain's CAA records using a DNS lookup tool or the command line: dig CAA yourcompany.example.
If the response is empty (no CAA records), no action is required. All certificate authorities are implicitly permitted.
If the response contains issue entries, verify that pki.goog and letsencrypt.org are included.
If you don't currently have CAA records, you don't need to add them. However, if you add or tighten CAA restrictions in the future, ensure the required issuers remain permitted. Otherwise, SSL certificate renewal will fail and your custom tracking domain will stop working.
Note: CAA records are controlled by your DNS provider. impact.com cannot override CAA restrictions for your domain.
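The check described above can be scripted so that it also covers CAA records inherited from parent domains. The following is an added example, not code from impact.com; the function names caa_lookup, relevant_caa and caa_permits are hypothetical, and it assumes dig is installed.

```shell
#!/bin/sh
# Added example: does CAA policy allow a given CA to issue for a tracking domain?

# CAA RRset for one name in `dig +short` form, e.g. `0 issue "pki.goog"`.
# Redefine this function to test against constructed records offline.
caa_lookup() { dig +short CAA "$1"; }

# Print the relevant CAA RRset: the first non-empty set found while walking
# from the name up through its parents (RFC 8659). Lines that are not CAA
# records, such as the CNAME target dig prints first, are filtered out.
relevant_caa() {
  caa_name=${1%.}
  while [ -n "$caa_name" ]; do
    caa_set=$(caa_lookup "$caa_name." | grep -E '^[0-9]+ [A-Za-z0-9]+ ' || true)
    if [ -n "$caa_set" ]; then printf '%s\n' "$caa_set"; return 0; fi
    case $caa_name in
      *.*) caa_name=${caa_name#*.} ;;
      *)   caa_name= ;;
    esac
  done
  return 1
}

# Exit 0 if issuer $2 may issue a non-wildcard certificate for domain $1.
# No CAA records, or a set with no `issue` entries, means no restriction.
caa_permits() {
  caa_found=$(relevant_caa "$1") || return 0
  printf '%s\n' "$caa_found" | awk -v want="$2" '
    tolower($2) == "issue" {
      restricted = 1
      v = $0
      sub(/^[0-9]+ [A-Za-z0-9]+ /, "", v)   # drop flags and tag
      gsub(/"/, "", v); sub(/;.*/, "", v)   # drop quotes and parameters
      gsub(/[ \t]/, "", v)
      if (tolower(v) == tolower(want)) ok = 1
    }
    END { exit (restricted && !ok) }'
}

# Usage: sh caa-check.sh goto.yourcompany.example
if [ "$#" -gt 0 ]; then
  for ca in pki.goog letsencrypt.org; do
    if caa_permits "$1" "$ca"; then echo "$1: $ca permitted"
    else echo "$1: $ca BLOCKED by CAA"; fi
  done
fi
```

The script does not evaluate issuewild entries or the critical flag, so treat a "permitted" result as a first check and not as proof that issuance will succeed.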
Coordinate DNS and security changes
Before making changes to your tracking domain or its parent domain, coordinate with your internal DNS or security team and notify your impact.com Customer Success (CS) Team.
Before applying changes, we recommend:
Confirming that the required CNAME target (customtracking.impact.com.cdn.cloudflare.net) will remain in place.
Confirming that the required CAA issuer (pki.goog) remains permitted at all applicable domain levels.
Reviewing changes carefully to ensure they don't affect DNS resolution or SSL certificate issuance for your tracking domain.
Changes that can affect your custom tracking domain
CNAME records (tracking subdomain or parent domain)
CAA records at any level of the domain hierarchy
DNSSEC configuration
DNS provider migration or hosting changes
Domain ownership, delegation, or registrar transfers
Security policies that affect certificate issuance or DNS resolution
SSL certificate management
SSL certificates for your custom tracking domain are automatically provisioned and renewed by impact.com via Cloudflare.
Don't attempt to issue, install, or manage SSL certificates for your tracking subdomain manually.
Don't provision certificates for your tracking subdomain through a separate certificate authority. This may conflict with automated renewal.
No action is required for certificate renewal under normal operation.
Verify your tracking domain regularly
Confirm your tracking domain is working by visiting the following endpoint in your browser:
Replace goto.yourcompany.example with your tracking domain.
A healthy response will contain tracking.
If this endpoint does not load, returns a certificate error, or does not contain appName: tracking, your custom tracking domain may not be functioning correctly. We recommend checking this endpoint after any DNS or security changes and setting up automated monitoring to detect issues before they affect tracking.
Troubleshooting and support
If your tracking domain stops resolving or links stop redirecting:
Verify your CNAME record is still pointing to customtracking.impact.com.cdn.cloudflare.net.
Check for recent changes in DNS, CAA, or security settings.
Contact support and provide your custom tracking domain, when the issue started, and any recent security changes.

