DomainAttest
v1 · stable · open specification

Proving you own a domain should take one second.

DomainAttest is an open protocol that lets any registrar issue a signed, short-lived attestation that an account controls a domain — and lets any marketplace verify it instantly. No TXT records. No propagation. No stale verifications.

Read the specification Why it exists
 Seller                Marketplace              Registrar
   │                       │                        │
   │  list domain          │                        │
   ├──────────────────────>│                        │
   │                       │  redirect (OAuth)      │
   │<──────────────────────┤                        │
   │                                                │
   │  log in with existing account + 2FA, approve   │
   ├───────────────────────────────────────────────>│
   │                       │                        │
   │                       │   signed ownership     │
   │                       │      attestation       │
   │                       │<───────────────────────┤
   │                       │                        │
   │                  verify signature,             │
   │                  listing goes live             │

ES256-signed · expires in minutes · valid for one marketplace only

How it works

A profile of the OAuth 2.0 authorization code flow with PKCE. No new cryptography, no new identity system, no bearer secrets to phish.

  1. A seller chooses “Verify with your registrar” on a marketplace.
  2. The marketplace redirects to the registrar with a request naming the domain and the marketplace.
  3. The seller signs in to the registrar the way they always do, including any 2FA on the account.
  4. The registrar confirms the account controls the domain and returns a signed attestation: this account controls this domain, now, for this marketplace.
  5. The marketplace validates the signature against the registrar’s published keys and publishes the listing. Under five seconds, end to end.

Design principles

DNS verification vs DomainAttest

DNS verificationDomainAttest
TimeMinutes to daysSeconds
Seller effortManual record editsOne click
ProvesDNS control, onceRegistrar-of-record ownership, now
FreshnessStale foreverRenewable on demand
Failure modeMistyped records, propagationStandard OAuth errors
Fraud surfacePasses with hijacked DNSRequires registrar signature
Infrastructure per marketplaceCustom polling systemsSignature validation
StandardEvery marketplace rebuilds itOne open protocol

Implement it

Registrars

Expose one authorization endpoint and one token endpoint over your existing login, and publish a JWKS. Typical effort with a modern auth stack: two to four engineering weeks.

Implementation checklist →

Marketplaces

Validate registrar-signed attestations per the spec, or integrate the DomainAttest Hub once and gain coverage of every connected registrar, current and future.

Protocol flow →

Live implementations

Atom operates the reference implementation (registrar + marketplace) and the DomainAttest Hub. Add yours by pull request.

IMPLEMENTATIONS.md →

Questions people ask

Why not just keep using DNS?
DNS verification proves control of a zone file at one moment in the past. It is slow, error-prone, passes under hijacked DNS, and goes stale silently. The registrar’s own records are the source of truth; DNS was only ever a proxy for them.
Is this a new identity system?
No. It is a profile of OAuth 2.0 with signed tokens, the same pattern behind “sign in with Google,” applied to a question registrars can already answer.
What if a seller’s registrar does not support it?
DNS verification still works as a fallback. DomainAttest adds a fast path; it does not remove the old one. Coverage grows registrar by registrar.

One layer, not the whole stack

DomainAttest does not replace marketplace differentiation. It standardizes exactly one commodity layer: proving who owns a domain. Marketplaces still compete on discovery, pricing, negotiation, escrow, and experience — they simply stop rebuilding the same verification system, badly, over and over.

The registrar already knows who owns the domain. Now there is a protocol that lets them say so.