Custom domains, DNS, SSL, all the terms explained.
Working definitions of the terms SaaS teams keep running into when they ship custom domains. No fluff, no marketing copy, links to the real-world implementation where it matters.
114 terms across 8 categories.
Custom Domains & SaaS (22 terms)
- ALIAS record
A non-standard DNS record type that behaves like a CNAME but is allowed at the apex. Implemented by several DNS providers under different names.
- ANAME record
DNS Made Easy's branded version of ALIAS / CNAME flattening. Same purpose: CNAME-like behavior at the apex, returning A records to resolvers.
- Apex domain (naked / root domain)
The bare domain without any subdomain prefix. The DNS standard doesn't allow CNAME records here, which is the root cause of a lot of custom-domain setup pain.
- Bring your own domain (BYOD)
A SaaS feature where users provide a domain they already own and the SaaS makes it work, instead of the SaaS selling them the domain.
- CNAME flattening
A DNS provider feature that lets you publish a CNAME-like record at the apex by resolving it server-side and returning A records to the resolver.
- Custom domain
A domain a customer points at a SaaS product so their content serves under their own brand instead of the SaaS's default URL.
- Custom domain API
A REST API that lets a SaaS product accept and serve traffic on customer-owned hostnames, including TLS, routing, and DNS monitoring.
- Custom domains as a service
The category of SaaS that abstracts custom-domain infrastructure (TLS, routing, DNS monitoring) behind an API so other SaaS don't have to build it.
- DNS API
An API that lets you read and write DNS records programmatically. The underlying primitive most custom-domain SaaS products build on top of.
- DNS provisioning
Programmatic creation and management of DNS records via API. The plumbing under any 'connect your domain' flow in a SaaS app.
- Domain API
A REST API for buying, transferring, and managing domain names programmatically. The registrar's automation layer for resellers and SaaS apps.
- Domain aliasing
Mapping one domain to another so requests for the alias are served by the target. Implemented at DNS (CNAME), HTTP (redirect), or routing layer (transparent proxy).
- Domain forwarding
An HTTP redirect that sends users from one domain to another. The address bar changes. Different from domain mapping, which is invisible to users.
- Domain mapping
Configuring a domain so requests to it are routed to a different destination at the application layer (e.g. proxied to your SaaS) rather than redirected via HTTP.
- Domain redirect (301 vs 302)
Two HTTP status codes for redirects. 301 means 'permanent, update your bookmarks'; 302 means 'temporary, keep coming to the original'. The choice affects SEO.
- Multi-tenant custom domains
The architecture pattern for a SaaS serving thousands of customer-owned hostnames from a shared application backend, including per-domain TLS and per-domain routing.
- Subdomain
A label prefixed to a domain, like 'shop' in shop.example.com. Used to delegate sections of a domain to different services or tenants.
- Vanity URL
A branded short URL. Often used loosely as a synonym for vanity domain; more precisely a path-based or shortener-style branded link.
- Vanity domain
A branded version of a SaaS-provided URL. Often a synonym for custom domain, sometimes used specifically for subdomains of the SaaS host.
- Webhook (DNS / domain events)
Webhooks that fire when DNS or domain state changes (verified, cert issued, expired). The plumbing for keeping your app in sync with the domain platform.
- White-label domain
A custom domain served by a SaaS in a way that completely hides the SaaS's name from end-users. The certificate, the HTTP headers, and the UI all read as the customer's brand.
- Wildcard domain
A DNS record like *.example.com that matches every single-label subdomain. The foundation of cheap multi-tenant SaaS routing.
DNS Concepts (28 terms)
- A record
The DNS record type that maps a hostname to an IPv4 address. The fundamental routing primitive of the internet.
- AAAA record
The IPv6 equivalent of an A record. Maps a hostname to an IPv6 address (128-bit, written in colon-separated hex groups).
- Anycast DNS
DNS hosting where the same IP is announced from many physical locations. Queries route to the nearest. The reason Cloudflare and Route 53 are fast everywhere.
- Authoritative DNS
The DNS servers that hold the canonical records for a zone. Where the buck stops when a resolver needs an authoritative answer.
- CAA record
A DNS record that whitelists which Certificate Authorities can issue certs for your domain. A security control that prevents rogue cert issuance.
- CNAME record
A DNS record that maps a hostname to another hostname. The standard way to delegate a custom domain to a SaaS edge.
- DNS TTL (time to live)
How many seconds a DNS resolver caches a record before re-querying the authoritative server. Lower TTL means faster changes; higher TTL means less load and faster lookups.
- DNS cache
Stored DNS answers held by resolvers (and the OS, and apps) to skip future lookups. The reason DNS scales; also the reason changes take time to propagate.
- DNS flush
Clearing the locally-cached DNS answers so the next query goes back out to the network. Useful for debugging when 'I just changed DNS but I'm still seeing the old value'.
- DNS lookup
The process of converting a hostname like example.com into an IP address. The user-visible side of every web request.
- DNS over HTTPS (DoH)
DNS queries tunneled over HTTPS. Encrypts the DNS lookup so network operators can't see which domains you're resolving, and can't tamper with the answers.
- DNS over TLS (DoT)
DNS queries tunneled over TLS on port 853. Same goal as DoH (encrypt DNS) but uses a dedicated port instead of hiding inside HTTPS traffic.
- DNS propagation
The window of time during which a DNS change has been made at the authoritative server but not yet reached every recursive resolver. Usually minutes to hours.
- DNS resolution
The end-to-end process of turning a domain name into an IP, including caching and the chain from recursive resolver to authoritative server.
- DNS zone / zone file
A DNS zone is a delegated chunk of the domain namespace. A zone file is the on-disk text representation of one. The fundamental unit of DNS administration.
- DNSSEC
DNS Security Extensions. A way to cryptographically sign DNS records so resolvers can verify they haven't been tampered with in transit.
- DS record
Delegation Signer. A DNS record at the parent zone that confirms the child zone's DNSSEC key. The link that makes DNSSEC work across zone boundaries.
- GeoDNS / Geo-routing
DNS that returns different IPs based on the geographic location of the querier. Used to route users to the closest region.
- MX record
A DNS record that tells the world where to deliver email for a domain. Each MX carries a priority value; publishing several MX records gives senders a failover order.
- NS record
A DNS record that lists the authoritative nameservers for a zone. Tells the rest of the internet where to ask about records in this zone.
- PTR record
The reverse-DNS record. Maps an IP address back to a hostname. Used by mail servers, logs, and security scanners.
- Recursive DNS resolver
The DNS server that walks the chain from root → TLD → authoritative on behalf of a client and returns the final answer. Caches results aggressively.
- Reverse DNS (rDNS)
Looking up the hostname associated with an IP address, the inverse of normal DNS. Used heavily by mail servers and security tools.
- SOA record
The 'Start of Authority' DNS record at the zone apex. Holds metadata about the zone: primary NS, admin email, serial number, refresh timers.
- SRV record
A DNS record that maps a service name to a host and port. Used by SIP, XMPP, and modern service-discovery tools.
- Split-horizon DNS
DNS that returns different answers depending on who's asking. Used to serve internal IPs to corporate users and public IPs to everyone else.
- TLSA record
A DNS record that pins a TLS certificate to a hostname via DANE. Lets clients verify the cert via DNSSEC instead of the public CA system.
- TXT record
A DNS record that stores arbitrary text. Used for domain ownership verification, SPF email policies, DKIM signatures, and ACME certificate validation.
SSL / Certificates (24 terms)
- ACME protocol
RFC 8555: the standard protocol for automating certificate issuance and renewal. The reason Let's Encrypt and other free CAs work without humans in the loop.
- Certificate authority (CA)
An organization that issues TLS certificates and whose root key is trusted by browsers and operating systems. The 'who signs your cert' in HTTPS.
- Certificate expired error
The cert's Not After date has passed. Browsers refuse to load the page. The only fix is renewal — there's no client-side workaround that doesn't compromise security.
- Certificate provisioning
The end-to-end process of getting a fresh certificate onto your edge for a newly added domain. The bottleneck of scaling a custom-domain SaaS.
- Certificate renewal
Re-issuing a TLS certificate before it expires. With Let's Encrypt (90-day certs), this is an unavoidable recurring task; at SaaS scale, it must be automated.
- Certificate transparency (CT logs)
Public append-only logs of every TLS certificate issued by trusted CAs. Browsers refuse certs that aren't in CT logs. Lets you find every cert issued for your domain.
- HSTS
HTTP Strict Transport Security. A response header that tells browsers 'never load this domain over plain HTTP again'. Forces HTTPS-only.
- HTTP 525 error
Cloudflare-specific error: TLS handshake between Cloudflare and your origin server failed. Almost always a certificate or SNI problem at the origin.
- HTTP 526 error
Cloudflare error: TLS handshake to your origin succeeded but the origin's certificate isn't trusted. Means a self-signed or expired origin cert.
- Let's Encrypt
A free, automated, public Certificate Authority. The default issuer for most modern SaaS custom-domain setups.
- Multi-domain certificate
Another name for a SAN certificate. A single cert valid for multiple hostnames listed in the Subject Alternative Name field.
- NET::ERR_CERT_COMMON_NAME_INVALID
Chrome error when the hostname you typed doesn't match any name on the server's certificate. The user's only fix is the site owner re-issuing the cert.
- SAN certificate
A TLS certificate that covers multiple hostnames in one file via the Subject Alternative Name extension. The standard way to cover several names per cert.
- SNI (Server Name Indication)
Server Name Indication. A TLS extension that lets the client tell the server which hostname it's connecting to, before the cert is presented. Required for hosting many TLS sites on one IP.
- SSL certificate
A digital file that binds a public key to a domain and is signed by a trusted Certificate Authority. The proof browsers use to trust HTTPS connections.
- SSL handshake failed
A generic error that means the TLS handshake between the client and your server didn't complete. Usually one of four root causes; mostly fixable.
- SSL/TLS handshake
The negotiation at the start of every HTTPS connection where client and server agree on a cipher, exchange keys, and verify the certificate.
- Self-signed certificate
A cert signed by its own private key, not by a trusted CA. Useful for testing; browsers reject it for production sites.
- TLS certificate
The proper name for what most people call an SSL certificate. SSL was deprecated in 2015; today's connections use TLS, but the 'SSL' name stuck.
- TLS handshake failed
The error that fires when a browser and server can't agree on how to set up a TLS connection. Usually means cert, protocol, or cipher mismatch.
- TLS termination
The point in your infrastructure where the TLS handshake completes and the data is decrypted. Usually at the edge or load balancer, not the app servers.
- Wildcard SSL certificate
A cert valid for *.example.com — covering any single-label subdomain. Useful for tenant subdomains; not useful for unrelated customer domains.
- X.509
The standard format for public-key certificates. Every TLS certificate, every PKI artifact you've ever encountered, is X.509.
- mTLS (mutual TLS)
Mutual TLS. Both client and server present a certificate during the handshake. Used for machine-to-machine auth without API keys.
Domain Verification (7 terms)
- DNS as code
Managing DNS records in a Git repo and applying them via CI/CD. Treats DNS like Terraform-managed infra instead of clicky-clicky panel state.
- DNS challenge (ACME DNS-01)
DNS-01 proves domain control by publishing a TXT record. The only ACME challenge that works for wildcard certs and on hosts not reachable on port 80.
- DNS template
A reusable set of DNS records you apply to many domains. Cuts the per-customer DNS setup from a 10-record checklist to a single apply.
- DNS verification
The step in custom-domain onboarding where a SaaS confirms the customer actually owns or controls the domain by checking a record only they could have set.
- Domain Connect protocol
An open standard that lets SaaS apps configure DNS at the customer's DNS provider with a single click, no copy-paste of records required.
- Domain Connect template
A JSON document hosted by a SaaS app that lists DNS records to apply at the customer's DNS provider. The contract for a Domain Connect integration.
- HTTP-01 challenge
HTTP-01 proves domain control by serving a file at a special URL on port 80. Simplest ACME challenge but breaks on firewalled or wildcard hostnames.
Email & Deliverability (12 terms)
- ARC (Authenticated Received Chain)
ARC lets intermediaries (mailing lists, forwarders) preserve authentication signals so DMARC doesn't break when mail is relayed.
- BIMI (Brand Indicators)
BIMI displays your brand logo next to authenticated emails in supported inboxes. Requires DMARC enforcement plus a Verified Mark Certificate.
- DKIM (DomainKeys Identified Mail)
A cryptographic signature on outgoing email headers, verified against a public key in DNS. Proves the email actually came from someone authorized at the claimed sender domain.
- DKIM selector
A DKIM selector lets one domain publish many DKIM keys at once. Each selector is a label under _domainkey in the signing domain, naming a separate DNS record that holds its own public key.
- DMARC
A policy a domain publishes saying what receivers should do with mail that fails SPF and DKIM. The top layer of the email-authentication stack.
- DMARC alignment
DMARC alignment is the rule that SPF or DKIM has to validate against a domain that matches the From: header. Without alignment, spoofers slip through.
- DMARC policy
The DMARC policy tag tells receivers what to do with failing mail: do nothing, quarantine to spam, or reject outright. Most domains never make it past 'none'.
- DMARC reports (RUA / RUF)
DMARC's `rua=` collects aggregate XML reports; `ruf=` collects per-message forensic reports. You need rua to see what's going on; ruf is mostly dead.
- MTA-STS
MTA-STS forces sending mail servers to use TLS when delivering to your domain. Closes the downgrade-attack hole in SMTP.
- SPF (Sender Policy Framework)
A TXT record that lists which servers are allowed to send email from your domain. The first of the three email-authentication standards (SPF, DKIM, DMARC).
- SPF flattening
SPF flattening replaces include: references with raw IPs to dodge SPF's 10-DNS-lookup limit. Necessary evil for big senders; comes with maintenance debt.
- TLS-RPT
TLS-RPT collects daily reports of TLS delivery failures on your inbound mail. The visibility layer for MTA-STS deployments.
Domain Registration (9 terms)
- Domain expiration / grace period
After a domain expires, there's a ~30-day grace period where you can still renew at normal price. Miss that and you're in the $100-redemption window.
- Domain registrar
An ICANN-accredited company that sells domain names to the public. The middleman between you and the registry that operates a TLD.
- Domain transfer
Moving a domain from one registrar to another. Takes 5-7 days, requires unlocking the domain, getting an auth code, and approving the transfer.
- EPP auth code
The EPP auth code is the password that lets you transfer a domain between registrars. Always rotates after a transfer for security.
- ICANN
ICANN is the nonprofit that coordinates the global DNS root, accredits registrars, and decides what new TLDs get created.
- RDAP
RDAP is the modern, REST/JSON replacement for WHOIS. Same domain registration data, parseable format, with auth and rate limits built in.
- Registrar lock
A status flag at the registry that blocks transfers, deletions, and certain changes. The first line of defense against domain hijacking.
- TLD vs gTLD vs ccTLD
TLD is the umbrella term. gTLDs are generic (.com, .app, .shop), ccTLDs are country-coded (.uk, .de, .fr). Different rules and registrars apply.
- WHOIS
WHOIS is the legacy protocol for looking up who registered a domain. Mostly redacted now thanks to GDPR. RDAP is the modern replacement.
Performance & Routing (5 terms)
- CDN (Content Delivery Network)
A globally distributed cache that serves static (and sometimes dynamic) content from edge locations close to users. Reduces origin load and request latency.
- DNS failover
Auto-switching DNS to a backup origin when the primary fails health checks. Cheap multi-region failover, but DNS TTLs cap how fast it can be.
- DNS load balancing
Distributing traffic across multiple servers by returning different IPs in DNS responses. Cheap, but TTL caching makes it imprecise.
- Edge network
Distributed servers close to users that terminate TLS, run cache, and sometimes execute code. The serving layer in front of your origin.
- Latency-based routing
DNS routing that sends users to the nearest origin region by measured latency, not geography. The standard pattern for multi-region apps.
Security (7 terms)
- DNS hijacking
Attacker takes control of a domain's DNS to redirect traffic. Happens via stolen registrar credentials, BGP attacks, or compromised DNS hosts.
- DNS spoofing / cache poisoning
Injecting forged DNS responses into a resolver's cache so it returns the wrong IP for a domain. Mitigated by DNSSEC and source-port randomization.
- Dangling DNS record
A DNS record pointing at a target that's no longer under your control. The exact precondition for subdomain takeover.
- Domain reputation
How email providers, browsers, and search engines score a domain's trustworthiness. Affects deliverability, ranking, and whether warnings show in browsers.
- Email spoofing
Forging the From: address on email to impersonate a domain. The exact attack DMARC was designed to stop, when DMARC is actually enforced.
- Subdomain takeover
A vulnerability where a domain still points at a service that no longer owns the hostname, letting an attacker claim it. Custom-domain SaaS prevents this with re-verification.
- Typosquatting
Registering domains that are misspellings of legitimate brands (gooogle.com, paypa1.com) to trick users. Defended via defensive registration and UDRP.