Email Domain Verification is a paid feature. If you’re using Infisical Cloud,
then it is available under the Pro Tier. If you’re self-hosting Infisical,
then you should contact sales@infisical.com to purchase an enterprise license
to use it.
Overview
Email Domain Verification allows organizations to prove ownership of their email domains (e.g., company.com) through DNS verification. Once verified, the domain is exclusively linked to your organization, enabling:
- Secure SSO login — Users can log in via SAML, OIDC, or LDAP using just their work email. Infisical automatically routes them to the correct organization’s identity provider.
- SCIM provisioning — SCIM user provisioning requires a verified email domain to ensure only authorized organizations can manage users.
- Simplified login experience — Users enter their work email to log in via SSO.
How It Works
Email domain verification uses DNS TXT records to prove ownership. The flow is:
- Add a domain — Enter the domain you want to verify (e.g., company.com).
- Get a verification code — Infisical generates a unique verification code and DNS record name.
- Add a DNS TXT record — Add the verification record to your domain’s DNS configuration.
- Verify — Infisical checks the DNS TXT record and marks the domain as verified.
DNS Record Format
| Field | Value |
|---|---|
| Record Type | TXT |
| Record Name | _infisical-verification.yourdomain.com |
| Record Value | infisical-domain-verification=<verification-code> |
Some DNS providers automatically append your domain to the record name. In
that case, enter only _infisical-verification as the host/name.
Setting Up Email Domain Verification
Navigate to Email Domain Settings
Go to Organization Settings → SSO → scroll down to the Email Domains section.

Add an Email Domain
Click Add domain and enter the domain you want to verify (e.g., company.com).
Click Add Domain to create the verification request.
Copy DNS Verification Details
After adding the domain, click the eye icon (View details & Verify) on the pending domain row.
A modal will show you the DNS TXT record details:

- Record Name — The DNS hostname to add the TXT record to.
- Record Value — The verification string to use as the TXT record value.


Add the DNS TXT Record
Go to your domain’s DNS management panel (e.g., Cloudflare, Route 53, GoDaddy) and add a new TXT record with the copied values.
| Setting | Value |
|---|---|
| Type | TXT |
| Name/Host | _infisical-verification (or _infisical-verification.yourdomain.com) |
| Value/Content | infisical-domain-verification=<your-code> |
| TTL | Auto or 3600 |
DNS changes can take up to 48 hours to propagate, though most providers update within minutes.
Verify the Domain
Return to the Infisical Email Domains section and click View details & Verify on the pending domain.
Click the Verify Domain button. Infisical will perform a DNS TXT lookup to confirm the record exists and matches.
Once verified, the domain status changes to Verified and it’s exclusively linked to your organization.

SSO Login with Email Domain
Once your domain is verified, users can log in via SSO by entering their work email instead of an organization slug.
Enter Work Email
Enter your full work email (e.g., you@company.com). Infisical extracts the domain and looks up the verified domain to find your organization’s SSO configuration.
Domain Hierarchy
Email domains are verified at the exact domain level:
- Verifying company.com covers only user@company.com — not user@sub.company.com.
- Each subdomain must be verified separately if you want SSO to work for subdomain email addresses.
- You can verify both a parent domain and its subdomains independently.
Platform-Level Uniqueness
Each domain can only be verified by one organization across the entire Infisical instance:
- If Organization A verifies company.com, Organization B cannot verify or claim the same domain.
- This prevents cross-organization user provisioning attacks where a malicious org could claim users by email domain.
SCIM Integration
When SCIM provisioning is enabled, email domain verification is required:
- SCIM POST /Users requests are validated against the organization’s verified domains.
- If the user’s email domain is not verified by the SCIM token’s organization, the request is rejected.
- SCIM PATCH and PUT operations that change a user’s email are blocked — email is treated as an immutable identifier.
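The rules from Domain Hierarchy, Platform-Level Uniqueness and SCIM Integration, modelled together as an added example (not Infisical's own code). The class and method names, the org ids and the lowercase normalization of domains are assumptions made for illustration.

```python
# Added example: a minimal model of the documented domain rules.
# Names and the lowercase normalization are assumptions, not Infisical's API.


class DomainRegistry:
    def __init__(self):
        self._owner = {}  # verified domain -> owning organization id

    @staticmethod
    def normalize(domain):
        return domain.strip().lower().rstrip(".")

    @classmethod
    def email_domain(cls, email):
        # Split on the last "@" so a quoted local part cannot spoof the domain.
        local, sep, domain = email.rpartition("@")
        if not sep or not local or not domain:
            raise ValueError(f"not an email address: {email!r}")
        return cls.normalize(domain)

    def verify(self, org, domain):
        """Claim a domain; False if another organization already holds it."""
        owner = self._owner.setdefault(self.normalize(domain), org)
        return owner == org

    def org_for_email(self, email):
        """SSO routing: exact-domain lookup, no parent/subdomain fallback."""
        return self._owner.get(self.email_domain(email))

    def scim_create_allowed(self, org, email):
        """POST /Users: the email domain must be verified by the token's org."""
        owner = self.org_for_email(email)
        return owner is not None and owner == org

    @staticmethod
    def scim_update_allowed(current_email, requested_email):
        """PATCH/PUT: email is immutable, so any change is rejected."""
        return requested_email is None or requested_email == current_email
```

Because lookups are exact, a suffix check such as `endswith("company.com")` would be the wrong model: it would route `user@sub.company.com` and `user@evilcompany.com` to the same organization.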
FAQ
What happens if DNS verification fails?
If the DNS TXT record is not found or doesn’t match, verification will fail with an error message.
Common causes include DNS propagation delays (wait and retry), incorrect record name (some providers
auto-append the domain), or extra whitespace/quotes in the record value.
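A pre-check for the causes listed in this answer, as an added example that is not Infisical's own code. The function names and status strings are assumptions, and the live helper assumes `dig` is installed; `diagnose` works on answers you pass in, so it can be tested offline.

```python
# Added example (not Infisical code): pre-check a verification TXT record.
import shlex
import subprocess

LABEL = "_infisical-verification"
PREFIX = "infisical-domain-verification="


def lookup_txt(name):
    """Live lookup via dig; each answer's quoted strings are joined."""
    out = subprocess.run(["dig", "+short", "TXT", name],
                         capture_output=True, text=True, check=False).stdout
    return ["".join(shlex.split(line)) for line in out.splitlines() if line.strip()]


def diagnose(domain, code, txt_by_name):
    """Classify the TXT answers in txt_by_name ({queried name: [values]})."""
    expected = PREFIX + code
    name = f"{LABEL}.{domain}"
    doubled = f"{name}.{domain}"  # provider appended the zone to a full name
    values = txt_by_name.get(name, [])
    if expected in values:
        return "ok"
    cleaned = [v.strip().strip('"').strip() for v in values]
    if expected in cleaned:
        return "whitespace-or-quotes"
    if any(v.startswith(PREFIX) for v in cleaned):
        return "wrong-code"
    if expected in txt_by_name.get(doubled, []):
        return "name-doubled"
    return "not-found"


def check_live(domain, code):
    """Run the same diagnosis against real DNS (requires dig and network)."""
    name = f"{LABEL}.{domain}"
    names = [name, f"{name}.{domain}"]
    return diagnose(domain, code, {n: lookup_txt(n) for n in names})
```

A `not-found` result shortly after adding the record usually means propagation has not finished; `name-doubled` means the host field should contain only `_infisical-verification`.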
Can I verify a domain that's already verified by another organization?
No. Each domain is platform-unique. If another organization has already
verified a domain, you’ll receive an error when trying to add it. Contact your
Infisical administrator to resolve domain ownership conflicts.
What happens if I delete a verified domain?
Deleting a verified domain removes the domain claim from your organization.
SSO login via that domain will stop working, and SCIM provisioning for users
with that domain will be blocked. Another organization could then verify and
claim the domain.
Do I need to verify domains for email/password login?
No. Email domain verification is required only for SSO (SAML, OIDC, LDAP) and
SCIM provisioning flows. Email/password login is not affected.
Does verifying a parent domain cover all subdomains?
No. Each subdomain must be verified independently. Verifying company.com
does not automatically cover app.company.com or dev.company.com.