First-party CNAME tracking on Admaxxer — your domain, your cookies, included on every plan
If your pixel requests are being blocked by uBlock Origin, Brave Shield, NextDNS, or your visitor’s corporate DNS resolver — or if Safari is clearing your analytics cookies after 24 hours — the fix is to move the pixel onto your own domain. Admaxxer’s first-party CNAME mode does this in three steps: pick a subdomain, add a CNAME record, copy the new pixel snippet. TLS is auto-issued by our Caddy edge in seconds via Let’s Encrypt. Included on every plan from $9/mo.
What is first-party CNAME?
The default Admaxxer pixel loads from cdn.admaxxer.com and posts events to collect.admaxxer.com. That works — until any of the following intercepts the request:
- Safari ITP (Intelligent Tracking Prevention). Safari treats `cdn.admaxxer.com` and `collect.admaxxer.com` as third-party domains in the visitor’s context (because they don’t match the storefront’s eTLD+1). First-party cookies set via JavaScript on a known tracker domain are clamped to 24 hours or dropped entirely.
- Ad blockers. uBlock Origin, AdGuard, Brave Shield, and the major filter lists (EasyList, EasyPrivacy) maintain blocklists of known analytics domains. `collect.admaxxer.com` will eventually land on one. Once it does, every visitor running an ad blocker stops sending events.
- DNS-level blocklists. NextDNS, Pi-hole, AdGuard DNS, and most enterprise DNS resolvers block requests to tracker domains at the DNS layer, before TLS, before HTTP.
- In-app browsers. Instagram, Facebook, and TikTok in-app browsers run their own restricted JavaScript context that’s tighter than Safari ITP.
First-party CNAME flips the model. You pick a subdomain on your own domain — conventionally t.yourbrand.com or track.yourbrand.com — and CNAME it at the Admaxxer edge. The pixel script and the collect endpoint now serve from your domain. Three things change:
- Cookies are first-party. The pixel sets cookies on `yourbrand.com` (the eTLD+1 of your storefront and the subdomain). Safari treats them as the same site. ITP doesn’t clamp the lifespan.
- Ad-blocker filter lists don’t target your domain. uBlock and friends maintain blocklists of known tracker domains. They don’t blanket-block every subdomain of every brand — that would break too much of the open web.
- The request is first-hop. No DNS-level blocker has `yourbrand.com` on its list. The visitor’s browser sees a same-site request to your own domain.
First-party CNAME is included on every Admaxxer plan from $9/mo. The same capability is sold by Stape at $20–500/mo per store and by Cloudflare for SaaS as an enterprise-only contract.
How Admaxxer’s Caddy edge auto-issues TLS
The technical concern with first-party CNAME is TLS — the visitor’s browser will hit https://t.yourbrand.com/... and demand a valid certificate for that hostname. Admaxxer runs a Caddy server on our infrastructure that handles this automatically:
- You CNAME `t.yourbrand.com` at your DNS provider, pointing to `tracking-edge.admaxxer.com`. That subdomain resolves to our Hetzner box on the East-Oregon / Hillsboro IP.
- Our DNS verifier worker polls your CNAME every ~30 seconds. As soon as it resolves to us, the row in our `first_party_domains` table flips from `pending` to `verified`.
- The first visitor hits `https://t.yourbrand.com/pixel.js`. Caddy receives the TLS handshake, asks our internal API “is this hostname verified for cert issuance?”, gets a 200, and requests a fresh certificate from Let’s Encrypt via the standard HTTP-01 challenge.
- Let’s Encrypt issues the certificate in 5-30 seconds (it’s a fully automated CA). Caddy stores the cert in a persistent volume and serves it on every subsequent handshake.
- Renewals happen automatically 30 days before expiry. You never see them. No cert-rotation cron to maintain on your side.
This is the same model GitHub Pages, Vercel, Netlify, and Heroku use for custom domains — ACME on-demand TLS. It’s the standard pattern for SaaS platforms that host customer-owned subdomains. Why it’s safe:
- Every cert request is authorized. Caddy doesn’t issue certs for arbitrary hostnames; it asks our database first. Only hostnames in `first_party_domains` with `verifiedAt IS NOT NULL` are issued. Probing traffic and abuse attempts are rejected before they reach Let’s Encrypt.
- You own the DNS. Only you can point the CNAME at us. If you remove the CNAME (or change DNS providers), the cert eventually expires and we stop being able to serve the hostname. There’s no way for someone else to impersonate your subdomain.
- The cert is for your hostname only. Let’s Encrypt issues a single-name certificate for `t.yourbrand.com`. We don’t use wildcard certs across customers, and the cert is bound to that subdomain alone.
- You can revoke at any time. Removing the domain in Admaxxer’s dashboard flips the row to `revoked`; future TLS handshakes return a TLS error and traffic stops. You can also remove the CNAME at your DNS provider for the same effect.
Operator detail: the Caddy edge is a self-hosted Docker container on the same Hetzner box as the rest of the Admaxxer stack. The Caddy storage volume (issued certs + ACME account key) is backed up nightly — certificate persistence is load-bearing because Let’s Encrypt rate-limits issuance at 50 certs per registered domain per week, and a lost volume on a 200-merchant footprint would mean a week of partial outages.
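The database gate described above, as an added example that is not Admaxxer’s code: Caddy’s `on_demand_tls` global option takes an `ask` URL, and before it orders a certificate for a hostname it sends `GET <ask-url>?domain=<hostname>` and proceeds only on an HTTP 200. The handler below answers that request from an in-memory stand-in for the `first_party_domains` table. The row layout (a `status` column alongside `verified_at`), the sample hostnames and the port are assumptions made for this example.

```python
"""Hostname gate for on-demand TLS, modelled on Caddy's `ask` endpoint.

Added example, not Admaxxer's code. Caddy calls GET <ask-url>?domain=<hostname>
before requesting a certificate and only proceeds on HTTP 200, so this handler is
what stands between probing traffic and the Let's Encrypt rate limit.
The table rows and hostnames below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import parse_qs, urlparse
import ipaddress
import re

# Hostname syntax: letter/digit/hyphen labels, no leading or trailing hyphen,
# at least one dot. Anything else is rejected before the table is consulted.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


@dataclass(frozen=True)
class FirstPartyDomain:
    hostname: str
    status: str                       # "pending" | "verified" | "revoked" (assumed column)
    verified_at: Optional[datetime]   # NULL until the CNAME resolves to the edge


def normalize_hostname(raw: str) -> Optional[str]:
    """Canonicalise what Caddy hands us; None means 'not a plain hostname'."""
    name = raw.strip().lower().rstrip(".")
    if not name or len(name) > 253 or not _HOSTNAME_RE.match(name):
        return None
    try:
        ipaddress.ip_address(name)   # "203.0.113.7" passes the regex but is an IP literal
        return None
    except ValueError:
        return name


def issuance_allowed(raw_hostname: str, rows: dict[str, FirstPartyDomain]) -> bool:
    """Exact-match lookup: only a row that is 'verified' AND has verified_at set passes."""
    name = normalize_hostname(raw_hostname)
    if name is None:
        return False
    row = rows.get(name)
    if row is None:
        return False
    # Status and timestamp are checked together so a row flipped to 'revoked'
    # (or back to 'pending') is denied even though verified_at is still populated.
    return row.status == "verified" and row.verified_at is not None


class AskHandler(BaseHTTPRequestHandler):
    rows: dict[str, FirstPartyDomain] = {}   # bound per server by make_server()

    def do_GET(self) -> None:
        domain = parse_qs(urlparse(self.path).query).get("domain", [""])[0]
        # 200 lets Caddy continue to the ACME order; any other status denies it.
        self.send_response(200 if issuance_allowed(domain, self.rows) else 403)
        self.end_headers()

    def log_message(self, fmt, *args) -> None:   # keep the example quiet
        pass


def make_server(rows: dict[str, FirstPartyDomain], port: int = 0) -> HTTPServer:
    handler = type("BoundAskHandler", (AskHandler,), {"rows": rows})
    return HTTPServer(("127.0.0.1", port), handler)


NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)

# Constructed sample of the first_party_domains table.
SAMPLE_ROWS = {
    "t.yourbrand.com": FirstPartyDomain("t.yourbrand.com", "verified", NOW),
    "track.otherbrand.example": FirstPartyDomain("track.otherbrand.example", "pending", None),
    "t.revoked.example": FirstPartyDomain("t.revoked.example", "revoked", NOW),
}

if __name__ == "__main__":
    for probe in ("t.yourbrand.com", "T.YourBrand.com.", "track.otherbrand.example",
                  "t.revoked.example", "www.yourbrand.com", "203.0.113.7", "evil/../x"):
        verdict = "200 allow" if issuance_allowed(probe, SAMPLE_ROWS) else "403 deny"
        print(f"{probe!r:30} -> {verdict}")
    # To serve Caddy for real: make_server(SAMPLE_ROWS, 8080).serve_forever()
```

Two details carry the rate-limit protection: the lookup is an exact match on a normalised hostname, so probes with mixed case, trailing dots, path junk or bare IP literals never reach the ACME client; and a row passes only when its status is `verified` and `verified_at` is set, so flipping the row to `revoked` denies the next handshake immediately even though the timestamp stays populated.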
How to set up your tracking subdomain
The setup is three steps. Plan on ~5 minutes of clicking and ~5-30 minutes of waiting for DNS propagation.
Step 1: Pick a subdomain
Conventional choices: t.yourbrand.com, track.yourbrand.com, data.yourbrand.com. Two rules:
- Must be a subdomain, not the apex. You can’t CNAME `yourbrand.com` itself (DNS standards forbid CNAMEs on apex / zone-root records). The subdomain is where the pixel will serve from; your apex is untouched and your storefront keeps working exactly as it does today.
- One subdomain per pixel site. If you run multiple storefronts on Admaxxer, you can connect a different subdomain for each — or use the same one if they’re actually one brand in two locales.
Avoid using www, shop, store, or any subdomain you already use for production traffic — the CNAME will take that subdomain over and existing traffic will start hitting our edge instead.
Step 2: Add the CNAME record at your DNS provider
In your DNS provider’s dashboard (Cloudflare, GoDaddy, Namecheap, Route53, Google Domains, Vercel DNS, Porkbun, etc.), add a single record:
| Field | Value | Notes |
|---|---|---|
| Type | CNAME | |
| Name / Host | t (or your chosen prefix) | Some providers want just the label (t); others want the full name (t.yourbrand.com). Both work. |
| Target / Value | tracking-edge.admaxxer.com | Always exactly this. Don’t add https:// or a trailing dot — CNAME values are hostnames, not URLs. |
| TTL | 300 or Automatic | 5 minutes is fine. Higher TTLs delay verification on first add. |
| Proxy / Cloudflare orange-cloud | Off | If you’re on Cloudflare, set the proxy status to “DNS only” (grey cloud). Cloudflare’s proxy will intercept TLS otherwise and break the ACME HTTP-01 challenge. |
Save the record. Most DNS providers propagate in 1-5 minutes; some take up to 60 minutes globally (the historic TTL on your zone determines this).
Step 3: Add the domain in Admaxxer
- Open /integrations and find the First-party tracking domain panel.
- Click Add a domain.
- Enter your subdomain (`t.yourbrand.com`) and pick which pixel site it belongs to.
- Click Add domain. The row appears with a Verifying DNS… pill.
- Our worker polls your CNAME every ~30 seconds. As soon as it resolves to our edge, the pill flips to Verified with a green dot.
- Once verified, the panel shows your new pixel snippet — identical to the default snippet but pointing at `t.yourbrand.com` instead of `cdn.admaxxer.com`. Copy and paste it into your storefront (replacing the old snippet), or update the WordPress plugin / Shopify Custom Pixel config to use the new endpoint.
The first visitor that hits https://t.yourbrand.com/pixel.js triggers our Caddy edge to request the TLS cert. Subsequent requests are served from the cached cert.
Troubleshooting DNS verification
If the panel sits on Verifying DNS… for more than ~15 minutes, one of these is true:
CNAME pointing at the wrong target
The most common mistake. The target must be exactly tracking-edge.admaxxer.com — not admaxxer.com, not cdn.admaxxer.com, not app.admaxxer.com. Verify with dig t.yourbrand.com +short; you should see tracking-edge.admaxxer.com. in the output (note the trailing dot — that’s a fully-qualified domain name in DNS notation).
DNS propagation delay
Your old DNS state is still cached in resolvers around the world. If your zone’s historic TTL was 24 hours, some resolvers will keep serving the “no record” answer for that long. The Admaxxer worker polls authoritative DNS (not your local cache), so verification typically succeeds within a few minutes — but global propagation can take longer. Wait 30-60 minutes before assuming something else is wrong.
Conflicting record at the same name
Some DNS providers don’t error when you add a CNAME on a name that already has an A or TXT record — they just silently keep both, and the resolver picks one. If you have an A record at t.yourbrand.com from a previous experiment, delete it; the CNAME won’t work cleanly until you do.
Cloudflare proxy enabled
If you’re on Cloudflare and the proxy status is set to “Proxied” (orange cloud), Cloudflare terminates TLS itself and our Caddy edge never receives the handshake — so the ACME HTTP-01 challenge can’t complete. Switch the record to DNS only (grey cloud). Your apex domain’s proxy status is untouched.
Apex hostname submitted
The panel will reject yourbrand.com — you cannot CNAME the apex. Pick a subdomain prefix.
Hostname already in use
Each first-party domain can only be linked to one Admaxxer workspace. If you previously added the same hostname under a different workspace, remove it there first.
Re-check after a fix
The panel has a Re-check button on every pending row. Hit it after fixing the underlying DNS issue and you’ll get an immediate verification poll instead of waiting for the next 30-second tick.
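The verifier’s decision, as an added example that is not Admaxxer’s worker code: the function below runs the checks from the troubleshooting cases above over the authoritative answers for a submitted name and returns a status plus a reason that could be surfaced next to the Verifying DNS… pill. It takes a `query` callback so it can run here against a constructed in-memory zone (`SAMPLE_ZONE`, using documentation-range IPs); a real worker would plug in a resolver that asks the zone’s authoritative servers, as the page says the Admaxxer worker does. The reason codes are names chosen for this example.

```python
"""CNAME verification for a tracking subdomain, as an added example.

Not Admaxxer's verifier. It classifies the authoritative records at a name into
'verified' or 'pending' plus a reason matching the troubleshooting cases.
`query(name)` abstracts the resolver; here it reads a constructed zone snapshot.
"""
from typing import Callable

EDGE_TARGET = "tracking-edge.admaxxer.com"   # the only acceptable CNAME target
MAX_CHAIN = 8                                 # bound on CNAME hops when resolving the edge

Record = tuple[str, str]                      # (rtype, rdata)
Zone = dict[str, list[Record]]


def canon(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Foo.Example.' == 'foo.example'."""
    return name.strip().lower().rstrip(".")


def classify(hostname: str, query: Callable[[str], list[Record]]) -> tuple[str, str]:
    """Return (status, reason); status is 'verified' or 'pending'."""
    name = canon(hostname)
    rrset = query(name)
    types = {rtype for rtype, _ in rrset}

    # A zone root carries SOA/NS and can never hold a CNAME (RFC 1034 s3.6.2),
    # so report "apex submitted" instead of a confusing "wrong target".
    if types & {"SOA", "NS"}:
        return "pending", "apex_hostname"

    cnames = [canon(rdata) for rtype, rdata in rrset if rtype == "CNAME"]
    if not cnames:
        if types & {"A", "AAAA"}:
            # Address records but no CNAME: either a stale record, or a proxying
            # provider (Cloudflare orange-cloud) flattened the CNAME into its own
            # addresses. Either way the edge never receives the TLS handshake.
            return "pending", "no_cname_address_records_present"
        return "pending", "no_cname_yet"          # not published or not propagated

    if types - {"CNAME"}:
        # Provider silently kept an old A/TXT record alongside the new CNAME.
        return "pending", "conflicting_records"
    if len(cnames) != 1:
        return "pending", "multiple_cnames"

    target = cnames[0]
    if target != EDGE_TARGET:
        return "pending", f"wrong_target:{target}"

    # Finally confirm the edge name itself resolves to an address, following at
    # most MAX_CHAIN hops and refusing loops.
    seen, cur = set(), target
    for _ in range(MAX_CHAIN):
        if cur in seen:
            return "pending", "cname_loop"
        seen.add(cur)
        hop = query(cur)
        if any(rtype in ("A", "AAAA") for rtype, _ in hop):
            return "verified", "ok"
        nxt = [canon(rdata) for rtype, rdata in hop if rtype == "CNAME"]
        if not nxt:
            return "pending", "edge_unresolvable"
        cur = nxt[0]
    return "pending", "cname_chain_too_long"


# Constructed snapshot of authoritative answers; IPs are from documentation ranges.
SAMPLE_ZONE: Zone = {
    EDGE_TARGET: [("A", "203.0.113.10")],
    "t.yourbrand.com": [("CNAME", "tracking-edge.admaxxer.com.")],       # correct
    "track.yourbrand.com": [("CNAME", "cdn.admaxxer.com.")],             # wrong target
    "data.yourbrand.com": [("CNAME", "tracking-edge.admaxxer.com."),
                           ("A", "198.51.100.4")],                        # leftover A record
    "www.yourbrand.com": [("A", "198.51.100.1")],                         # no CNAME at all
    "yourbrand.com": [("SOA", "ns1.example. hostmaster.yourbrand.com. 1 3600 600 604800 300"),
                      ("A", "198.51.100.1")],                             # zone apex
}


def sample_query(name: str) -> list[Record]:
    return SAMPLE_ZONE.get(canon(name), [])


if __name__ == "__main__":
    for host in ("t.yourbrand.com", "track.yourbrand.com", "data.yourbrand.com",
                 "www.yourbrand.com", "yourbrand.com", "new.yourbrand.com"):
        print(f"{host:22} -> {classify(host, sample_query)}")
```

The apex test keys off SOA/NS in the answer, which is a DNS-level heuristic; a dashboard that already knows the storefront’s eTLD+1 can reject the apex before any lookup. Note also that a Cloudflare-proxied record and a plain leftover A record are indistinguishable from the outside (both show addresses and no CNAME), which is why the reason for that case names both possibilities.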
vs. Stape, Cloudflare for SaaS — honest trade-offs
First-party domain hosting is a generic capability; Admaxxer, Stape, and Cloudflare for SaaS all offer flavors of it.
| Tool | Capability | Cost | When it makes sense |
|---|---|---|---|
| Admaxxer | First-party CNAME for the Admaxxer pixel + ingest endpoints. Self-hosted Caddy edge auto-issues + auto-renews Let’s Encrypt TLS. | $0 extra · from $9/mo | You want the conversion-recovery rail for the Admaxxer pixel without paying a separate vendor. |
| Stape | Server-side Google Tag Manager hosting on a CNAMEd subdomain. Lets you run any GTM Server template, not just one vendor’s. | $20–500/mo per store | You’ve standardized on GTM Server, you’re running 5+ server-side tags across platforms Admaxxer doesn’t natively support (LinkedIn, Reddit, Bing UET), and you have an engineer to maintain GTM templates. |
| Cloudflare for SaaS | Custom hostnames for SaaS providers with Cloudflare-managed TLS. Used by SaaS platforms; merchants typically interact with it transparently. | Enterprise contract (typically $5K+/yr commitment, varies) | You’re building a SaaS platform and need to host thousands of customer subdomains with enterprise SLA. Not a merchant-facing product. |
The honest trade-offs for choosing Admaxxer’s self-hosted Caddy edge:
- + Free. Bundled in every plan from $9/mo. No per-cert, per-domain, or per-store surcharge.
- + One vendor. Pixel + ingest + TLS all on Admaxxer. No second contract to manage.
- + Database-gated cert issuance. We only mint certs for hostnames you’ve verified through our dashboard. Probing traffic can’t exhaust the Let’s Encrypt rate limit.
- – Single region today. The Caddy edge runs in one location (Hillsboro, OR via Hetzner). Latency from Asia / Australia is higher than from a global CDN. Most DTC events are async POSTs (no UX impact), but it’s an honest trade-off worth flagging.
- – No support for arbitrary tags. The CNAME only proxies the Admaxxer pixel and the Admaxxer ingest endpoint. If you need to fire LinkedIn Insight Tag or Reddit Pixel server-side, Stape’s Server GTM is the right tool. (For the five platforms Admaxxer natively supports — Meta, Google, TikTok, Pinterest, Klaviyo — you don’t need Stape; see /documentation/server-side-tracking.)
- – You control DNS. Same as Stape. If you change DNS providers and don’t reproduce the CNAME, your tracking subdomain goes dark.
Stack first-party CNAME with server-side tracking
First-party CNAME and server-side tracking are the two halves of the conversion-recovery stack. They stack — using one doesn’t replace the other:
- First-party CNAME makes the browser pixel succeed more often. Fewer events are blocked by ITP / ad blockers / DNS blocklists in the first place.
- Server-side tracking recovers the events that still got blocked. Same `event_id` on browser + server rails, ad platform deduplicates.
Stack both and your Meta Event Match Quality reliably runs in the green, your TikTok Match score sits in the 7-9 range, and your dashboard order count matches Shopify’s within a 1-2% margin. Both are included on every Admaxxer plan from $9/mo.
Related Admaxxer documentation
- Server-side tracking — the companion conversion-recovery rail for Meta / Google / TikTok / Pinterest / Klaviyo.
- Pro Tracking overview — reserved `__admx_*` goal events fired automatically.
- Safari ITP mitigation — the HTTP-only first-party cookie pattern that pairs with CNAME.
- Consent API — `admaxxer.optIn / optOut / hasOptedIn` for GDPR + CCPA compliance.
- Cross-domain tracking — URL-handoff pattern for the storefront → checkout → post-purchase journey when you span multiple eTLD+1s.
- Install hub — all 35+ install paths for the Admaxxer pixel. After adding a first-party domain, the snippet in each install guide changes to use your domain.
- Shopify Web Pixel architecture — how the Shopify Customer Events sandbox interacts with first-party CNAME.
- Glossary: iOS 14 attribution — why ATT made this layer mandatory in DTC.
FAQ
How do I set up first-party CNAME on Admaxxer?
Three steps. (1) Pick a subdomain like t.yourbrand.com. (2) At your DNS provider, add a CNAME record: name t, target tracking-edge.admaxxer.com, TTL 300. If you’re on Cloudflare, set proxy status to “DNS only” (grey cloud, not orange). (3) In Admaxxer’s dashboard, open the First-party tracking domain panel, click Add a domain, enter t.yourbrand.com, save. Wait ~5 minutes for our DNS verifier to confirm the CNAME and our Caddy edge to issue a Let’s Encrypt TLS cert. Copy the new pixel snippet and replace your existing snippet on the storefront.
What is first-party CNAME, plainly?
Your storefront pixel + ingest endpoint serve from a subdomain on your own domain (e.g., t.yourbrand.com) instead of cdn.admaxxer.com / collect.admaxxer.com. Three benefits: (1) cookies are first-party so Safari ITP doesn’t clamp them; (2) ad blockers don’t target your domain; (3) DNS-level blocklists don’t have your hostname on their list.
Do I need to buy a separate TLS certificate?
No. Admaxxer’s Caddy edge auto-issues a Let’s Encrypt certificate the first time anyone hits your tracking subdomain. Renewals happen automatically 30 days before expiry. You never see them. No cron, no annual fee, no manual rotation.
Why isn’t my domain verifying?
Five common causes, in order of frequency. (1) CNAME target is wrong — it must be exactly tracking-edge.admaxxer.com, not admaxxer.com or cdn.admaxxer.com. (2) DNS propagation delay — wait 30-60 minutes after adding the record. (3) Conflicting A or TXT record at the same name — delete the old record. (4) Cloudflare proxy enabled — switch to “DNS only” (grey cloud). (5) You submitted the apex (yourbrand.com) — you need a subdomain prefix.
Can I use the apex domain instead of a subdomain?
No. DNS standards forbid CNAMEs on apex records (the zone’s root). Some providers (Cloudflare, Vercel) support a feature called “CNAME flattening” or “ALIAS” that mimics this for the apex, but it’s provider-specific and we don’t recommend it — your apex serves your storefront, mixing pixel traffic in adds risk for no benefit. Pick t., track., or data. as the subdomain prefix.
Will Safari ITP still affect me with first-party CNAME?
The general ITP rules — the 7-day cap on JavaScript-set first-party cookies — still apply. But the strictest 24-hour clamp (reserved for known cross-site trackers) doesn’t. The cookie lifespan is materially better than with the default third-party domain, and the cookies count as same-site for the storefront’s context. For maximum ITP resilience, pair first-party CNAME with our HTTP-only first-party cookie pattern documented at /documentation/safari-itp-mitigation.
What happens if I delete the CNAME record?
The DNS lookup fails, traffic stops reaching us, and your tracking on that subdomain goes dark. The cert eventually expires (90 days from issuance). The row in Admaxxer’s dashboard goes back to pending on the next verifier poll. To clean up properly, remove the domain from the Admaxxer dashboard first, then delete the CNAME at your DNS provider.
Is this the same as Stape or Cloudflare for SaaS?
Same mechanism, different scope. Stape ($20–500/mo per store) hosts server-side Google Tag Manager containers on a CNAMEd subdomain — useful if you’re running multiple server-side tags via GTM. Cloudflare for SaaS is an enterprise contract for SaaS platforms hosting thousands of customer subdomains. Admaxxer’s first-party CNAME is scoped to the Admaxxer pixel + ingest endpoint and bundled on every plan from $9/mo with no surcharge.
Does first-party CNAME break my Cloudflare WAF or Cloudflare Workers setup?
The CNAME for the tracking subdomain must run “DNS only” (grey cloud), so Cloudflare doesn’t proxy that specific subdomain — WAF + Workers + page rules don’t apply to it. Your apex (yourbrand.com) and other subdomains continue to be proxied normally. No security regression on the storefront.
Will I lose historical pixel data when I switch to first-party CNAME?
No. The pixel data is keyed by websiteId, not by hostname — the new snippet at t.yourbrand.com/pixel.js writes to the same Tinybird datasource as the old snippet at cdn.admaxxer.com/pixel.js. Visitor sessions continue uninterrupted across the switch. Plan on a brief overlap window where you have both old and new snippets installed; once you confirm the new one is firing (check the Live Visitor stream), remove the old one.
Can I run multiple first-party domains for the same workspace?
Yes. Each pixel site can have its own first-party domain. Useful if you run multiple storefronts (e.g., brand.com + brand.eu + brand.co.uk) under one Admaxxer workspace — CNAME t.brand.com, t.brand.eu, t.brand.co.uk independently, and each storefront uses its own snippet.
Get your tracking on your own domain in 5 minutes
First-party CNAME is the cheapest, most durable improvement you can make to a DTC tracking stack — and it’s included on every Admaxxer plan from $9/mo. Open the dashboard, pick a subdomain, paste a CNAME, copy the new snippet. Let’s Encrypt does the TLS, Caddy serves the requests, you keep the data.
Add a first-party domain → · Stack with server-side tracking · See pricing