Verify Your Email Domain for SSO
Before your team can log in with Single Sign-On just by typing their work email, CubePath needs to confirm that your organization really owns that email domain. You prove it by adding a TXT record to your domain's DNS and opening a support ticket so our team can check it and switch on SSO login for your domain.
This step protects everyone. It stops anyone from pointing another company's email domain at their own identity provider and intercepting their logins.
You should already have your SSO settings filled in under Organization → SSO. If you haven't, set that up first, then come back here to verify the domain.
What you'll need
- Access to your domain's DNS settings, wherever you manage records (your registrar, Cloudflare, Route 53, etc.).
- The email domain you want to use for SSO, for example
yourcompany.com.
Step 1: Add the verification TXT record
In your DNS provider, create a new TXT record:
| Field | Value |
|---|---|
| Type | TXT |
| Name / Host | _cubepath-verification |
| Value | cubepath-sso-verification |
| TTL | Default (for example 3600) |
So if your domain is yourcompany.com, you'd add a TXT record at _cubepath-verification.yourcompany.com with the value cubepath-sso-verification.
A few tips:
- Many DNS panels add your domain automatically, so enter just
_cubepath-verificationas the host, not the full_cubepath-verification.yourcompany.com. - DNS changes can take a few minutes to a few hours to take effect.
Step 2: Open a support ticket
From your dashboard, open a support ticket requesting domain verification, and include the email domain you want to verify (for example yourcompany.com).
Step 3: We verify and enable it
Our team checks that the TXT record is in place on your domain, then sets it as your organization's verified domain. Because the ticket comes from your account, this ties the domain to your organization. Once it's done, your domain shows as verified on the Organization → SSO page, and your team can log in just by entering their work email.
After verification you can remove the TXT record if you want, since it's only needed for the one-time check. Leaving it in place does no harm.
Troubleshooting
| Problem | What to check |
|---|---|
| Record not found | Confirm the host is exactly _cubepath-verification and that you didn't type the domain twice. Give DNS time to propagate before reporting it. |
| Value mismatch | The value must be exactly cubepath-sso-verification. |
| Domain already verified elsewhere | A domain can only be verified for one organization at a time. If it's tied to another account, mention it in your ticket so we can help. |