Custom Domains
Replace your default Kit URLs with your own branded domain for your admin dashboard, career portal, or security portal.
Why It Matters
Your Kit account comes with default URLs based on your subdomain — but sharing startupkit.app/careers/your-company or your-company.startupkit.app doesn’t feel like your brand. Custom domains let you replace these with your own domain (like kit.yourcompany.com, careers.yourcompany.com, or security.yourcompany.com), giving candidates, researchers, and team members a professional, on-brand experience.
What You Can Brand
Kit supports three self-serve types of custom domains, each replacing a different part of your account:
| Domain Type | Replaces | Example |
|---|---|---|
| Admin Dashboard | your-company.startupkit.app |
kit.yourcompany.com |
| Career Portal | startupkit.app/careers/your-company |
careers.yourcompany.com |
| Security Portal | startupkit.app/security/your-company |
security.yourcompany.com |
You can set up one of each type on the same account. The Security Portal type requires an active VDP add-on subscription — see Vulnerability Disclosure Program for details.
A custom outreach tracking domain (so tracking URLs match your sending domain) is not yet self-serve — contact Kit support if you need one. See Engagement Tracking for details.
Requirements
Before adding a custom domain, make sure you have:
- An active paid subscription on your account
- Account admin role (non-admins won’t see the Custom Domains settings)
- A domain you control with access to its DNS settings
- For Security Portal domains: an active VDP add-on subscription
Adding a Custom Domain
- Open Account Settings in the sidebar
- Click Custom Domains
- Click Add Domain
- Choose a domain type — Admin Dashboard, Career Portal, or Security Portal
- Enter your domain (e.g.
kit.yourcompany.com) - Click Add Domain to save
Kit registers the domain and redirects you to the domain detail page with DNS setup instructions.
We recommend using a subdomain (like kit.yourcompany.com) rather than a root domain (yourcompany.com). Subdomains work with any DNS provider and are simpler to configure.
Configuring DNS
After adding your domain, you need to create a DNS record at your domain provider pointing to Kit.
For Subdomains (Recommended)
| Type | Name | Target |
|---|---|---|
CNAME |
Your subdomain (e.g. kit) |
startupkit.app |
CNAME records work with every DNS provider.
For Root/Apex Domains
| Type | Name | Target |
|---|---|---|
ALIAS or ANAME
|
@ |
startupkit.app |
Root domains cannot use CNAME records due to DNS standards. You’ll need a provider that supports ALIAS or ANAME records (such as Cloudflare, DNSimple, or DNS Made Easy). Most basic registrars do not support this — if yours doesn’t, use a subdomain instead.
DNS changes can take anywhere from a few minutes to 48 hours to propagate, depending on your provider and existing TTL settings.
Verification and SSL
Once your DNS record is in place, Kit automatically handles verification and SSL certificate provisioning. The process follows three steps:
- Domain Added — Your domain is registered and waiting for DNS configuration
- DNS Configured — Kit detects your DNS record and begins SSL provisioning
- SSL Active — A certificate is issued and your domain is live with HTTPS
This typically completes within a few minutes of adding the DNS record. You can check progress at any time by visiting the domain detail page and clicking Check Status.
Kit uses automatic DV (Domain Validated) certificates that renew every 90 days — no manual certificate management required.
Certificate Authority (CAA) records
If your domain has CAA records — a DNS record that controls which certificate authorities are allowed to issue certificates for it — they must authorize the authorities Kit uses. Otherwise certificate issuance is silently blocked and your domain never goes live, even when your DNS is correct.
Kit may issue through any of these authorities:
| Authority | CAA value |
|---|---|
| SSL.com | ssl.com |
| Sectigo | sectigo.com |
| Google Trust Services | pki.goog |
| Let’s Encrypt | letsencrypt.org |
For each authority, add both an issue and an issuewild CAA record at your root domain — for example 0 issue "ssl.com" and 0 issuewild "ssl.com". Or, if you don’t need CAA restrictions, remove your CAA records entirely.
Warning
CAA records are checked at your root domain (e.g. yourcompany.com), even for a subdomain like careers.yourcompany.com. Authorize all of the authorities above — Kit rotates between them, so allowing only one can cause a renewal to fail months later. If you don’t have any CAA records, you can skip this step.
Domain health monitoring
Once your domain is live, Kit keeps watch on it so you don’t have to. We re-check every active custom domain regularly.
- If your domain goes down — for example its certificate stops renewing, or a DNS or CAA change breaks it — Kit emails every account admin (and shows an in-app alert) explaining what happened and what to fix. The domain’s detail page shows specific guidance for the exact problem.
- When it recovers, Kit sends a follow-up email so you know it’s resolved.
- If the domain’s registration is lost on our certificate provider’s side (rare), the domain detail page shows a Re-register button — click it to recreate the registration. No DNS changes are needed on your end.
This is automatic for every active custom domain; there’s nothing to enable.
Bot protection (Cloudflare Turnstile)
The public forms on your Career Portal and Security Portal — job applications, talent-pool signups, and vulnerability reports — are open to the internet, which makes them a target for spam and bots. Every form already has a built-in invisible spam check and rate limiting. For stronger protection, you can add your own Cloudflare Turnstile widget — a free, privacy-friendly CAPTCHA alternative — to a custom domain.
This is optional and configured per domain. If you don’t add Turnstile keys, the built-in spam guard stays in effect.
Note
Turnstile is a standalone product — you do not need to move your DNS to Cloudflare or change anything about how your custom domain is set up. A free Cloudflare account is all that’s required.
How to add Turnstile to a domain
- Create a free Cloudflare account if you don’t have one.
- In the Cloudflare dashboard, open Turnstile and click Add widget.
- Give it a name, add your custom domain’s hostname (e.g.
careers.yourcompany.com) under Hostnames, and choose Managed mode. - Copy the Site Key and Secret Key Cloudflare generates.
- In Kit, go to Account Settings > Custom Domains, open your Career or Security domain, and find the Bot protection (Cloudflare Turnstile) section.
- Paste both keys and click Save keys.
The widget appears on that domain’s forms immediately. Visitors solve a quick challenge before their submission goes through; failed challenges are rejected.
Notes
- The hostname you add in Cloudflare must match your custom domain exactly — otherwise the widget won’t load and submissions will be blocked.
- Your Secret Key is stored encrypted and never shown again. To replace it, paste a new one; to turn protection off, click Remove.
- Turnstile only applies to your custom domain. Forms on the default Kit URL use Kit’s own protection.
Troubleshooting
| Problem | Solution |
|---|---|
| Status stuck on “DNS Required” | DNS changes may not have propagated yet — wait up to 48 hours, then click Check Status |
| Root domain not verifying | Confirm your DNS provider supports ALIAS or ANAME records; if not, switch to a subdomain |
| SSL error after DNS is correct | Click Check Status to retry. The most common cause is a CAA record blocking issuance — see Certificate Authority (CAA) records above |
| Certificate won’t issue / CAA error | Your CAA records don’t authorize Kit’s certificate authorities — add them (see Certificate Authority (CAA) records) or remove your CAA records, then click Check Status |
| Domain page shows a “Re-register” button | The domain’s registration was lost on our provider’s side — click Re-register to recreate it; no DNS changes needed |
| “Domain is reserved” error | Kit’s own system domains (e.g. startupkit.app, www.startupkit.app) cannot be used as custom domains |
| “Requires VDP addon” error | Security Portal domains require an active VDP add-on subscription — enable it in your billing settings |
| Domain shows as “Error” | Check the error details on the domain page — common causes include conflicting DNS records or provider-level blocks |
| Turnstile widget won’t load / all submissions blocked | The hostname in your Cloudflare Turnstile widget must exactly match your custom domain. Confirm it under the widget’s Hostnames, then re-check |
Removing a Domain
To remove a custom domain:
- Go to Account Settings > Custom Domains
- Click on the domain you want to remove
- Click Remove Domain and confirm
Removing a domain cleans up the SSL certificate and DNS configuration on Kit’s side. Your account reverts to the default Kit URL immediately. You should also remove the DNS record at your provider to keep your DNS tidy.
Quick Checklist
- You have an active paid subscription
- You are an account administrator
- You’ve chosen a domain type (Admin Dashboard, Career Portal, or Security Portal)
- You’ve entered your domain in Account Settings > Custom Domains
- You’ve added the correct DNS record (CNAME for subdomains, ALIAS/ANAME for root domains)
- DNS has propagated and Kit shows the domain as “Active”
- You’ve verified your site loads correctly on the new domain with HTTPS
- (Optional) You’ve added Cloudflare Turnstile keys to protect your Career or Security Portal forms