Learn about first-party domains and how to configure your own domains and SSL/TLS certificates for data collection and delivery solutions in the Tealium Customer Data Hub.

To use first-party domains you must have access to update your DNS database entries. You should be prepared to work with your "ProdOps" team or the person responsible for your domain registration or SSL/TLS certificates.

In this article:

About First-Party Domains

By default, the services offered in the Tealium Customer Data Hub are hosted on Tealium domains. Since these domain names don't match the domain of your brand's website, they are considered third-party domains. For example, the JavaScript files for Tealium iQ Tag Management are served from the domain tags.tiqcdn.comand the data collection endpoint for Tealium EventStream API Hub uses the domain

However, as new privacy regulations come out and as browsers begin limiting third-party capabilities, you might want to use your own domain to ensure that Tealium services are treated as first-party. First-party domains benefit from improved tracking and better compliance with browser privacy and cookie settings,

How It Works

To use your own domain name for Tealium services you must create a CNAME entry in your DNS database. A CNAME record specifies a subdomain prefix to point to another domain. For example, the website might have a CNAME for that points to Tealium's CDN to serve the files for iQ Tag Management. A critical part of this configuration is the management of the SSL/TLS certificates, the public key certificates that verify the encryption of your website over HTTPS.

The Tealium first-party domain feature helps you manage which domains you want to use with Tealium services and validates the SSL/TLS certificates for those domains.

Managed and Imported Certificates

You configure first-party domains by either importing your own certificates or by requesting certificates to be managed by Tealium. Imported certificates work the same as managed certificates, but with one important exception: imported certificates will not be automatically renewed.

To use your own certificates you must have access to the following SSL/TLS certificate files:

  • PEM-encoded certificate
  • PEM-encoded, unencrypted private key
  • PEM-encoded certificate chain

To request certificates managed by Tealium, you must have access to edit your DNS entries or have access to receive email messages sent to the domain administrator.

Validating Domain Ownership

Before Tealium can issue a certificate for your site, you must prove that you own or control all the domains in your request. You can prove ownership using either DNS validation or email validation.

We recommend DNS validation because it is usually a quicker process and because sometimes it can be difficult to track down who in your organization has access to the administrative emails. However, if you don't have access to edit your domain's DNS database then you must use email validation.

DNS Validation

To use the DNS validation method you must have access to edit your DNS configuration.

When you select the DNS validation method you are given a CNAME record, one for each domain requested, that must be added to your DNS configuration. Once the DNS update propagates (which might take several hours), the ownership is confirmed and permanent CNAME records are provided on the same screen where the validation records are displayed.

You will receive an email message (one for each domain) containing a validation token that expires in 72 hours. If you do not receive the email or the token has expired, return to the main screen and click Resend Email.

Email Validation

To use email validation you must be able to receive email messages at one of the contact addresses listed in the WHOIS database for each of your requested domains. The email addresses that will receive a message include:

  • administrator@your_domain
  • hostmaster@your_domain
  • hostmaster@your_domain
  • postmaster@your_domain
  • webmaster@your_domain
  • admin@your_domain

You will receive an email message (one for each domain) containing a validation token that expires in 72 hours. If you do not receive the email or the token has expired, return to the main screen and click Resend Email.

Data Collection Domains

Use first-party domains with Tealium EventStream API Hub and Tealium AudienceStream CDP for first-party data collection. 

The following data collection services and domains can be mapped to your first-party domain:

Tealium Service Third-Party Domain First-Party Example
Tealium Collect

To use your first-party domain with a service not listed here, such as Data Layer Enrichment or the View-Through Extension, contact Tealium Support Desk.

Tag Management Delivery Domains

Use first-party domains with Tealium iQ Tag Management to maintain core functionality as browsers adopt stricter privacy policies such as ITP and ad blockers.

The following tag management services and domains can be mapped to your first-party domain:

Tealium Service Third-Party Domain First-Party Example
iQ Tag Management Files
(utag.js, utag.sync.js, utag.#.js)

Managing Domains and Certificates

Contact Tealium Support Desk to enable this feature in your account.

To configure first-party domains for your account you must have the Manage Account permission

To get started, navigate to iQ Tag Management > User Menu > First-Party Domains.

Next, decide which of the following services to configure and click Configure Certificate:

  • Collection
    Configure domains used for data collection by Tealium EventStream and Tealium AudienceStream.
  • Delivery
    Configure domains used for tag management by Tealium iQ Tag Management.

Domains and certificates are managed separately for these services.

Select a Region

To configure a domain and certificate for data collection, first select the region in which your primary account operates:

  • US East
  • Germany
  • Ireland
  • Sydney
  • Tokyo
  • Hong Kong

Getting a Certificate Managed by Tealium

To request an SSL/TLS certificate managed by Tealium, select a method to validate your ownership of the requested domains:

DNS validation

To validate using DNS, you will be provided temporary CNAME records to add to your DNS database. Once these records are propagated and validated, you will be provided permanent CNAME records. You must have access to edit your DNS configuration to use this option.

Email validation

To validate using email, an email message will be sent to the administrator email address associated with the requested domains. You must be able to receive these email messages to validate your ownership of the domains. You will receive an email message (one for each domain) containing a validation token that expires in 72 hours. If you do not receive the email or the token has expired, return to the main screen and click Resend Email.

Next, accept the agreement to allow Tealium to manage certificates for the provided domains.

Uploading Your Own Certificate

If you prefer to use your own certificate you can upload your certificate files. If you use your own certificate, Tealium cannot automatically renew it.

Upload the following files to use your own certificate:

  • Certificate Body
  • Certificate Private Key
  • Certificate Chain

Entering Domains

The first-party domain you specify will usually be a subdomain of your customer-facing website. For example, the website located at would use a subdomain named as a first-party domain for tag management services.

Enter the first-party domain you want to use, omitting https:// and the ending slash. 

Click + Add Another Domain to add additional domains.

First-party domains apply to all profiles in your account, so enter a subdomain for each site managed by this account.

View Domain Contact Info

After you enter a domain, click View Contact Info to view the WHOIS database information for that domain. If the WHOIS database contains contact information for the domain, such as a name, mailing address, email address, or phone number, it will be displayed here to help you verify the entry.

DNS Confirmation

If you chose for Tealium to manage your certificates, the confirmation screen displays one or more CNAME entres used to validate your domain ownership.

When you first request the certificate, a CNAME entry is displayed for validation purposes, after which the permanent CNAME entry is displayed.

The entry contains a record name and record value pair which you will enter into your DNS provider's web interface to update the records.

The record name appears in the format where X is a generated alpha-numeric string and is the first-party domain you entered.

Example record name:

DNS providers are inconsistent in their handling of the record name (or just "name") field. In some cases you are expected to provide the entire value as shown above, while other providers automatically append the domain name to the value you enter.

The record value is similar and appears in the format where X.Y is a generated alpha-numeric string.

Example record value:

Domain Statuses

During the setup and validation process the domain certificate could appear with one of the following statuses:

  • Issued: All domains are validated and the certificate is not expired nor about to expire.
  • Expired: The certificate is expired.
  • Pending Validation: One or more domains attached to the certificate are not validated.

The domain validation must occur within 72 hours. 

If the validation period expires, request a new certificate for the same domain. The DNS validation records are the same for subsequent requests of the same domain.

Using First-Party Domains

After your domains are configured and the certificates are validated you can begin using your first-party domains with the following services:

Tag Management

To use your first-party domain with iQ Tag Management you must also make the following changes:

  • Update the Universal Tag (utag.js) code snippet wherever it is installed.
  • Set the publishing URLs.
  • Edit the template for utag.js to adjust the location of utag.v.js.

Update Universal Tag Loading Script

To update the Universal Tag code snippet:

  1. Navigate to User Admin Menu > Code Center.
  2. Under Choose Domain, select your first-party domain.

The example code snippet is updated to use your first-party domain.

The new URL only uses the profile name and environment in the path. The account name and /utag/ portions are omitted.

The URL to the Universal Tag on a first-party domain is:

For example, the code snippet for would be:

<!-- Loading script asynchronously -->
<script type="text/javascript">

Set Publishing URLs

The publishing URLs determine where to load the additional utag.#.js files for each default environment. If you forget this step, then the vendor tag files loaded after utag.js will not originate from your domain.

To set the publishing URLs:

  1. Click Save/Publish, then click Configure Publish Settings....
  2. Under Publishing URLs, enter a URL for each environment that uses your first-party domain.
    Dev: //
    QA: //
    Prod: //
  3. Click Save.

Update Location to utag.v.js

Within the tag template for the Universal Tag (utag.js) there is code that loads an additional file used for reporting purposes named utag.v.js. You must update the path of this file to use your first-party domain, too.

To set a new location for utag.v.js:

  1. Go to iQ Tag Management > Admin > Manage Templates.
  2. In the Template drop-down list, select uTag Loader UID:loader.
  3. Find the line that loads utag.v.js and change it to use your first-party domain.
    Default code:
    if(w>0 && b["cp.utag_main__ss"]==1 && !utag.cfg.no_session_count) utag.ut.loader({
        src:v.substring(0,v.indexOf("/ut"+"ag/")+6)+"tiqapp/ut"+"ag.v.js?a="+utag.cfg.utid+(utag.cfg.nocookie?"&nocookie=1":"&cb="+(new Date).getTime()),
    First-party domain code:
    if(w>0 && b["cp.utag_main__ss"]==1 && !utag.cfg.no_session_count) utag.ut.loader({
        src:""+utag.cfg.utid+"&cb="+(new Date).getTime(),
  4. Click Apply.

After all of these changes, save and publish to apply the changes to your site.

Tealium Collect

To use your first-party domain with Tealium EventStream or Tealium AudienceStream you need to update the data collection URL in your installation of Tealium Collect. For websites this means setting the Server field of the Tealium Collect tag. 

To update the Tealium Collect tag:

  1. Go to iQ Tag Management > Tags and expand the Tealium Collect tag.
  2. In the Server field, enter your first-party domain endpoint.
  3. Click Apply.

Collect for Mobile

For mobile apps you must override the dispatch URL in the Collect module.

Refer to the following settings to set your first-party domain endpoint: