Domain Verification

Before Fence can scan your domains, you must verify ownership. This prevents unauthorized scanning and abuse.

Why Domain Verification?

Domain verification ensures:
- Security - Only authorized users can scan domains they own
- Compliance - Prevents unauthorized security testing (CFAA compliance)
- Trust - Protects against abuse and malicious scanning

Verification Methods

Fence offers two verification methods. Choose the one that works best for your workflow.

Method 1: DNS TXT Record

Best for: DevOps teams, automated workflows, permanent verification

How it works:
1. Add a TXT record to your domain's DNS settings
2. Fence queries DNS to verify the record exists
3. Once verified, the record can remain indefinitely

Steps:

  1. Log in to your DNS provider (Cloudflare, Route53, Google Domains, etc.)

  2. Add a new TXT record:
     - Type: TXT
     - Name: _fence-verify or _fence-verify.yourdomain.com
     - Value: Your unique verification token (shown in Fence dashboard)
     - TTL: 3600 (1 hour) or Auto

  3. Save the DNS record

  4. Wait 5-15 minutes for DNS propagation

  5. Return to Fence and click Verify Domain

Example DNS Record:

Type: TXT
Name: _fence-verify.example.com
Value: fence-verify-abc123def456
TTL: 3600

Verification Command (optional - test DNS propagation):

dig TXT _fence-verify.example.com

# Or with specific nameserver
dig @8.8.8.8 TXT _fence-verify.example.com
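
An added example, not part of Fence's documentation or code: a Python helper that interprets the output of the dig command above (run with +short) and separates the failure cases listed under Troubleshooting. The function names, result labels and sample outputs are assumptions for illustration, and treating any CNAME at the name as a failure follows this page's advice rather than documented Fence behaviour.

```python
import re
import subprocess

PREFIX = "_fence-verify"  # record label from this page

def record_name(domain: str) -> str:
    """Fully qualified TXT name to look up for a domain."""
    return f"{PREFIX}.{domain.strip().rstrip('.').lower()}"

def run_dig(domain: str, server: str = "") -> str:
    """Run the page's dig command with +short; needs dig and network access."""
    cmd = ["dig", "+short", "TXT", record_name(domain)]
    if server:
        cmd.insert(1, f"@{server}")
    return subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout

def classify(dig_short_output: str, token: str) -> str:
    """Return 'verified', 'cname-conflict', 'wrong-token' or 'not-found'."""
    txt_values, has_cname = [], False
    for line in dig_short_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank lines and dig comments
        if line.startswith('"'):
            # One TXT record may be split into several quoted strings; join them.
            parts = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
            txt_values.append("".join(parts))
        else:
            has_cname = True  # +short prints a CNAME target unquoted
    if has_cname:
        return "cname-conflict"
    if token in txt_values:
        return "verified"
    return "wrong-token" if txt_values else "not-found"

# Constructed sample outputs (not captured from a real zone)
SAMPLES = {
    "ok": '"fence-verify-abc123def456"\n',
    "split": '"fence-verify-" "abc123def456"\n',
    "stale": '"fence-verify-000000000000"\n',
    "cname": 'verify.hosting.example.net.\n"fence-verify-abc123def456"\n',
    "empty": "",
}

if __name__ == "__main__":
    for label, out in SAMPLES.items():
        print(label, "->", classify(out, "fence-verify-abc123def456"))
```
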

Method 2: HTML Meta Tag (Easier)

Best for: Quick verification, websites with easy HTML access, testing

How it works:
1. Add a meta tag to your website's HTML <head> section
2. Fence fetches your homepage and checks for the meta tag
3. Tag must remain in place for ongoing verification

Steps:

  1. Copy your verification token from the Fence dashboard

  2. Add this meta tag to your website's <head> section:
    <meta name="fence-verify" content="YOUR_VERIFICATION_TOKEN">

  3. Deploy your changes to production

  4. Return to Fence and click Verify Domain

Example HTML:

<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <meta name="fence-verify" content="fence-verify-abc123def456">
    <title>My Website</title>
    <!-- Rest of your head section -->
</head>
<body>
    <!-- Your content -->
</body>
</html>

Verification Check (optional - test with curl):

curl -s https://example.com | grep fence-verify
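
An added example, not Fence's own code: the grep check above also matches a tag that is only created by JavaScript, which the Troubleshooting section says does not count, or one left inside an HTML comment. This Python check parses the static HTML and accepts a fence-verify meta tag only inside <head>; the class, function and result names and the sample pages are assumptions, as is the strictness about <head>.

```python
from html.parser import HTMLParser

class MetaTokenFinder(HTMLParser):
    """Collect fence-verify meta tags that are real tags inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "meta" and self.in_head:
            a = dict(attrs)
            if (a.get("name") or "").lower() == "fence-verify":
                self.tokens.append(a.get("content") or "")

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def check_page(html: str, token: str) -> str:
    """Return 'verified', 'wrong-token', 'not-in-static-head' or 'missing'."""
    finder = MetaTokenFinder()
    finder.feed(html)
    finder.close()
    if token in finder.tokens:
        return "verified"
    if finder.tokens:
        return "wrong-token"
    # String present (grep would match) but not as a parsed tag in <head>.
    return "not-in-static-head" if "fence-verify" in html else "missing"

TOKEN = "fence-verify-abc123def456"  # example token from this page
TAG = f'<meta name="fence-verify" content="{TOKEN}">'
# Constructed sample pages
PAGES = {
    "static": f"<html><head>{TAG}<title>t</title></head><body></body></html>",
    "commented": f"<html><head><!-- {TAG} --></head><body></body></html>",
    "scripted": "<html><head><script>document.head.insertAdjacentHTML("
                f"'beforeend', '{TAG}');</script></head><body></body></html>",
    "in_body": f"<html><head></head><body>{TAG}</body></html>",
    "absent": "<html><head><title>t</title></head><body></body></html>",
}

if __name__ == "__main__":
    for label, page in PAGES.items():
        print(label, "->", check_page(page, TOKEN))
```
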

Comparison

| Feature | DNS TXT Record | HTML Meta Tag |
|---|---|---|
| Setup Time | 5-15 minutes (DNS propagation) | Immediate (after deployment) |
| Technical Level | Moderate | Easy |
| Permanence | Permanent (set and forget) | Requires HTML access |
| Subdomains | Supports wildcard verification | Requires tag on each subdomain |
| Best For | DevOps teams, production sites | Quick testing, simple sites |

Troubleshooting

DNS Verification Fails

Problem: "DNS record not found" error after 15 minutes

Solutions:
1. Check DNS propagation: Use dnschecker.org to verify global propagation
2. Verify record format: Ensure TXT record name is _fence-verify.yourdomain.com (NOT just _fence-verify)
3. Check TTL: Some DNS providers cache aggressively. Try reducing TTL to 300 seconds
4. Nameserver check: Verify DNS changes with dig @8.8.8.8 TXT _fence-verify.example.com
5. CNAME conflicts: Remove any CNAME records on the same name (a name that has a CNAME cannot also hold a TXT record)

HTML Meta Tag Verification Fails

Problem: "Meta tag not found" error

Solutions:
1. View source: Visit your website and view page source (Ctrl+U). Search for "fence-verify"
2. Deployment check: Ensure changes were deployed to production (not just staging)
3. CDN cache: If using Cloudflare/CDN, purge cache and wait 5 minutes
4. Redirect check: Ensure domain redirects to HTTPS are working (Fence fetches via HTTPS)
5. JavaScript rendering: Meta tag must be in static HTML, not added by JavaScript

Re-Verification

Domains are automatically re-verified:
- Every 30 days for active domains
- Before each scan if verification is older than 30 days
- On demand when you click "Re-verify"

If verification fails:
- Scans are paused until re-verified
- You'll receive email notifications
- Domain status shows "Verification Required"

Removing Verification

When you delete a domain from Fence:
- You can remove the DNS TXT record or meta tag
- Fence will no longer scan the domain
- Historical scan data is retained for compliance

Multiple Subdomains

Option 1: Verify each subdomain individually
- Add TXT record for each: _fence-verify.api.example.com, _fence-verify.app.example.com
- Or add meta tag to each subdomain's HTML

Option 2: Wildcard DNS verification (Enterprise/Custom tiers)
- Add single TXT record: _fence-verify.example.com
- Verifies all subdomains: api.example.com, app.example.com, etc.

Security Notes

- Token security: Verification tokens are public (visible in DNS/HTML). They only prove domain ownership; they are not authentication credentials.
- Token rotation: Tokens never expire unless you manually regenerate them.
- Shared hosting: If using shared hosting, ensure only authorized users can modify DNS/HTML.

FAQs

Q: Can I use the same verification token for multiple domains?
A: No, each domain gets a unique token. This prevents accidental cross-domain verification.

Q: What happens if I remove the verification record?
A: Fence will fail re-verification and pause scans until you restore the record.

Q: Can I verify a domain I don't own?
A: No. You must have DNS control or HTML deployment access to verify ownership.

Q: Do I need to verify subdomains separately?
A: Yes, unless you have Enterprise/Custom tier with wildcard verification.

Q: How long does verification take?
A: DNS verification: 5-15 minutes (DNS propagation). Meta tag: Immediate after deployment.

Next Steps

Once verified:
- Run your first scan
- Set up notifications
- Configure alert rules
