About first-party domains

Learn about first-party domains and how to configure your own domains and SSL/TLS certificates for data collection and delivery solutions in the Tealium Customer Data Hub.

To use first-party domains, you must have access to update your DNS database entries. You will need to work with your Production Operations team or the person responsible for your domain registration and SSL/TLS certificates.

By default, the services offered in the Tealium Customer Data Hub are hosted on Tealium domains. When domain names don’t match the domain of your brand’s website, they are considered third-party domains. For example, the JavaScript files for Tealium iQ Tag Management are served from the domain tags.tiqcdn.com and the data collection endpoint for Tealium EventStream API Hub uses the domain collect.tealiumiq.com.

As new privacy regulations come out and as browsers begin limiting third-party capabilities, you might want to use your own domain to ensure that Tealium services are treated as first-party. First-party domains benefit from improved tracking and better compliance with browser privacy and cookie settings. Currently, only one first-party domain can be configured for an account.

Contact the Tealium Support Desk to enable first-party domains for your account.

How it works

To use your own domain name for tags.tiqcdn.com, you must create a CNAME entry in your DNS database. A CNAME record is an alias that maps one domain name to another. For example, for the website www.example.com, you would create a CNAME for tags.example.com that points to Tealium’s CDN to serve the files for iQ Tag Management.

For collect.tealiumiq.com, you add A records to your DNS configuration. An A record maps a domain name to the IP address for the domain.

A critical part of this configuration is the management of the SSL/TLS certificates, which are the public key certificates that authenticate your domain and allow browsers to establish encrypted HTTPS connections to it. The Tealium first-party domain feature helps you manage which domains you want to use with Tealium services and validates the SSL/TLS certificates for those domains.

When using first-party domains, make sure you are using the latest version of the Tealium Collect tag.

Managed and imported certificates

You configure first-party domains by either importing your own certificates or by requesting certificates to be managed by Tealium. Imported certificates work the same as managed certificates, but with one important exception: imported certificates are not automatically renewed.

To use your own certificates, you must have access to the following SSL/TLS certificate files:

  • PEM-encoded certificate
  • PEM-encoded, unencrypted private key
  • PEM-encoded certificate chain

To request certificates managed by Tealium, you must have access to edit your DNS entries or have access to receive email messages sent to the domain administrator.

Limits on domains per certificate

The maximum number of domains per certificate is determined when you sign up for first-party domains. The first-party domains overview screen shows the maximum number of domains per certificate. In the following example, no domains have been mapped and the maximum number of domains is 10.

[Screenshot: Platform permissions landing page]

Validate domain ownership

Before Tealium can issue a certificate for your site, you must prove that you own or control all the domains in your request. You can prove ownership using either DNS validation or email validation.

We recommend DNS validation because it is usually a quicker process and because sometimes it can be difficult to track down who in your organization has access to the administrative emails. However, if you don’t have access to edit your domain’s DNS database, then you must use email validation.

DNS validation

To use the DNS validation method, you must have access to edit your DNS configuration.

After you enter your domains, you are provided with validation CNAME records for each domain requested, which you must add to your DNS configuration.

After the DNS update for the validation CNAME records propagates (which may take several hours), the ownership is confirmed and permanent DNS records (CNAME records for tags.tiqcdn.com or A records for collect.tealiumiq.com) are provided in the DNS Confirmation screen. You must then add the permanent records to your DNS configuration.

Your DNS configuration must include the validation records and the permanent records. The validation records are used when you add domains to a certificate and for auto-renewal of the certificate.
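
The requirement above, that both the validation records and the permanent records stay in DNS, can be checked against a zone export. This is an added example, not Tealium code; the zone lines, record names, CNAME targets and IP addresses are constructed placeholders standing in for the values the product screens provide.

```python
from collections import namedtuple

Record = namedtuple("Record", "name rtype value")

def norm(host):
    return host.rstrip(".").lower()  # case-insensitive, no trailing root dot

def parse_zone(text):
    """Parse 'name [ttl] [IN] type value' lines; ';' starts a comment."""
    records = set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        name, *rest = fields or [""]
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]  # skip optional TTL and class
        if len(rest) >= 2:
            rtype, value = rest[0].upper(), rest[1]
            records.add(Record(norm(name), rtype, norm(value) if rtype == "CNAME" else value))
    return records

def audit(zone, expected):
    """Report every expected record that the zone does not contain exactly."""
    findings = []
    for role, wanted in expected.items():
        for rec in wanted:
            if rec not in zone:
                others = sorted(f"{r.rtype} {r.value}" for r in zone if r.name == rec.name)
                status = "name has only " + ", ".join(others) if others else "missing"
                findings.append(f"{role} record {rec.name} {rec.rtype} {rec.value}: {status}")
    return findings

# Constructed zone export: the collect validation CNAME and one A record are absent.
ZONE = """
tags.example.com.          3600 IN CNAME tags-target.placeholder.invalid.
_token-a.tags.example.com. 3600 IN CNAME token-a.validation.placeholder.invalid.
collect.example.com.       300  IN A     192.0.2.10
"""
# Constructed stand-ins for the values the product screens would provide.
V = "validation.placeholder.invalid"
EXPECTED = {
    "validation": [Record("_token-a.tags.example.com", "CNAME", "token-a." + V),
                   Record("_token-b.collect.example.com", "CNAME", "token-b." + V)],
    "permanent": [Record("tags.example.com", "CNAME", "tags-target.placeholder.invalid"),
                  Record("collect.example.com", "A", "192.0.2.10"),
                  Record("collect.example.com", "A", "192.0.2.11")],
}

if __name__ == "__main__":
    print("\n".join(audit(parse_zone(ZONE), EXPECTED)))
```

A missing validation record is the finding that goes unnoticed longest, because the site keeps working until the managed certificate comes up for auto-renewal.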

Email validation

To use email validation, you must be able to receive email messages at one of the contact addresses listed in the WHOIS database for each of your requested domains. The email addresses that will receive a message include:

  • administrator@your_domain
  • hostmaster@your_domain
  • postmaster@your_domain
  • webmaster@your_domain
  • admin@your_domain

You will receive an email message (one for each domain) from Amazon Web Services containing a validation token that expires in 72 hours. If you do not receive the email or the token has expired, return to the main screen and click Resend Email.

Data collection domains

Use first-party domains with Tealium EventStream API Hub and Tealium AudienceStream CDP for first-party data collection.

The following data collection services and domains can be mapped to your first-party domain:

| Tealium Service | Third-Party Domain | First-Party Example |
|---|---|---|
| Tealium Collect | collect.tealiumiq.com | collect.example.com |

To use first-party domains with other services, such as the View-Through Extension, contact the Tealium Support Desk.

Tag management delivery domains

Use first-party domains with Tealium iQ Tag Management to maintain core functionality in the face of stricter browser privacy policies, such as ITP, and ad blockers.

The following tag management services and domains can be mapped to your first-party domain:

| Tealium Service | Third-Party Domain | First-Party Example |
|---|---|---|
| iQ Tag Management Files (utag.js, utag.sync.js, utag.#.js) | tags.tiqcdn.com | tags.example.com |

This page was last updated: January 24, 2023