First-party tracking domain on Admaxxer — your domain, your cookies, included on every plan
If your pixel requests are being blocked by uBlock Origin, Brave Shield, NextDNS, or your visitor’s corporate DNS resolver — or if Safari is clearing your analytics cookies after 24 hours — the fix is to move the pixel onto your own domain. Admaxxer’s first-party tracking domain does this in three steps: pick a subdomain, add a CNAME record, copy the new pixel snippet. TLS is issued and renewed for you automatically — there’s nothing to install and no certificate to manage. Included on every plan from $9/mo.
What is a first-party tracking domain?
The default Admaxxer pixel loads from cdn.admaxxer.com and posts events to collect.admaxxer.com. That works — until any of the following intercepts the request:
- Safari ITP (Intelligent Tracking Prevention). Safari treats cdn.admaxxer.com and collect.admaxxer.com as third-party domains in the visitor’s context (because they don’t match the storefront’s eTLD+1). First-party cookies set via JavaScript on a known tracker domain are clamped to 24 hours or dropped entirely.
- Ad blockers. uBlock Origin, AdGuard, Brave Shield, and the major filter lists (EasyList, EasyPrivacy) maintain blocklists of known analytics domains. collect.admaxxer.com will eventually land on one. Once it does, every visitor running an ad blocker stops sending events.
- DNS-level blocklists. NextDNS, Pi-hole, AdGuard DNS, and most enterprise DNS resolvers block requests to tracker domains at the DNS layer, before TLS, before HTTP.
- In-app browsers. Instagram, Facebook, and TikTok in-app browsers run their own restricted JavaScript context that’s tighter than Safari ITP.
A first-party tracking domain flips the model. You pick a subdomain on your own domain — conventionally t.yourbrand.com or track.yourbrand.com — and CNAME it to Admaxxer. The pixel script and the collect endpoint now serve from your domain. Three things change:
- Cookies are first-party. The pixel sets cookies on yourbrand.com (the eTLD+1 of your storefront and the subdomain). Safari treats them as the same site. ITP doesn’t clamp the lifespan.
- Ad-blocker filter lists don’t target your domain. uBlock and friends maintain blocklists of known tracker domains. They don’t blanket-block every subdomain of every brand — that would break too much of the open web.
- The request is first-hop. No DNS-level blocker has yourbrand.com on its list. The visitor’s browser sees a same-site request to your own domain.
A first-party tracking domain is included on every Admaxxer plan from $9/mo. The same capability is sold by Stape at $20–500/mo per store and by Cloudflare for SaaS as an enterprise-only contract.
How Admaxxer handles TLS for you
The one technical concern with a first-party tracking domain is TLS — the visitor’s browser will hit https://t.yourbrand.com/... and demand a valid certificate for that hostname. Admaxxer takes care of this end to end so you never touch a certificate:
- You add a CNAME for t.yourbrand.com at your DNS provider, pointing it to tracking-edge.admaxxer.com.
- Admaxxer verifies the CNAME automatically, usually within a few minutes. As soon as it resolves to us, the domain in your dashboard flips from Verifying DNS… to Verified.
- The first time a visitor hits https://t.yourbrand.com/pixel.js, Admaxxer obtains a valid TLS certificate for that hostname automatically — typically in seconds — and serves it on every request after that.
- Renewals are automatic. You never see them. There’s no cert-rotation task to maintain on your side, ever.
This is the same hands-off custom-domain experience you get from GitHub Pages, Vercel, Netlify, and Heroku — you point a domain, they handle the TLS.
Why it’s safe:
- Certificates are only issued for domains you’ve verified. Admaxxer only requests a certificate for a hostname after you’ve added it in your dashboard and we’ve confirmed the CNAME points to us. Random probing traffic for other hostnames is rejected.
- You own the DNS. Only you can point the CNAME at us. If you remove the CNAME (or change DNS providers), the certificate eventually expires and we stop being able to serve the hostname. There’s no way for someone else to impersonate your subdomain.
- The certificate is for your hostname only. It’s a single-name certificate for t.yourbrand.com, bound to that subdomain alone — never shared across customers.
- You can revoke at any time. Removing the domain in Admaxxer’s dashboard cuts off the hostname; future requests stop being served. You can also remove the CNAME at your DNS provider for the same effect.
How to set up your tracking subdomain
The setup is three steps. Plan on ~5 minutes of clicking and ~5-30 minutes of waiting for DNS propagation.
Step 1: Pick a subdomain
Conventional choices: t.yourbrand.com, track.yourbrand.com, data.yourbrand.com. Two rules:
- Must be a subdomain, not the apex. You can’t CNAME yourbrand.com itself (DNS standards forbid CNAMEs on apex / zone-root records). The subdomain is where the pixel will serve from; your apex is untouched and your storefront keeps working exactly as it does today.
- One subdomain per pixel site. If you run multiple storefronts on Admaxxer, you can connect a different subdomain for each — or use the same one if they’re actually one brand in two locales.
Avoid using www, shop, store, or any subdomain you already use for production traffic — the CNAME will take that subdomain over and existing traffic will start hitting Admaxxer instead.
Step 2: Add the CNAME record at your DNS provider
In your DNS provider’s dashboard (Cloudflare, GoDaddy, Namecheap, Route53, Google Domains, Vercel DNS, Porkbun, etc.), add a single record:
| Field | Value | Notes |
|---|---|---|
| Type | CNAME | |
| Name / Host | t (or your chosen prefix) | Some providers want just the label (t); others want the full name (t.yourbrand.com). Both work. |
| Target / Value | tracking-edge.admaxxer.com | Always exactly this. Don’t add https:// or a trailing dot — CNAME values are hostnames, not URLs. |
| TTL | 300 or Automatic | 5 minutes is fine. Higher TTLs delay verification on first add. |
| Proxy / Cloudflare orange-cloud | Off | If you’re on Cloudflare, set the proxy status to “DNS only” (grey cloud). Cloudflare’s proxy will terminate TLS itself otherwise and the automatic certificate issuance can’t complete. |
Save the record. Most DNS providers propagate in 1-5 minutes; some take up to 60 minutes globally (the historic TTL on your zone determines this).
Step 3: Add the domain in Admaxxer
- Open /integrations and find the First-party tracking domain panel.
- Click Add a domain.
- Enter your subdomain (t.yourbrand.com) and pick which pixel site it belongs to.
- Click Add domain. The row appears with a Verifying DNS… pill.
- Admaxxer checks your CNAME automatically. As soon as it resolves to us, the pill flips to Verified with a green dot — usually within a few minutes.
- Once verified, the panel shows your new pixel snippet — identical to the default snippet but pointing at t.yourbrand.com instead of cdn.admaxxer.com. Copy and paste it into your storefront (replacing the old snippet), or update the WordPress plugin / Shopify Custom Pixel config to use the new endpoint.
The first visitor that hits https://t.yourbrand.com/pixel.js triggers Admaxxer to obtain the TLS certificate automatically. Every request after that is served instantly.
Troubleshooting DNS verification
If the panel sits on Verifying DNS… for more than ~15 minutes, one of these is true:
CNAME pointing at the wrong target
The most common mistake. The target must be exactly tracking-edge.admaxxer.com — not admaxxer.com, not cdn.admaxxer.com, not app.admaxxer.com. Verify with dig t.yourbrand.com +short; you should see tracking-edge.admaxxer.com. in the output (note the trailing dot — that’s a fully-qualified domain name in DNS notation).
DNS propagation delay
Your old DNS state is cached in resolvers around the world. If your zone’s historic TTL was 24 hours, some resolvers will keep serving the “no record” answer for that long. Admaxxer checks authoritative DNS (not your local cache), so verification typically clears within a few minutes — but global propagation can take longer. Wait 30-60 minutes before assuming something else is wrong.
Conflicting record at the same name
Some DNS providers don’t error when you add a CNAME on a name that already has an A or TXT record — they just silently keep both, and the resolver picks one. If you have an A record at t.yourbrand.com from a previous experiment, delete it so the CNAME works cleanly.
Cloudflare proxy enabled
If you’re on Cloudflare and the proxy status is set to “Proxied” (orange cloud), Cloudflare terminates TLS itself and the automatic certificate issuance can’t complete. Switch the record to DNS only (grey cloud). Your apex domain’s proxy status is untouched.
Apex hostname submitted
The panel will reject yourbrand.com — you cannot CNAME the apex. Pick a subdomain prefix.
Hostname already in use
Each first-party domain can only be linked to one Admaxxer workspace. If you previously added the same hostname under a different workspace, remove it there first.
Re-check after a fix
The panel has a Re-check button on every pending row. Hit it after fixing the underlying DNS issue and you’ll get an immediate verification check instead of waiting for the next automatic one.
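The causes above can be told apart from the DNS answer alone. The following is an added example, not Admaxxer's own tooling: it classifies the output of `dig +noall +answer t.yourbrand.com A` into those causes. The function names, result codes and sample answers are constructed for this example, and the "zone-appended" case assumes a DNS provider that treats the CNAME target as relative to your zone.

```python
# Added example: classify a `dig +noall +answer <host> A` answer section
# against the failure causes listed in the troubleshooting section.

EXPECTED_TARGET = "tracking-edge.admaxxer.com"  # CNAME target given on this page

ADVICE = {
    "ok": "CNAME is correct; press Re-check in the panel.",
    "apex": "Apex submitted; pick a subdomain prefix such as t.",
    "no-record": "Nothing published yet: record not saved, or still propagating.",
    "no-cname": "Address answered directly: leftover A record, or proxied (orange cloud).",
    "conflict": "CNAME coexists with another record at this name; delete the other one.",
    # Assumption: the provider treated the target as relative to your zone.
    "zone-appended": "Your zone was appended to the target; re-enter the target.",
    "wrong-target": "CNAME points elsewhere; set it to " + EXPECTED_TARGET + ".",
}


def norm(name):
    """DNS names compare case-insensitively; dig prints a trailing root dot."""
    return name.strip().rstrip(".").lower()


def parse_answer(text):
    """Yield (owner, type, rdata) from dig answer lines: owner TTL class type rdata."""
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) == 5 and not line.lstrip().startswith(";"):
            owner, _ttl, _cls, rtype, rdata = fields
            yield norm(owner), rtype.upper(), rdata.strip()


def diagnose(hostname, zone_apex, answer_text):
    """Return one of the ADVICE keys for hostname, given its dig answer section."""
    host = norm(hostname)
    if host == norm(zone_apex):
        return "apex"
    # Only records owned by the hostname itself matter; the A records that
    # follow a CNAME are owned by the target and are expected.
    own = [(t, d) for owner, t, d in parse_answer(answer_text) if owner == host]
    if not own:
        return "no-record"
    cnames = [norm(d) for t, d in own if t == "CNAME"]
    if not cnames:
        return "no-cname"
    if len(own) > len(cnames):
        return "conflict"
    if cnames[0] == EXPECTED_TARGET:
        return "ok"
    if cnames[0].startswith(EXPECTED_TARGET + "."):
        return "zone-appended"
    return "wrong-target"


# Constructed answer sections (203.0.113.0/24 is a documentation range).
GOOD = ("t.yourbrand.com. 300 IN CNAME tracking-edge.admaxxer.com.\n"
        "tracking-edge.admaxxer.com. 60 IN A 203.0.113.10")
WRONG = "t.yourbrand.com. 300 IN CNAME cdn.admaxxer.com."
APPENDED = "t.yourbrand.com. 300 IN CNAME tracking-edge.admaxxer.com.yourbrand.com."
DIRECT_A = "t.yourbrand.com. 300 IN A 203.0.113.77"
BOTH = GOOD + "\nt.yourbrand.com. 300 IN A 203.0.113.77"

if __name__ == "__main__":
    samples = [("good", GOOD), ("wrong", WRONG), ("appended", APPENDED),
               ("direct-a", DIRECT_A), ("both", BOTH), ("empty", "")]
    for label, answer in samples:
        code = diagnose("t.yourbrand.com", "yourbrand.com", answer)
        print(f"{label:9} {code:13} {ADVICE[code]}")
```

A "no-cname" result cannot distinguish a leftover A record from a proxied Cloudflare record using DNS alone; check the record's proxy status at the provider to tell them apart.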
vs. Stape, Cloudflare for SaaS — honest trade-offs
First-party domain hosting is a generic capability; Admaxxer, Stape, and Cloudflare for SaaS all offer flavors of it.
| Tool | Capability | Cost | When it makes sense |
|---|---|---|---|
| Admaxxer | First-party tracking domain for the Admaxxer pixel + ingest endpoints. TLS is issued and renewed automatically — nothing to install. | $0 extra · from $9/mo | You want the conversion-recovery rail for the Admaxxer pixel without paying a separate vendor. |
| Stape | Server-side Google Tag Manager hosting on a CNAMEd subdomain. Lets you run any GTM Server template, not just one vendor’s. | $20–500/mo per store | You’ve standardized on GTM Server, you’re running 5+ server-side tags across platforms Admaxxer doesn’t natively support (LinkedIn, Reddit, Bing UET), and you have an engineer to maintain GTM templates. |
| Cloudflare for SaaS | Custom hostnames for SaaS providers with Cloudflare-managed TLS. Used by SaaS platforms; merchants typically interact with it transparently. | Enterprise contract (typically $5K+/yr commitment, varies) | You’re building a SaaS platform and need to host thousands of customer subdomains with enterprise SLA. Not a merchant-facing product. |
The honest trade-offs for choosing Admaxxer’s first-party tracking domain:
- + Free. Bundled in every plan from $9/mo. No per-cert, per-domain, or per-store surcharge.
- + One vendor. Pixel + ingest + TLS all on Admaxxer. No second contract to manage.
- + Nothing to maintain. TLS is issued and renewed for you automatically — no certificate, no cron, no manual rotation.
- – No support for arbitrary tags. The CNAME only proxies the Admaxxer pixel and the Admaxxer ingest endpoint. If you need to fire LinkedIn Insight Tag or Reddit Pixel server-side, Stape’s Server GTM is the right tool. (For the five platforms Admaxxer natively supports — Meta, Google, TikTok, Pinterest, Klaviyo — you don’t need Stape; see /documentation/server-side-tracking.)
- – You control DNS. Same as Stape. If you change DNS providers and don’t reproduce the CNAME, your tracking subdomain goes dark.
Stack a first-party tracking domain with server-side tracking
A first-party tracking domain and server-side tracking are the two halves of the conversion-recovery stack. They stack — using one doesn’t replace the other:
- First-party tracking domain makes the browser pixel succeed more often. Fewer events are blocked by ITP / ad blockers / DNS blocklists in the first place.
- Server-side tracking recovers the events that still got blocked. Same event_id on browser + server rails, ad platform deduplicates.
Stack both and your Meta Event Match Quality reliably runs in the green, your TikTok Match score sits in the 7-9 range, and your dashboard order count matches Shopify’s within a 1-2% margin. Both are included on every Admaxxer plan from $9/mo.
Related Admaxxer documentation
- Server-side tracking — the companion conversion-recovery rail for Meta / Google / TikTok / Pinterest / Klaviyo.
- Pro Tracking overview — reserved __admx_* goal events fired automatically.
- Safari ITP mitigation — the HTTP-only first-party cookie pattern that pairs with a first-party tracking domain.
- Consent API — admaxxer.optIn / optOut / hasOptedIn for GDPR + CCPA compliance.
- Cross-domain tracking — URL-handoff pattern for the storefront → checkout → post-purchase journey when you span multiple eTLD+1s.
- Install hub — all 35+ install paths for the Admaxxer pixel. After adding a first-party domain, the snippet in each install guide changes to use your domain.
- Shopify Web Pixel architecture — how the Shopify Customer Events sandbox interacts with a first-party tracking domain.
- Glossary: iOS 14 attribution — why ATT made this layer mandatory in DTC.
Methodology — the DNS + TLS flow under the hood
A first-party tracking domain isn’t a clever trick — it’s a clean DNS + TLS chain. Understanding the resolution path makes it easier to debug a stuck verification and helps you reason about exactly what Safari, an ad blocker, or a DNS resolver sees on each request.
DNS resolution chain
- Visitor’s browser requests t.yourbrand.com/pixel.js.
- The browser’s resolver queries the authoritative DNS for yourbrand.com (your registrar/DNS host).
- Your DNS returns a CNAME record: t.yourbrand.com CNAME tracking-edge.admaxxer.com.
- The resolver follows the CNAME and queries the authoritative DNS for tracking-edge.admaxxer.com, getting back the address records that point at Admaxxer.
- The browser opens a TCP/443 connection to that address and performs a TLS handshake with SNI = t.yourbrand.com.
- Admaxxer checks that t.yourbrand.com is a verified first-party domain (added in your dashboard, CNAME confirmed) before serving any certificate for it.
- If the domain is verified and no certificate is cached yet, Admaxxer obtains one for that hostname automatically — typically inside a few seconds — and caches it. Every request after that uses the cached certificate; renewals happen automatically before expiry.
- The TLS handshake completes, the GET request is served, and the pixel JavaScript loads from your domain.
Crucially, the DNS resolver and Safari’s ITP both perceive the request as same-site with the storefront on yourbrand.com — the cross-site classification ITP applies to cdn.admaxxer.com doesn’t apply here, because the eTLD+1 (yourbrand.com) is identical to the storefront’s.
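The eTLD+1 comparison behind that same-site classification, as an added example that is not part of Admaxxer's code. The suffix set is a constructed subset of the Public Suffix List covering only the hostnames used on this page, and the function names are hypothetical; it compares hostnames only and does not implement the list's wildcard or exception rules.

```python
# Added example: compute the eTLD+1 ("registrable domain") of a hostname and
# use it to classify requests as same-site or cross-site relative to a page.

# Constructed subset of the Public Suffix List; real code loads the full list.
PUBLIC_SUFFIXES = {"com", "eu", "uk", "co.uk"}


def registrable_domain(host, suffixes=PUBLIC_SUFFIXES):
    """Return the eTLD+1 of host, or None if host is a bare public suffix
    or ends in a suffix this table does not know."""
    labels = host.strip().rstrip(".").lower().split(".")
    # Scanning from the full name downwards finds the longest matching
    # suffix first, so "co.uk" wins over "uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None  # unknown suffix: refuse to guess


def classify_requests(page_host, request_hosts):
    """Map each request host to 'same-site' or 'cross-site' for the page."""
    page_site = registrable_domain(page_host)
    result = {}
    for host in request_hosts:
        site = registrable_domain(host)
        same = site is not None and site == page_site
        result[host] = "same-site" if same else "cross-site"
    return result


if __name__ == "__main__":
    # The CNAMEd subdomain shares the storefront's eTLD+1; the default pixel
    # hosts do not.
    print(classify_requests("www.yourbrand.com",
                            ["t.yourbrand.com", "cdn.admaxxer.com",
                             "collect.admaxxer.com"]))
    # Multi-label suffix: a "last two labels" shortcut would wrongly treat
    # every *.co.uk host as one site.
    print(classify_requests("www.brand.co.uk",
                            ["t.brand.co.uk", "t.other.co.uk"]))
```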
Safari ITP semantics in this configuration
Apple publishes ITP’s classifier behavior in WebKit’s tracking-prevention docs. The short version: ITP classifies domains, not subdomains. Once t.yourbrand.com serves traffic for both the storefront context (because it’s a sibling subdomain) and ad-platform contexts, ITP’s heuristics may still downgrade the JS-set cookie lifespan to 7 days — this is the persistent ITP rule on first-party JS-set cookies (a.k.a. the “Storage Access API” rule). What ITP does NOT do in this configuration: clamp to 24 hours (the rule reserved for known cross-site trackers) or block the cookie set entirely.
For maximum ITP resilience, pair a first-party tracking domain with Admaxxer’s HTTP-only first-party cookie pattern (see /documentation/safari-itp-mitigation) — HTTP-only Set-Cookie headers bypass the JS-set ITP rule entirely.
What gets cached, where
- Visitor browser: the versioned pixel.js for a short cache window, session cookies, and your domain’s storage.
- DNS resolver chain: the CNAME record cached per its TTL (default 300s = 5 min); the address records for tracking-edge.admaxxer.com cached per a short TTL so Admaxxer can route traffic flexibly.
- Admaxxer: serves the pixel + ingest endpoints, caches your domain’s certificate, and keeps your pixel config warm so responses stay fast.
FAQ
How do I set up a first-party tracking domain on Admaxxer?
Three steps. (1) Pick a subdomain like t.yourbrand.com. (2) At your DNS provider, add a CNAME record: name t, target tracking-edge.admaxxer.com, TTL 300. If you’re on Cloudflare, set proxy status to “DNS only” (grey cloud, not orange). (3) In Admaxxer’s dashboard, open the First-party tracking domain panel, click Add a domain, enter t.yourbrand.com, save. Wait a few minutes for Admaxxer to verify the CNAME and issue TLS automatically. Copy the new pixel snippet and replace your existing snippet on the storefront.
What is a first-party tracking domain, plainly?
Your storefront pixel + ingest endpoint serve from a subdomain on your own domain (e.g., t.yourbrand.com) instead of cdn.admaxxer.com / collect.admaxxer.com. Three benefits: (1) cookies are first-party so Safari ITP doesn’t clamp them; (2) ad blockers don’t target your domain; (3) DNS-level blocklists don’t have your hostname on their list.
Do I need to buy a separate TLS certificate?
No. Admaxxer issues a valid TLS certificate for your tracking subdomain automatically the first time anyone hits it, and renews it for you before it expires. You never see it. No cron, no annual fee, no manual rotation.
Why isn’t my domain verifying?
Five common causes, in order of frequency. (1) CNAME target is wrong — it must be exactly tracking-edge.admaxxer.com, not admaxxer.com or cdn.admaxxer.com. (2) DNS propagation delay — wait 30-60 minutes after adding the record. (3) Conflicting A or TXT record at the same name — delete the old record. (4) Cloudflare proxy enabled — switch to “DNS only” (grey cloud). (5) You submitted the apex (yourbrand.com) — you need a subdomain prefix.
Can I use the apex domain instead of a subdomain?
No. DNS standards forbid CNAMEs on apex records (the zone’s root). Some providers (Cloudflare, Vercel) support a feature called “CNAME flattening” or “ALIAS” that mimics this for the apex, but it’s provider-specific and we don’t recommend it — your apex serves your storefront, mixing pixel traffic in adds risk for no benefit. Pick t., track., or data. as the subdomain prefix.
Will Safari ITP still affect me with a first-party tracking domain?
The most aggressive ITP rules — the 7-day cap on JavaScript-set first-party cookies — still apply. But the strictest 24-hour clamp (reserved for known cross-site trackers) doesn’t. The cookie lifespan is materially better than with the default third-party domain, and the cookies count as same-site for the storefront’s context. For maximum ITP resilience pair a first-party tracking domain with our HTTP-only first-party cookie pattern documented at /documentation/safari-itp-mitigation.
What happens if I delete the CNAME record?
The DNS lookup fails, traffic stops reaching us, and your tracking on that subdomain goes dark. The certificate eventually expires. The row in Admaxxer’s dashboard goes back to pending on the next verification check. To clean up properly, remove the domain from the Admaxxer dashboard first, then delete the CNAME at your DNS provider.
Is this the same as Stape or Cloudflare for SaaS?
Same mechanism, different scope. Stape ($20–500/mo per store) hosts server-side Google Tag Manager containers on a CNAMEd subdomain — useful if you’re running multiple server-side tags via GTM. Cloudflare for SaaS is an enterprise contract for SaaS platforms hosting thousands of customer subdomains. Admaxxer’s first-party tracking domain is scoped to the Admaxxer pixel + ingest endpoint and bundled on every plan from $9/mo with no surcharge.
Does a first-party tracking domain break my Cloudflare WAF or Cloudflare Workers setup?
The CNAME for the tracking subdomain must run “DNS only” (grey cloud), so Cloudflare doesn’t proxy that specific subdomain — WAF + Workers + page rules don’t apply to it. Your apex (yourbrand.com) and other subdomains continue to be proxied normally. No security regression on the storefront.
Will I lose historical pixel data when I switch to a first-party tracking domain?
No. The pixel data is keyed by websiteId, not by hostname — the new snippet at t.yourbrand.com/pixel.js writes to the same analytics datasets as the old snippet at cdn.admaxxer.com/pixel.js. Visitor sessions continue uninterrupted across the switch. Plan on a brief overlap window where you have both old and new snippets installed; once you confirm the new one is firing (check the Live Visitor stream), remove the old one.
Can I run multiple first-party domains for the same workspace?
Yes. Each pixel site can have its own first-party domain. Useful if you run multiple storefronts (e.g., brand.com + brand.eu + brand.co.uk) under one Admaxxer workspace — CNAME t.brand.com, t.brand.eu, t.brand.co.uk independently, and each storefront uses its own snippet.
Which plan tiers include a first-party tracking domain?
Every plan from AD_STARTER ($9/mo) upward — a first-party tracking domain is part of the Admaxxer core stack, not a paywalled upsell. Plans differentiate only on tracked-event quota: AD_STARTER 15K/mo, AD_GROWTH 100K, AD_PRO 750K, AD_AGENCY 3M, AD_ENTERPRISE 15M, AD_PLATFORM 50M. The 7-day free trial covers it so you can verify the certificate provisions and the cookie behavior on Safari before committing. Compare: Stape charges $20-200/mo per store for CNAME hosting on top of a separate Server GTM contract; Cloudflare for SaaS is enterprise-contract only.
Does a first-party tracking domain affect my SSL/TLS certificate if my registrar suddenly drops DNSSEC?
No. Admaxxer issues an independent TLS certificate scoped to your subdomain only — the certificate chain doesn’t depend on DNSSEC. If your registrar drops DNSSEC, your apex / storefront might see browser warnings (separate issue), but the tracking subdomain’s certificate continues to renew automatically for as long as the CNAME resolves correctly. The CNAME itself doesn’t require DNSSEC to function (CNAME is a baseline DNS record type, available since RFC 1035 in 1987).
Get your tracking on your own domain in 5 minutes
A first-party tracking domain is the cheapest, most durable improvement you can make to a DTC tracking stack — and it’s included on every Admaxxer plan from $9/mo. Open the dashboard, pick a subdomain, paste a CNAME, copy the new snippet. Admaxxer handles the TLS, serves the requests, and you keep the data.