I’m trying to understand how Shopify checks domain ownership when connecting external domains. When you go to Admin > Settings > Domains and add a custom domain, you need to create a CNAME record pointing to shops.myshopify.com on your DNS provider. Then you click the verify button in Shopify.
But here’s what I’m wondering - how does Shopify actually know that I’m the legitimate owner who created that CNAME record? What stops another Shopify store owner from trying to claim my domain? Is there some kind of unique verification token or does Shopify use a different method to prevent unauthorized domain connections?
I want to make sure I understand the security behind this process before setting up my custom domain.
The verification checks DNS propagation instead of using unique tokens. When you set up the CNAME record, Shopify does a DNS lookup to make sure your domain points to their servers. The security comes from the fact that only someone with admin access to your domain’s DNS can create or change these records. I did this last year and Shopify doesn’t just check once - they keep monitoring your DNS setup. If someone tried to steal your domain, they’d need access to your DNS panel at your registrar or host, which means they’d need your login info. Can’t create the CNAME record Shopify wants without that access. It’s pretty secure since whoever controls the DNS records owns the domain, not Shopify’s tokens.