This feature is available ✔️ for:
Role: Subscription Owner
Plan: Enterprise
We recommend setting up a custom domain if you share data with partners with stricter security requirements. This makes it easier for your partners' IT administrators to grant access to the shared content and gives you an additional custom branding option.
Before you begin
Tresorit takes care of the TLS certificate, which will be issued by Let's Encrypt. If your domain uses CAA (Certification Authority Authorization) DNS records, you must add the following data in your DNS provider's CAA settings:
In case there are multiple fields:
- Flags: 0
- Tag: issue
- Value: letsencrypt.org
In case of a single data field:
- 0 issue "letsencrypt.org"
For example in Azure:
Creating the chosen domain
To enable a custom domain for links in Tresorit, you need to define three DNS records. The first record is the domain your users will see when creating links, file requests, eSign requests, or encrypted emails. It should follow this pattern: subdomain.example.com, where example.com is your domain, which you need to have access to, and subdomain is your preferred subdomain for sharing (e.g. tresorit, share, or datashare).
Using inappropriate, misleading, or copyright-protected words is not allowed here. Before we enable the domains, they undergo manual verification.
To use a custom domain in Tresorit, you also need to set up api-subdomain.example.com and usercontent-subdomain.example.com.
Additionally, CNAMEs need to be configured for each of these three records. Tresorit will provide these as part of the setup process. For more information about CNAME configuration, see this article.
📝 Note: HTTP Strict Transport Security (HSTS) is strongly recommended for the specified domains.
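A pre-flight check for the records described above, as an added example (not Tresorit's tooling): it derives the three required hostnames from the link domain, confirms each has a CNAME, and checks that the CAA record set applying to each one permits letsencrypt.org. The zone lines, the `share` subdomain, `other-ca.example` and the `.invalid` CNAME targets are constructed placeholders; CAA answers reached through a CNAME target and critical-flag handling are left out.

```python
# Constructed zone lines; CNAME targets are placeholders (Tresorit supplies the real ones).
ZONE = """
example.com.            CAA   0 issue "other-ca.example"
share.example.com.      CNAME placeholder-1.invalid.
api-share.example.com.  CNAME placeholder-2.invalid.
"""

def parse(zone_text):
    """Map (owner name, record type) to a list of rdata strings."""
    records = {}
    for line in zone_text.strip().splitlines():
        name, rtype, rdata = line.split(None, 2)
        key = (name.rstrip(".").lower(), rtype.upper())
        records.setdefault(key, []).append(rdata.strip())
    return records

def required_hosts(link_domain):
    """The link domain plus its api- and usercontent- siblings."""
    sub, _, parent = link_domain.partition(".")
    return [link_domain, f"api-{sub}.{parent}", f"usercontent-{sub}.{parent}"]

def relevant_caa(records, host):
    """Climb from host toward the root; the first CAA set found applies."""
    labels = host.split(".")
    for i in range(len(labels)):
        rrset = records.get((".".join(labels[i:]), "CAA"))
        if rrset:
            return rrset
    return []

def issuer_allowed(rrset, ca="letsencrypt.org"):
    """No issue tags means unrestricted; otherwise the CA must be listed."""
    issuers = []
    for rdata in rrset:
        _flags, tag, value = rdata.split(None, 2)
        if tag.lower() == "issue":
            issuers.append(value.strip('"').split(";")[0].strip().lower())
    return not issuers or ca in issuers

def audit(zone_text, link_domain):
    """Per required host: is a CNAME present, and may Let's Encrypt issue?"""
    records = parse(zone_text)
    return {h: {"cname": (h, "CNAME") in records,
                "letsencrypt_allowed": issuer_allowed(relevant_caa(records, h))}
            for h in required_hosts(link_domain)}

if __name__ == "__main__":
    for host, result in audit(ZONE, "share.example.com").items():
        print(host, result)
```

With the sample zone, every host reports that Let's Encrypt is not permitted, and usercontent-share.example.com has no CNAME; adding `0 issue "letsencrypt.org"` at example.com and the third CNAME clears both findings.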
Verifying the custom domain and contacting our support team
You need to verify ownership of the domain you want to use in Tresorit. You can start the verification process in the Admin Center under the Settings tab. For detailed steps, see How to verify your email domain.
📝 Note: Verifying the record in DNS may take several hours. This depends on how quickly these changes can go live in the Domain Name System.
Once you have successfully verified the domain ownership, you can delete the TXT record from your DNS provider's settings. Then, you need to contact us so we can initiate the setup of your chosen domain and provide you with the necessary CNAMEs.
After the complete setup, you will see the following icon next to your chosen domain:
Provide whitelist information for your external partners
The three new domains should be whitelisted by your external partners. We can provide the IP addresses as part of the setup process.
Link creation with enabled custom domain
The user who creates a link, file request or eSign request will see the defined subdomain in the URL instead of the default web.tresorit.com. The web portal of encrypted emails will also display your chosen subdomain.
Restrictions and limitations
- The URLs of previously created links, file requests, eSign requests and encrypted emails won’t be migrated to the new format. These remain available under https://web.tresorit.com.
- If the data owner is not part of your subscription, your users won't be able to create links, file requests or eSign requests with a custom domain. These will be created under the default https://web.tresorit.com.
- If email verification is enabled for your shared links, file requests, eSign requests, or encrypted emails, both email verification and public SSO options (Google, Microsoft) are available. However, the recipient won’t be able to verify with their Tresorit account.
- The verified domain cannot be deleted after the custom domain is set up. You must contact our support team to disable it. Disabling the setup is not recommended as it will break the active shared links, file requests, eSign requests and encrypted emails.