Domain verification
How Brektra proves you own the targets you scan. DNS TXT records, edge cases, troubleshooting.
Brektra refuses to scan any host you have not proven you control. This keeps us out of the third-party-attack business and keeps you out of court.
How verification works
When you add a target, Brektra generates a unique TXT record. You add that record to the domain's DNS at the apex (or any subdomain you want verified). The verifier polls every 10 seconds while you wait, and the target flips to verified the moment the record propagates.
Verification persists. Brektra re-checks the record at the start of every scan; if it is missing, the scan refuses to launch. This protects you if a target is sold or transferred while a scheduled scan is queued.
Apex vs subdomain
Most teams verify the apex (example.com) because it implicitly covers
every subdomain. If you only want a specific subdomain scoped, verify
that subdomain alone (app.example.com).
Cloud-managed DNS
For Cloudflare, Route53, GCP DNS, or Azure DNS, add a TXT record under
the same hostname as the target. TTL 300 seconds is fine.
Common issues
Heads up. TXT record exists but verification fails: check that the record value matches exactly, including the brektra-site-verification= prefix. Some DNS UIs auto-quote; the value should be a single string with no extra quotes.
- Propagation delay. TXT records can take up to a few minutes. We poll for 10 minutes before timing out; if you exceed that, click Re-check.
- DNSSEC. Validators do not interfere; if your provider mangles TXTs, switch to a different RR set or contact support@brektra.com.
- Wildcard domains. Add the TXT at the parent zone, not at the wildcard.
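To see why a published record does not match exactly, the helper below classifies each line of `dig +short TXT <host>` output against the value you were given. It is an added example, not Brektra's verifier code; the token `EXAMPLE-TOKEN-0000`, the sample records, and the status names are constructed placeholders.

```python
import re

PREFIX = "brektra-site-verification="      # prefix named on this page
EXPECTED = PREFIX + "EXAMPLE-TOKEN-0000"   # constructed placeholder, not a real token

# One quoted character-string in dig's presentation format (\" and \DDD escapes).
_CHUNK = re.compile(r'"((?:[^"\\]|\\.)*)"')
_ESCAPE = re.compile(r'\\(\d{3}|.)')

def _unescape(m):
    g = m.group(1)
    return chr(int(g)) if len(g) == 3 and g.isdigit() else g

def parse_txt_line(line):
    """Split one `dig +short TXT` line into its decoded character-strings."""
    return [_ESCAPE.sub(_unescape, c) for c in _CHUNK.findall(line)]

def classify(line, expected=EXPECTED):
    """Say why one TXT record does or does not equal the expected value."""
    strings = parse_txt_line(line)
    if not strings:
        return "unparsed"
    joined = "".join(strings)
    if joined == expected:
        # The page asks for a single string, so a split record is flagged separately.
        return "match" if len(strings) == 1 else "split-into-multiple-strings"
    cleaned = joined.strip().strip("\"'").strip()
    if cleaned == expected:
        return "extra-quotes-or-whitespace"   # typical result of a UI auto-quoting
    if cleaned == expected[len(PREFIX):]:
        return "missing-prefix"
    if cleaned.startswith(PREFIX):
        return "wrong-token"
    return "unrelated"

def diagnose(dig_output, expected=EXPECTED):
    """Map every non-blank line of dig output to its classification."""
    return {ln: classify(ln, expected) for ln in dig_output.splitlines() if ln.strip()}

# Constructed sample output for a hypothetical zone; no real records.
SAMPLE = r'''
"v=spf1 include:_spf.example.com ~all"
"\"brektra-site-verification=EXAMPLE-TOKEN-0000\""
"brektra-site-verification=" "EXAMPLE-TOKEN-0000"
"EXAMPLE-TOKEN-0000"
"brektra-site-verification=EXAMPLE-TOKEN-9999"
'''

if __name__ == "__main__":
    for record, status in diagnose(SAMPLE).items():
        print(f"{status:30} {record}")
```

Any status other than `match` on the record you added points at what to correct in the DNS UI before clicking Re-check.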
Aggressive Mode
Aggressive Mode requires a second confirmation step where you toggle the explicit Aggressive flag on the verified domain. This is the gate between Safe payloads and destructive ones.