First-Party CNAME Setup in 5 Minutes: A Walkthrough
A first-party tracking domain bypasses ITP, ATT, and ad blockers in one DNS change. Step-by-step setup for Cloudflare, Route 53, Namecheap, and GoDaddy.
A first-party CNAME tracking domain is the single highest-leverage DNS change a DTC brand can make. One CNAME record bypasses Safari ITP cookie expiration, dodges ad-blocker filterlists, and lifts pixel match rates by 10–15 percentage points — combined with server-side conversions, it recovers most of the signal that browser-side pixels lose to ATT, ITP, and blockers.
This is the walkthrough. We will go from "I have never touched DNS" to "verified first-party tracking domain" in five steps and about five minutes of DNS propagation time. Pick your DNS provider (Cloudflare, Route 53, Namecheap, GoDaddy) — exact field names are below. For the canonical reference, see the first-party CNAME documentation.
TL;DR
- A first-party tracking domain is a subdomain on your apex (e.g., track.yourbrand.com) that points to the analytics platform's collector.
- Cookies set by your tracking domain are first-party on the browser — they are not subject to Safari ITP's 7-day cap.
- Network requests to your tracking domain do not match common ad-blocker filterlists — they look like requests to your own infrastructure.
- Setup is one CNAME record, followed by a verification ping. Typical propagation: 1–15 minutes.
- Compounds on top of server-side conversions for an additional 10–15 points of recovered signal.
What you actually get from a first-party CNAME
Browser tracking has been steadily degrading since 2020. The three forces are well-documented:
- Safari ITP caps script-set cookies at 7 days; cross-site redirects further restrict them.
- iOS ATT broke the IDFA pathway for in-app browsers and degraded cross-domain identity.
- Ad blockers (uBlock, Brave, Firefox ETP) block requests to known pixel hosts.
A first-party CNAME flips the bit on all three:
- For ITP: cookies set by track.yourbrand.com are first-party cookies on yourbrand.com — the user's own session. Safari does not apply the 7-day cap to first-party session cookies. A returning visitor 30 days later still has the same _admx_uid.
- For ATT: ATT prompts apply to third-party tracking domains. A subdomain of your store's apex domain is first-party. The prompt either does not fire or has no enforceable effect.
- For ad blockers: blocker filterlists target hostnames like connect.facebook.net, analytics.tiktok.com, and cdn.shopify.com/s/files/tracking. Your subdomain is not on any list. Requests succeed.
The cumulative effect: 10–15 additional percentage points of conversion signal recovered on top of server-side. Combined, server-side + CNAME typically restores 85-95% of the signal that browser-only pixels lose to modern privacy tooling.
Before you start
You need three things:
- DNS access for your apex domain. Wherever the domain is registered (Cloudflare, Route 53, Namecheap, GoDaddy, etc.) — log in.
- Your Admaxxer collector hostname. Find this in Settings → Integrations → First-Party Domain. It will look like collector.admx-edge.net (specific to your workspace).
- A subdomain you want to use. Common choices: track.yourbrand.com, data.yourbrand.com, tr.yourbrand.com. We recommend track. — short, semantically clear, low collision risk with existing services.
Do NOT use:
- email.yourbrand.com (collides with Klaviyo/SendGrid).
- cdn.yourbrand.com (collides with image CDNs).
- The apex itself (yourbrand.com cannot be CNAME'd — RFC 1912).
- A subdomain already in use (check your DNS records first).
Step 1: Open your DNS provider
Sign in. Navigate to the DNS records page for your apex domain. The path differs by provider:
- Cloudflare: Dashboard → select your domain → DNS → Records.
- Amazon Route 53: Hosted zones → click your domain → Create record.
- Namecheap: Domain List → Manage next to your domain → Advanced DNS.
- GoDaddy: My Products → next to your domain, DNS → scroll to DNS Management.
You should see a list of existing records (A, AAAA, MX, TXT, CNAME). You are about to add one new CNAME.
Step 2: Add the CNAME record
Click "Add Record" (or "Create Record" / "Add New Record" — the button name varies).
Configure:
- Type: CNAME
- Name/Host: the subdomain you chose, without the apex. For track.yourbrand.com, enter track. (Cloudflare and Route 53 accept either track or track.yourbrand.com; Namecheap and GoDaddy expect just track.)
- Value/Target/Points to: your Admaxxer collector hostname (e.g., collector.admx-edge.net). Get this from Integrations.
- TTL: Use the default (auto, 300, or 3600 — all are fine). Lower TTLs propagate faster.
- Proxy status (Cloudflare only): Set to "DNS only" (gray cloud). Do NOT proxy through Cloudflare — the proxy strips the SNI handshake our edge needs for TLS certificate provisioning. Click the orange cloud once to switch to gray.
Save the record. Cloudflare confirms instantly; Route 53/Namecheap/GoDaddy may take 1–2 minutes to write.
Step 3: Verify DNS propagation
DNS changes propagate globally over 1–15 minutes, occasionally longer. Verify from the command line:
dig CNAME track.yourbrand.com +short
# Expected output: collector.admx-edge.net
Or use a web tool: dnschecker.org, enter track.yourbrand.com, select CNAME, and verify it resolves correctly across multiple geographic checkpoints. Green checks across all regions = global propagation complete.
If dig returns empty after 15 minutes, something is wrong. The most common causes:
- You entered the full FQDN in the Name field of a provider that expects just the prefix (track.yourbrand.com.yourbrand.com is the bug).
- You created an A record instead of a CNAME (A records point to IPs; you need CNAME for hostnames).
- The record was created but not saved.
Step 4: Run the in-app verification
Go to Settings → Integrations → First-Party Domain. In the Custom Tracking Domain panel:
- Enter the subdomain you configured (e.g., track.yourbrand.com).
- Click Verify Domain.
The verifier performs three checks:
- DNS CNAME resolution. Confirms the record points to your collector hostname.
- TLS certificate issuance. Our edge requests a Let's Encrypt cert for your subdomain; this typically completes in 30–90 seconds. You will see "Provisioning certificate..." then a green check.
- Healthcheck ping. A test HTTP request to https://track.yourbrand.com/_admx_healthcheck should return 200 OK with a JSON body. The verifier handles this automatically.
When all three checks pass, the panel shows Verified with a green badge.
Step 5: Switch the pixel to first-party mode
Once verified, the panel reveals a toggle: Enable first-party mode for the pixel collector. Flip it on.
This rewrites the pixel snippet on your store from https://collector.admx-edge.net/... to https://track.yourbrand.com/.... The change is live on your store within 60 seconds (we cache the collector hostname for one minute on the edge).
To confirm the pixel is using the first-party domain:
- Open your store in a private browser window.
- Open DevTools → Network tab.
- Filter requests by track.yourbrand.com.
- Trigger a page view; you should see one or more requests to track.yourbrand.com/event.
If you still see requests to collector.admx-edge.net, hard-refresh (Cmd+Shift+R) — your browser cached the previous pixel script.
What changes about cookies once it is verified
Before first-party mode, the pixel set cookies like _admx_uid on a third-party host. Safari treated them as third-party cookies (7-day cap, blocked entirely in some configurations).
After first-party mode:
- The pixel sets cookies on track.yourbrand.com directly.
- Those cookies are first-party on your apex domain (yourbrand.com) because the subdomain shares the apex.
- Safari ITP does not cap them. Cookies persist for the full max-age set by the server (we use 730 days).
- Returning visitors retain their _admx_uid even after 30+ days of inactivity. Cross-session attribution windows now work as documented.
You will see this in analytics within 24–48 hours: returning-visitor revenue starts being correctly attributed to the campaigns that originally acquired them.
What to do when verification fails
The four most common failure modes and fixes:
"DNS not propagated" — wait another 15 minutes. If still failing, re-check the record at your DNS provider; the most common cause is an incorrect value or a typo'd hostname.
"TLS provisioning failed" — usually a Cloudflare proxy issue. Click the orange cloud next to the CNAME record to switch it to gray "DNS only." Re-run verification.
"Healthcheck returned non-200" — confirm the CNAME value matches exactly the collector hostname shown in Integrations. A trailing dot is fine; a trailing space or hidden character (paste artifact) breaks the match.
"Apex CNAME error" — you tried to CNAME the apex domain itself (e.g., yourbrand.com not track.yourbrand.com). RFC 1912 forbids this. Use a subdomain.
If none of these apply, the in-app verifier surfaces the raw error and our support team can help. Open a chat from the in-app help drawer.
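The record mistakes listed under Step 3 and in the failure modes above can be caught before the record is saved. The following pre-flight check is an added example, not Admaxxer's verifier: the function names are hypothetical, the provider behaviour is modelled only on what this walkthrough states, and treating `@` or an empty Name field as the apex is an assumption.

```python
import unicodedata

# Providers that, per the walkthrough, expect only the prefix in the Name field.
PREFIX_ONLY = {"namecheap", "godaddy"}
# Prefixes the walkthrough says to avoid because other services use them.
RESERVED = {"email", "cdn"}


def effective_fqdn(provider, name_field, apex):
    """FQDN the provider will create for what was typed in the Name field."""
    name = name_field.strip().rstrip(".").lower()
    apex = apex.rstrip(".").lower()
    if provider.lower() in PREFIX_ONLY:
        return f"{name}.{apex}"      # apex is always appended
    if name == apex or name.endswith("." + apex):
        return name                  # full name accepted as typed
    return f"{name}.{apex}"


def hidden_chars(value):
    """Whitespace, control and format characters that break an exact match."""
    return [f"U+{ord(c):04X}" for c in value
            if c.isspace() or unicodedata.category(c) in ("Cc", "Cf")]


def preflight(provider, rtype, name_field, target, apex, collector):
    """Return the list of problems with a record before it is saved."""
    issues = []
    apex_l = apex.rstrip(".").lower()
    fqdn = effective_fqdn(provider, name_field, apex)
    if rtype.upper() != "CNAME":
        issues.append("record type must be CNAME, not " + rtype.upper())
    if fqdn == apex_l or name_field.strip() in ("", "@"):  # "@"/empty: assumed apex
        issues.append("apex cannot be a CNAME; use a subdomain")
    elif fqdn.endswith(f".{apex_l}.{apex_l}"):
        issues.append(f"doubled apex: record would be created as {fqdn}")
    elif fqdn.split(".")[0] in RESERVED:
        issues.append(f"'{fqdn.split('.')[0]}' collides with another service")
    bad = hidden_chars(target)
    if bad:
        issues.append("hidden characters in target: " + ", ".join(bad))
    elif target.rstrip(".").lower() != collector.rstrip(".").lower():
        issues.append("target does not match the collector hostname")
    return issues


if __name__ == "__main__":  # constructed input: full name on a prefix-only provider
    print(preflight("GoDaddy", "CNAME", "track.yourbrand.com",
                    "collector.admx-edge.net ", "yourbrand.com", "collector.admx-edge.net"))
```

An empty list means the entry is consistent with the walkthrough; a trailing dot on the target is accepted, while a trailing space or zero-width character is reported by code point.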
Compounding with server-side conversions
A first-party CNAME by itself recovers ~10–15 points of pixel signal. Server-side conversions recover another 20–30 points by bypassing the browser entirely. Together they recover ~85–95% of what browser-only pixels lose to ATT, ITP, and blockers.
The two work in sequence:
- The first-party CNAME ensures the browser pixel fires reliably for the conversions where the browser is reachable.
- Server-side conversions cover the conversions where the browser was blocked, ITP-evicted, or ATT-suppressed.
- The shared event_id deduplicates between the two so no conversion is double-counted.
Setting up server-side after you have CNAME verified is straightforward — the integrations panel handles the platform-side configuration; the canonical reference is the server-side tracking docs.
Caveats
A CNAME does not survive a domain migration. If you move your store from yourbrand.com to yournewbrand.com, you must redo this setup on the new apex. (Cookies do not migrate either — that is a domain change, not a CNAME issue.)
Also: if your store is on a subdomain (e.g., shop.yourbrand.com is the storefront, yourbrand.com is a marketing site), use a subdomain on the storefront apex. track.shop.yourbrand.com is correct; track.yourbrand.com would be cross-origin to the storefront and lose the first-party benefit.
Finally: do NOT proxy the CNAME through a CDN (Cloudflare proxy, Fastly, BunnyCDN). The TLS handshake needs to terminate at our edge for cert issuance and SNI routing to work. DNS-only mode is the correct configuration.
FAQs
Q: How long does propagation take?
A: 1–15 minutes is typical. Worst case (DNS providers with longer TTLs or registry-level caching) is up to 24 hours, though we rarely see that in practice.
Q: Can I use a CNAME on a subdomain of my Shopify store?
A: Yes — Shopify does not own the subdomain. You set the CNAME at your DNS provider (where your apex is registered), and Shopify is unaware. The pixel script will resolve to your tracking domain regardless of Shopify's own DNS.
Q: Will this affect SEO or our other domains?
A: No. The tracking subdomain is a new subdomain — it does not affect search indexing on your apex. Cookies on the tracking subdomain are scoped to that subdomain and do not interfere with cookies set by your storefront.
Q: What if I already have a tracking domain set up with Stape or Hyros?
A: You can keep both temporarily during migration. Set up the Admaxxer CNAME on a different subdomain (e.g., analytics.yourbrand.com), verify it, run both in parallel for a week to compare, then disable the legacy one.
Q: Does the CNAME replace server-side tracking?
A: No — they are complementary. The CNAME makes the browser pixel more durable; server-side gives you a backup channel that works even when the browser is fully blocked. Use both.