# Best Practices for Express Domain Integration

The following best practices ensure the long-term stability and security of your *Express Domain Integration*. Refer to [Set Up a Custom Tracking Domain](/brand/what-would-you-like-to-learn-about/platform-features/tracking/set-up-tracking/set-up-a-custom-tracking-domain.md) for the initial setup.

{% hint style="success" %}
**Note:** If you are using Custom Proxy Configuration, your organization manages SSL certificates and DNS security policies directly through your CDN provider, and the certificate-related requirements below do not apply.
{% endhint %}

#### Maintain required DNS configuration

To ensure your custom tracking domain continues to work reliably and to prevent tracking disruptions, follow these DNS guidelines:

* Keep the CNAME record for your custom tracking subdomain pointing to:

```
customtracking.impact.com.cdn.cloudflare.net
```

* Do not remove or modify this CNAME record unless instructed by impact.com.
* We recommend using a low TTL (for example, 300 seconds) to allow faster propagation during recovery or migration.
* Carefully review DNS changes before publishing. Incorrect configuration may prevent tracking links from resolving.

{% hint style="warning" %}
**Important:** Removing or modifying this CNAME record will immediately break your custom tracking domain. SSL certificate issuance and renewal depend on this record remaining in place.
{% endhint %}

#### Configure CAA records

If your organization uses *Certificate Authority Authorization (CAA)* DNS records to restrict which certificate authorities can issue SSL certificates for your domain, you must allow the certificate authority used for your tracking domain.

CAA records configured on a parent domain apply to all subdomains unless overridden.

{% hint style="info" %}
**For example:** CAA records on `yourcompany.example` will also apply to `goto.yourcompany.example`.
{% endhint %}

<details>

<summary>Required CAA record</summary>

Add and ensure the following issuer is permitted:

`yourcompany.example. CAA 0 issue "pki.goog"`

SSL certificates are issued through Google Trust Services (`pki.goog`).

</details>

<details>

<summary>Recommended CAA record</summary>

We recommend permitting `letsencrypt.org`:

`yourcompany.example. CAA 0 issue "letsencrypt.org"`

This helps prevent disruptions if certificate providers change in the future.

</details>

<details>

<summary>Check your current CAA records</summary>

Inspect your domain's CAA records using a DNS lookup tool or the command line: `dig CAA yourcompany.example`.

If the response is empty (no CAA records), no action is required. All certificate authorities are implicitly permitted.

If the response contains `issue` entries, verify that `pki.goog` and `letsencrypt.org` are included.

If you don't currently have CAA records, you don't need to add them. However, if you add or tighten CAA restrictions in the future, ensure the required issuers remain permitted. Otherwise, SSL certificate renewal will fail and your custom tracking domain will stop working.

{% hint style="success" %}
**Note:** CAA records are controlled by your DNS provider. impact.com cannot override CAA restrictions for your domain.
{% endhint %}

</details>

#### Coordinate DNS and security changes

Before making changes to your tracking domain or its parent domain, coordinate with your internal DNS or security team and notify your impact.com Customer Success (CS) Team.

Before applying changes, we recommend:

* Confirming that the required CNAME target (`customtracking.impact.com.cdn.cloudflare.net`) will remain in place.
* Confirming that the required CAA issuer (`pki.goog`) remains permitted at all applicable domain levels.
* Reviewing changes carefully to ensure they don't affect DNS resolution or SSL certificate issuance for your tracking domain.

<details>

<summary>Changes that can affect your custom tracking domain</summary>

* CNAME records (tracking subdomain or parent domain)
* CAA records at any level of the domain hierarchy
* DNSSEC configuration
* DNS provider migration or hosting changes
* Domain ownership, delegation, or registrar transfers
* Security policies that affect certificate issuance or DNS resolution

</details>

#### SSL certificate management

SSL certificates for your custom tracking domain are automatically provisioned and renewed by impact.com via Cloudflare.

* Don't attempt to issue, install, or manage SSL certificates for your tracking subdomain manually.
* Don't provision certificates for your tracking subdomain through a separate certificate authority. This may conflict with automated renewal.
* No action is required for certificate renewal under normal operation.

#### Verify your tracking domain regularly

Confirm your tracking domain is working by visiting the following endpoint in your browser:

Replace `goto.yourcompany.example` with your tracking domain.

```
https://goto.yourcompany.example/monitor-stats/ma_hostInfo.appName
```

A <mark style="color:$success;">healthy</mark> response will contain `tracking`.

If this endpoint does not load, returns a certificate error, or does not contain `appName: tracking`, your custom tracking domain may not be functioning correctly. We recommend checking this endpoint after any DNS or security changes and setting up automated monitoring to detect issues before they affect tracking.

#### Troubleshooting and support

If your tracking domain stops resolving or links stop redirecting:

1. Verify your CNAME record is still pointing to:

```
customtracking.impact.com.cdn.cloudflare.net
```

2. Check for recent changes in DNS, CAA, or security settings.
3. [Contact support](https://app.impact.com/support/portal.ihtml?createTicket=true) and provide your custom tracking domain, when the issue started, and any recent security changes.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://help.impact.com/brand/what-would-you-like-to-learn-about/platform-features/tracking/set-up-tracking/best-practices-for-express-domain-integration.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.