This feature is available ✔️ for:
Role: Subscription Owner
Plan: Enterprise
If you're sharing data with partners that have stricter security requirements, we suggest setting up a custom domain. This makes it easier for IT administrators of your partners to allow access to the shared content, and it also provides you with an additional custom branding option.
How to set up a custom domain
Before you begin
Tresorit will handle the TLS certificate, which will be issued by Let's Encrypt. If you are using CAA (DNS Certification Authority Authorization) records, you must add the following data in your DNS provider's CAA settings:
In case there are multiple fields:
- Flags: 0
- Tag: issue
- Value: letsencrypt.org
In case of a single data field:
- 0 issue "letsencrypt.org"
For example in Azure:
Creating the chosen domain
To enable a custom domain for links in Tresorit, you must define three DNS records. The first record is the domain that your users will see when they create shared links, file requests, eSign requests or encrypted emails. It should follow this pattern: subdomain.example.com. Here, "example.com" is your domain, to which you need to have access, and "subdomain" is your preferred subdomain for sharing, such as 'tresorit', 'share', or 'sharing'.
It's not permitted to use any inappropriate, misleading, or copyright-protected words here. Before we enable the domains, they undergo manual verification.
To use a custom domain in Tresorit, you also need to set up "api-subdomain.example.com" and "usercontent-subdomain.example.com".
Additionally, CNAMEs must be configured for each of these three records. Tresorit will provide these as part of the setup process. To find more information about CNAME configuration, we recommend visiting this article.
📝 Note: HTTP Strict Transport Security (HSTS) is strongly recommended for the given domains.
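The following pre-flight check is an added example, not Tresorit's own tooling. It takes a planned record set and reports which of the three required hostnames lack a CNAME and whether the CAA set that applies to each one permits letsencrypt.org, using the RFC 8659 rule that the first CAA set found while walking up from the hostname is the one that counts. The zone data, the CA name ca.example.net and the CNAME targets are constructed placeholders, and only records in your own zone are inspected.

```python
# Added example: pre-flight check of planned DNS records. All records below are constructed.
LETS_ENCRYPT = "letsencrypt.org"

def required_hosts(share_host):
    """The three hostnames the article asks for, derived from the sharing host."""
    return [share_host, "api-" + share_host, "usercontent-" + share_host]

def relevant_caa(records, name):
    """Walk from name towards the root and return the first CAA record set found (RFC 8659)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        found = [data for (o, rtype, data) in records if o == owner and rtype == "CAA"]
        if found:
            return found
    return []

def lets_encrypt_allowed(records, name):
    """True if CAA leaves Let's Encrypt free to issue a (non-wildcard) certificate for name."""
    issuers = [value.split(";")[0].strip().lower()
               for (_flags, tag, value) in relevant_caa(records, name) if tag.lower() == "issue"]
    # No CAA set at all, or one without any "issue" property, does not restrict issuance.
    return not issuers or LETS_ENCRYPT in issuers

def check(records, share_host):
    """Return a list of problems; an empty list means the records match the article."""
    problems = []
    for host in required_hosts(share_host):
        if not any(o == host and rtype == "CNAME" for (o, rtype, _d) in records):
            problems.append(host + ": CNAME missing")
        if not lets_encrypt_allowed(records, host):
            problems.append(host + ": CAA does not allow " + LETS_ENCRYPT)
    return problems

# Constructed zone: CAA pins a hypothetical CA, and the usercontent- record was forgotten.
BEFORE = [
    ("example.com", "CAA", (0, "issue", "ca.example.net")),
    ("share.example.com", "CNAME", "cname-target-1.invalid"),      # placeholder target
    ("api-share.example.com", "CNAME", "cname-target-2.invalid"),  # placeholder target
]
# Same zone after adding the Let's Encrypt CAA record and the third CNAME.
AFTER = BEFORE + [
    ("example.com", "CAA", (0, "issue", "letsencrypt.org")),
    ("usercontent-share.example.com", "CNAME", "cname-target-3.invalid"),
]

if __name__ == "__main__":
    for label, zone in (("before", BEFORE), ("after", AFTER)):
        print(label, check(zone, "share.example.com") or "ok")
```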
Verifying the custom domain and contacting our Support Team
You need to verify the ownership of the domain which you intend to use in Tresorit. You can start the verification process in the Admin Center under the Settings tab.
For the detailed steps, visit: How to verify your email domain
📝 Note: It might take several hours to check the record in the DNS, depending on how fast these changes go live in the Domain Name System.
Once you have successfully verified the domain ownership, you can delete the TXT record from your DNS provider's settings. After this, you need to contact us so we can initiate the setup of your chosen domain and provide you with the necessary CNAMEs.
After the setup is complete, you will see the following badge next to your chosen domain.
Provide allowlist information for your external partners
The three new domains should be allowlisted by your external partner. We can provide the IP addresses as part of the setup process.
Link creation with enabled custom domain
The user who creates a shared link, a file request or an eSign request will see the defined subdomain in the URL instead of the default web.tresorit.com. The web portal of the encrypted emails will also display your chosen subdomain.
Restrictions and limitations
- The URLs of the previously created shared links, file requests, eSign requests and encrypted emails won’t be migrated to the new format.
- The created shared links, file requests, eSign requests and encrypted emails will still be available under https://web.tresorit.com as well.
- If the owner of the data does not belong to your subscription, your users won’t be able to create shared links, file requests or eSign requests with a custom domain. These will be created under the default https://web.tresorit.com/ domain.
- If email verification is activated for your shared link, file request, eSign request or encrypted email, both the verification via email option and the public SSO (Google, Microsoft) options will be available, but the recipient won’t be able to verify themselves with their Tresorit account.
- The verified domain cannot be deleted after the custom domain setup. You need to contact our support team to disable it first. Disabling the setup is not recommended, because the active shared links, file requests, eSign requests and encrypted emails will be broken.