Verifying your domain: step-by-step guide
Published on May 29, 2026
Before Exposentry may scan your domain, we ask you to prove once that you own or administer it. This protects both you and others: no one can run a scan against a domain that is not theirs. You only need to complete one of the three methods below — pick whichever is easiest for you.
Step 1 — Get your verification token
After payment you receive a unique token: a long string of characters. You can find it in two places:
- On the confirmation page right after payment.
- In your dashboard next to the domain, as long as its status is still Pending.
Below we refer to this token as YOUR-TOKEN. Replace it everywhere with your own token.
Step 2 — Choose one verification method
Method 1 — DNS TXT record (recommended)
Suitable if you have access to your domain's DNS settings, at your registrar or hosting provider. Add this record:
| Type | TXT |
| Name / Host | _ex-verify |
| Value / Content | ex-verify=YOUR-TOKEN |
| TTL | default or lowest available (e.g. 300) |
Note the naming: some providers expect just _ex-verify, others the full name _ex-verify.yourdomain.com. When in doubt, enter _ex-verify — the provider usually completes the rest automatically.
DNS changes are usually active within minutes, but can take up to a few hours.
Method 2 — File on the web server
Suitable if you can place files on your website (via FTP, SFTP, cPanel, Plesk or your CMS).
- Create a text file containing only the token — without
ex-verify=in front, and without extra spaces or lines. - Place it so it is reachable at exactly this URL:
https://yourdomain.com/.well-known/ex-verify.txt(a.well-knownfolder in the web root containingex-verify.txt). - Check it yourself by opening that URL in your browser — you should see only the token.
Important: the file must be reachable over https and the page must not redirect.
Method 3 — HTML meta tag on the homepage
Suitable if you can edit the homepage but cannot place individual files (for example with some CMSes or website builders). Add this line to the <head> of your homepage:
<meta name="exposentry-verification" content="YOUR-TOKEN">In many CMSes this is possible without code:
- WordPress: via an SEO plugin (Yoast or Rank Math → extra
<head>code) or the theme's "header scripts" option. - Wix / Squarespace / Webflow: settings → Custom code / Header → paste the line.
Step 3 — Verification and start of the scan
You don't need to do anything after this. Exposentry automatically checks every 10 minutes whether one of the methods has succeeded. As soon as it does:
- the status in your dashboard switches to Verified;
- the security scan starts automatically;
- you receive the report by email afterwards (check your spam folder if needed) and can also view it in the dashboard.
Frequently asked questions
Verification fails — now what?
- DNS: check that the value is exactly
ex-verify=YOUR-TOKENand the name_ex-verify. A space or typo is the most common cause. - File: open
https://yourdomain.com/.well-known/ex-verify.txtin your browser. If you see a 404 or anything other than the bare token, the file isn't set up correctly. - Meta tag: view the page source (right-click → View page source) and search for
exposentry-verification.
Do I need to do all three methods? No, one successful method is enough for all plans.
Can I remove the record or file afterwards? Preferably keep it in place. Monthly rescans (Basis, Professional, Enterprise) may re-check the token; removing it can block a later re-verification.
How long does it take? DNS changes are usually active within minutes, sometimes up to a few hours. A file or meta tag works as soon as it is online.
Get started
No scan running yet? See the plans and pricing or start straight away with a scan. Stuck? Email us at scan@exposentry.io with your domain name and the method you tried — and we'll take a look.