Skip to main content
surfbot.

Domain Verification

Why verification is required and how to prove ownership of your domain.

Why We Require Verification

Surfbot performs active security scanning — port scans, vulnerability checks, and more. To ensure this is only done on infrastructure you own or are authorized to test, we require domain ownership verification before any scans can run.

This protects both you and us:

  • You get assurance that nobody else can scan your domains through our platform
  • We maintain responsible scanning practices and legal compliance

Two-Tier Verification

Surfbot uses a two-tier system to balance security with usability.

Tier 1: Business Email Auto-Verification

If you register with a business email address (e.g., [email protected]), Surfbot automatically verifies yourcompany.com as your domain. No DNS changes, no file uploads — instant access.

This only works with business email domains. Generic providers (Gmail, Hotmail, Yahoo, etc.) are excluded and require Tier 2 verification.

Tier 2: DNS or HTTP Verification

If you registered with a generic email, or want to add a domain that doesn't match your email, use one of these methods:

The DNS method is the most reliable and doesn't require any changes to your web server.

Step 1: From your dashboard, navigate to the domain and copy the verification token. It looks like:

surfbot-verify=sb_abc123def456

Step 2: Add a TXT record to your domain's DNS:

TypeHost/NameValue
TXT_surfbot-verifysurfbot-verify=sb_abc123def456

Step 3: Wait for DNS propagation (usually 1–5 minutes, can take up to 48 hours with some providers).

Step 4: Click Verify in the dashboard.

You can confirm the record is set correctly:

dig TXT _surfbot-verify.yourcompany.com

HTTP File Verification

If you can't modify DNS, you can verify by hosting a file on your web server.

Step 1: Create the verification file at:

https://yourcompany.com/.well-known/surfbot-verify.txt

Step 2: The file contents should be your verification token:

sb_abc123def456

Step 3: Ensure the file is accessible via HTTPS (HTTP redirects to HTTPS are fine).

Step 4: Click Verify in the dashboard.

Verification Status

  • Pending — Verification has not been attempted yet
  • Verified — Domain ownership confirmed, scanning is enabled
  • Failed — Verification attempt failed (check your DNS/file and retry)
  • Expired — Verification tokens expire after 30 days if not used

Re-verification

Once verified, your domain stays verified unless:

  • You remove the DNS TXT record (we periodically re-check)
  • Your account is inactive for 90+ days
  • You manually remove and re-add the domain

Wildcard Domains

Verifying yourcompany.com automatically covers all subdomains (*.yourcompany.com). You don't need to verify each subdomain individually.

Previous

How It Works

Next

Scanning Pipeline

On this page