{"slug":"domain-ownership","title":"Domain ownership","tags":["tailscale"],"agent_summary":"Last validated: Aug 22, 2025","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Domain ownership\r\n\r\nLast validated: Aug 22, 2025\r\n\r\nWhen you create your Tailscale network, also known as a tailnet, your user domain becomes part of\r\nyour [Tailscale identity](https://tailscale.com/docs/concepts/tailscale-identity).\r\n\r\n**The guidance in this topic also applies for Tailscale accounts based on GitHub organizations, GitHub personal accounts, and for single-user tailnets based on email/user identity.**\r\n\r\nEnsure that you maintain control of your domain, to prevent malicious takeover\r\nof your tailnet.\r\n\r\n## [How your domain is used](https://tailscale.com/docs/concepts/domain-ownership\\#how-your-domain-is-used)\r\n\r\nTailscale requires you to show ownership and control of a user's domain when signing up with a [custom OIDC identity provider](https://tailscale.com/docs/integrations/identity/custom-oidc), or when requesting help from our support team for certain issues. Depending on your request, we will ask you to do one of the following actions:\r\n\r\n- Set DNS TXT records.\r\n- Respond to a confirmation email sent to a `*@example.com` email address. For example, an email sent\r\nfrom Tailscale support to the owner admin of a tailnet when another user of the tailnet is\r\nrequesting some action in the tailnet.\r\n- Set up a WebFinger endpoint.\r\n\r\nFor verification of [GitHub organization](https://docs.github.com/en/get-started/learning-about-github/types-of-github-accounts#organization-accounts), the owner of the tailnet must also be an admin of the GitHub organization.\r\n\r\nOnce your tailnet is created, your domain is always associated with the tailnet, and\r\nyou need to maintain control over and use of your domain for the lifetime of your\r\ntailnet.\r\n\r\n## [Mitigating tailnet risk from a malicious takeover](https://tailscale.com/docs/concepts/domain-ownership\\#mitigating-tailnet-risk-from-a-malicious-takeover)\r\n\r\nTo help mitigate the impact of a malicious actor gaining control of your domain, there are several\r\nsettings you can use with your tailnet:\r\n\r\n- Enable [device approval](https://tailscale.com/docs/features/access-control/device-management/device-approval) so that an admin can review and approve new devices before they can join the tailnet.\r\n- Enable [user approval](https://tailscale.com/docs/features/access-control/user-approval) so that an admin can review and approve new users before they can join the tailnet.\r\n- Use [Tailnet Lock](https://tailscale.com/docs/features/tailnet-lock) to verify that no device is added to your tailnet without being signed by a trusted device already in your tailnet.\r\n\r\nFor general guidance on securing your tailnet, refer to\r\n[Best practices to secure your tailnet](https://tailscale.com/docs/reference/best-practices/security).\r\n\r\n## [If you no longer use your domain](https://tailscale.com/docs/concepts/domain-ownership\\#if-you-no-longer-use-your-domain)\r\n\r\nIf you need to change domain names or relinquish an old name and move to a new name,\r\n[contact support](https://tailscale.com/contact/support?type=domainchange) so we can rename the tailnet for you.\r\n\r\nIf you delete your domain, your tailnet is not automatically deleted. If you want to delete your tailnet, you need to explicitly [delete your tailnet](https://tailscale.com/docs/account/delete-tailnet).\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Domain ownership</h1>\n<p>Last validated: Aug 22, 2025</p>\n<p>When you create your Tailscale network, also known as a tailnet, your user domain becomes part of\r\nyour <a href=\"https://tailscale.com/docs/concepts/tailscale-identity\">Tailscale identity</a>.</p>\n<p><strong>The guidance in this topic also applies for Tailscale accounts based on GitHub organizations, GitHub personal accounts, and for single-user tailnets based on email/user identity.</strong></p>\n<p>Ensure that you maintain control of your domain, to prevent malicious takeover\r\nof your tailnet.</p>\n<h2><a href=\"https://tailscale.com/docs/concepts/domain-ownership#how-your-domain-is-used\">How your domain is used</a></h2>\n<p>Tailscale requires you to show ownership and control of a user's domain when signing up with a <a href=\"https://tailscale.com/docs/integrations/identity/custom-oidc\">custom OIDC identity provider</a>, or when requesting help from our support team for certain issues. Depending on your request, we will ask you to do one of the following actions:</p>\n<ul>\n<li>Set DNS TXT records.</li>\n<li>Respond to a confirmation email sent to a <code>*@example.com</code> email address. For example, an email sent\r\nfrom Tailscale support to the owner admin of a tailnet when another user of the tailnet is\r\nrequesting some action in the tailnet.</li>\n<li>Set up a WebFinger endpoint.</li>\n</ul>\n<p>For verification of <a href=\"https://docs.github.com/en/get-started/learning-about-github/types-of-github-accounts#organization-accounts\">GitHub organization</a>, the owner of the tailnet must also be an admin of the GitHub organization.</p>\n<p>Once your tailnet is created, your domain is always associated with the tailnet, and\r\nyou need to maintain control over and use of your domain for the lifetime of your\r\ntailnet.</p>\n<h2><a href=\"https://tailscale.com/docs/concepts/domain-ownership#mitigating-tailnet-risk-from-a-malicious-takeover\">Mitigating tailnet risk from a malicious takeover</a></h2>\n<p>To help mitigate the impact of a malicious actor gaining control of your domain, there are several\r\nsettings you can use with your tailnet:</p>\n<ul>\n<li>Enable <a href=\"https://tailscale.com/docs/features/access-control/device-management/device-approval\">device approval</a> so that an admin can review and approve new devices before they can join the tailnet.</li>\n<li>Enable <a href=\"https://tailscale.com/docs/features/access-control/user-approval\">user approval</a> so that an admin can review and approve new users before they can join the tailnet.</li>\n<li>Use <a href=\"https://tailscale.com/docs/features/tailnet-lock\">Tailnet Lock</a> to verify that no device is added to your tailnet without being signed by a trusted device already in your tailnet.</li>\n</ul>\n<p>For general guidance on securing your tailnet, refer to\r\n<a href=\"https://tailscale.com/docs/reference/best-practices/security\">Best practices to secure your tailnet</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/concepts/domain-ownership#if-you-no-longer-use-your-domain\">If you no longer use your domain</a></h2>\n<p>If you need to change domain names or relinquish an old name and move to a new name,\r\n<a href=\"https://tailscale.com/contact/support?type=domainchange\">contact support</a> so we can rename the tailnet for you.</p>\n<p>If you delete your domain, your tailnet is not automatically deleted. If you want to delete your tailnet, you need to explicitly <a href=\"https://tailscale.com/docs/account/delete-tailnet\">delete your tailnet</a>.</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}