Verify your email domains for single sign-on


Verifying a domain proves your account owns an email domain like acme.com. Once it's verified, members can sign in by typing their work email on the login page, and new accounts can be created automatically even when your identity provider doesn't confirm email addresses. This guide walks through adding a domain and proving ownership with a DNS TXT record.


The single sign-on feature is included in the Enterprise plan and the School plan. Print Farm subscriptions from before 2026-05-15 are grandfathered in. See the pricing page for the full plan comparison.


Where to find it

Verified email domains live in your single sign-on settings, alongside the rest of your OIDC configuration. Open Settings -> Organization, then open "User registration & SSO". You can also use the direct settings link.


The "Verified email domains" section appears once OpenID Connect (OIDC) is your account's active sign-in method. If you don't see it, tick "OpenID Connect (OIDC) single sign-on" first.


Only an account admin with the user-registration settings permission can add or verify domains.


Why verify a domain

Verifying a domain unlocks two things.


1. Home-realm discovery. Members can type their work email on the SimplyPrint login page and get routed straight to your account's sign-in, without having to find your organization first. This works for both OIDC and SAML accounts. See signing in with SSO for how that login flow looks.


2. Trusted automatic account creation. When someone signs in through your identity provider for the first time and they don't have a SimplyPrint account yet, one is created for them automatically (just-in-time provisioning). For that to happen safely, the email address has to be trustworthy. A verified domain marks every address on that domain as trustworthy, so new members on your domain get an account even when the identity provider doesn't send an email-verified signal.


Microsoft Entra ID does not send an email-verified signal, so verifying your domains is the recommended way to enable automatic account creation for Entra. See Microsoft Entra ID setup for the full connection guide.


Add a domain

  1. In the "Verified email domains" section, find the "Add a domain" field.
  2. Type your domain, for example acme.com. You can paste a full URL (for example https://acme.com/login) if it's easier; only the domain part is kept. Don't paste an email address.
  3. Click Add.


The domain appears in the list with a "Pending DNS" status and a DNS record for you to publish.


You can claim more than one domain. Add each domain your members use, then verify them one at a time.


Publish the DNS TXT record

Proving ownership is copy-and-paste based: you publish one TXT record at your DNS provider, then come back and verify it. There is no automatic DNS button, so the values have to be added by hand at your registrar or DNS host.


After you add a domain, the panel shows the exact record under that domain's row:


Field              What it is
TXT host / name    The hostname for the record, in the form _simplyprint.acme.com
TXT value          The proof string, in the form simplyprint-verification=<token>


To publish it:

  1. Click the copy button next to TXT host / name and paste it as the host/name of a new TXT record at your DNS provider.
  2. Click the copy button next to TXT value and paste it as the record's value.
  3. Save the record at your DNS provider.


Use the exact host and value shown in your own panel. The token is unique to your domain, so don't reuse a value from another domain or another guide.


Some DNS providers want only the subdomain part for the host (for example _simplyprint) rather than the full _simplyprint.acme.com. If your provider auto-appends your domain, drop the trailing .acme.com from the host when you paste it.


New to DNS records? See how to add a DNS TXT record at your DNS provider for step-by-step instructions for Cloudflare, GoDaddy, Namecheap, and other popular providers.


Verify ownership

Once the TXT record is saved at your DNS provider:

  1. Wait for the record to propagate. This can be near-instant or take a while depending on your provider.
  2. Back in SimplyPrint, click Verify on that domain's row.


When the record is found, the status changes to "Verified" and the domain is active for home-realm discovery and trusted account creation.


If you verify too soon, you'll see a message that the DNS record couldn't be found yet and that it can take a while to propagate. That's expected right after you publish the record. Give it a few minutes and click Verify again.


DNS changes don't apply instantly. If a verify attempt fails right after you save the record, it's almost always propagation. Wait and retry before changing anything.


Things to know

  • Public mailbox domains can't be claimed. Consumer providers like gmail.com, outlook.com, hotmail.com, yahoo.com and icloud.com are blocked, because a single verified claim would route every address on the domain. Verify a domain your account actually controls.
  • One account per domain. A domain can be claimed by only one SimplyPrint account. The first account to add a domain holds it, verified or not. If you try to add a domain another account already holds, you'll see a message that it's already in use.
  • Removing a domain. Use the trash icon on a domain's row to remove it. Removing a verified domain turns off home-realm discovery and trusted account creation for that domain.
  • You still need an active OIDC connection. Verifying a domain routes members to your sign-in, but they can only sign in once your OIDC connection is set up and active. See the OIDC setup overview to finish that.


Still not verifying?

If Verify keeps failing after you've waited:

  • Double-check the TXT value matches exactly, including the simplyprint-verification= prefix and no extra spaces or quotes.
  • Confirm the record is a TXT record (not CNAME or A) and is on the right host. SimplyPrint accepts the record on either _simplyprint.acme.com or the bare acme.com.
  • Query your domain's TXT records with a public DNS lookup tool to confirm the record is live and matches before retrying.
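
The checks above can be scripted. The following is an added example, not SimplyPrint tooling: it classifies `dig +short TXT` output against the value from your panel and also looks at the doubled host that results when a provider auto-appends the domain to a full host name. The function names, acme.com and EXAMPLE-TOKEN are placeholders chosen for this sketch.

```shell
#!/bin/sh
# Added example: diagnose a SimplyPrint domain-verification TXT record.
# acme.com and EXAMPLE-TOKEN below are placeholders, not real values.

# normalize_txt: turn `dig +short TXT` output (stdin) into raw record values:
# drop the outer presentation quotes and join multi-string records.
normalize_txt() {
    sed -e 's/^"//' -e 's/"$//' -e 's/" "//g'
}

# classify_txt EXPECTED: read normalized records on stdin and print one of
#   match | stray-quotes-or-spaces | wrong-token | missing
classify_txt() {
    expected=$1
    verdict=missing
    while IFS= read -r rec || [ -n "$rec" ]; do
        # Same record with literal (escaped) quotes and edge whitespace removed.
        cleaned=$(printf '%s' "$rec" |
            sed -e 's/\\"//g' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        if [ "$rec" = "$expected" ]; then
            verdict=match
            break
        elif [ "$cleaned" = "$expected" ]; then
            verdict=stray-quotes-or-spaces
        elif [ "$verdict" = missing ]; then
            case $cleaned in
                simplyprint-verification=*) verdict=wrong-token ;;
            esac
        fi
    done
    printf '%s\n' "$verdict"
}

# check_domain DOMAIN EXPECTED: live lookup (needs dig and network access).
# The third host is where the record lands if the provider auto-appended the
# domain to a full host name that was pasted in.
check_domain() {
    domain=$1
    expected=$2
    for host in "_simplyprint.$domain" "$domain" "_simplyprint.$domain.$domain"; do
        result=$(dig +short TXT "$host" | normalize_txt | classify_txt "$expected")
        printf '%-45s %s\n' "$host" "$result"
    done
}

# Usage: check_domain acme.com 'simplyprint-verification=EXAMPLE-TOKEN'
```

A `match` on the third host only means the record exists but sits on the wrong name; re-create it with just `_simplyprint` as the host.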


For more on diagnosing OIDC sign-in issues, see troubleshooting OIDC single sign-on.



Updated on: 13/06/2026
