Best Practices for Express Domain Integration

The following best practices ensure the long-term stability and security of your Express Domain Integration. Refer to Set Up a Custom Tracking Domain for the initial setup.

circle-check

Maintain required DNS configuration

To ensure your custom tracking domain continues to work reliably and to prevent tracking disruptions, follow these DNS guidelines:

  • Keep the CNAME record for your custom tracking subdomain pointing to:

customtracking.impact.com.cdn.cloudflare.net
  • Do not remove or modify this CNAME record unless instructed by impact.com.

  • We recommend using a low TTL (for example, 300 seconds) to allow faster propagation during recovery or migration.

  • Carefully review DNS changes before publishing. Incorrect configuration may prevent tracking links from resolving.

circle-exclamation

Configure CAA records

If your organization uses Certificate Authority Authorization (CAA) DNS records to restrict which certificate authorities can issue SSL certificates for your domain, you must allow the certificate authority used for your tracking domain.

CAA records configured on a parent domain apply to all subdomains unless overridden.

circle-info

For example: CAA records on yourcompany.example will also apply to goto.yourcompany.example.

chevron-rightRequired CAA recordhashtag

Add and ensure the following issuer is permitted:

yourcompany.example. CAA 0 issue "pki.goog"

SSL certificates are issued through Google Trust Services (pki.goog).

chevron-rightCheck your current CAA recordshashtag

Inspect your domain's CAA records using a DNS lookup tool or the command line: dig CAA yourcompany.example.

If the response is empty (no CAA records), no action is required. All certificate authorities are implicitly permitted.

If the response contains issue entries, verify that pki.goog and letsencrypt.org are included.

If you don't currently have CAA records, you don't need to add them. However, if you add or tighten CAA restrictions in the future, ensure the required issuers remain permitted. Otherwise, SSL certificate renewal will fail and your custom tracking domain will stop working.

circle-check

Coordinate DNS and security changes

Before making changes to your tracking domain or its parent domain, coordinate with your internal DNS or security team and notify your impact.com Customer Success (CS) Team.

Before applying changes, we recommend:

  • Confirming that the required CNAME target (customtracking.impact.com.cdn.cloudflare.net) will remain in place.

  • Confirming that the required CAA issuer (pki.goog) remains permitted at all applicable domain levels.

  • Reviewing changes carefully to ensure they don't affect DNS resolution or SSL certificate issuance for your tracking domain.

chevron-rightChanges that can affect your custom tracking domainhashtag
  • CNAME records (tracking subdomain or parent domain)

  • CAA records at any level of the domain hierarchy

  • DNSSEC configuration

  • DNS provider migration or hosting changes

  • Domain ownership, delegation, or registrar transfers

  • Security policies that affect certificate issuance or DNS resolution

SSL certificate management

SSL certificates for your custom tracking domain are automatically provisioned and renewed by impact.com via Cloudflare.

  • Don't attempt to issue, install, or manage SSL certificates for your tracking subdomain manually.

  • Don't provision certificates for your tracking subdomain through a separate certificate authority. This may conflict with automated renewal.

  • No action is required for certificate renewal under normal operation.

Verify your tracking domain regularly

Confirm your tracking domain is working by visiting the following endpoint in your browser:

Replace goto.yourcompany.example with your tracking domain.

A healthy response will contain tracking.

If this endpoint does not load, returns a certificate error, or does not contain appName: tracking, your custom tracking domain may not be functioning correctly. We recommend checking this endpoint after any DNS or security changes and setting up automated monitoring to detect issues before they affect tracking.

Troubleshooting and support

If your tracking domain stops resolving or links stop redirecting:

  1. Verify your CNAME record is still pointing to:

  1. Check for recent changes in DNS, CAA, or security settings.

  2. Contact supportarrow-up-right and provide your custom tracking domain, when the issue started, and any recent security changes.

Last updated

Was this helpful?