Is domain verification required?

Question

Is domain verification required?

petrbela opened this issue 4 years ago · 1 comments

In the client registration step, it says

Verify your REDIRECT_URI domain by uploading /.well-known/apple-developer-domain-association.txt to your server

I think that is only relevant for setting up Associated Domains to support either Universal Links or Shared Web Credentials. While it certainly won't do no harm, I don't think it's required for any use case of this library (correct me if I'm wrong), and thus can be removed from the wiki?

Answer 1 · 2020-08-08T19:48:39.000Z

I just noticed the domain verification is required for sending email through the relay. However, it seems the alternative verification through DNS might be easier, as the .well-known file has to be hosted on the naked domain, as explained in this article:

The only method that Apple provides for verifying domain ownership is to upload a unique file to a specific /.well-known/ URL hosted on your domain. That in itself isn't a problem, as this is a pretty standard approach to domain verification. The problem is that this site verification is needed for email whitelisting, and so it must be at the domain level (e.g. bscotch.net instead of www.bscotch.net).

To create an understandable user experience and prevent splitting SEO on your site, it is best practice to always use either your naked domain or the primary www (or whatever) subdomain for all of your URLs. Because naked domains aren't even real URLs (according to specs), best practice (or common practice, anyway) is to redirect subdomain-free requests to your www subdomain. Even Apple does this for apple.com, which redirects to www.apple.com.

And thus, the rub: you must verify a naked domain but Apple does not allow you to do so with a redirect (e.g. 301, 302, etc) to a non-naked one. In other words, you cannot verify your domain unless you host your site on your naked domain. It is likely that in any complex hosting case you cannot easily make this change without breaking a lot of things, and even if you can it's a bad move for SEO unless you can specifically only skip the redirect for this one URL.

Given that Apple needs us to verify domain ownership (not subdomain ownership) in order to properly whitelist email addresses, the appropriate way to do this is not to use the hosted-file approach (though that could be an option for sites using naked domains, or if Apple allowed redirects) but to instead use the standard approach of asking for a specific CNAME DNS record to be created.