Skip to main content
Domain verification proves that your organization owns the email domain used by your team members. This is a prerequisite for enabling SAML Single Sign-On (SSO) and other enterprise security features.
Domain verification is required before you can configure SAML SSO. Complete these steps first, then proceed to SAML SSO Setup.
Verified domains default to Enforced (Auto-Enroll) for Domain Capture, meaning users with matching email addresses will be automatically added to your workspace on their next login. Review the capture mode immediately after verifying your domain.

Prerequisites

Workspace Role

You must be a workspace owner or admin

DNS Access

Access to your organization’s DNS settings (Cloudflare, Route 53, GoDaddy, etc.)

Why Verify Your Domain?

Domain verification ensures that only authorized administrators can:
  • Configure Domain Capture to automatically invite or enroll users with your domain
  • Enable SAML SSO for users with your company email domain
  • Manage authentication settings for your organization
  • Control how team members access your Krea workspace

Step 1: Add Your Domain

1

Open Workspace Settings

Navigate to Workspace Settings ↗.You can also click your workspace avatar in the bottom-left corner of the sidebar, then select Settings.
2

Find Domain Management

Scroll down to the Domain Management section.Domain Management section
3

Add Your Domain

Type your company’s email domain (e.g., acme.com) in the input field and click Add Domain.
Use the domain portion of your employees’ email addresses. For example, if employees use user@acme.com, enter acme.com.

Step 2: Add DNS TXT Record

After adding your domain, Krea displays a verification token. Your domain will show as Pending until verified. Verification token You’ll see:
  • A success alert with the verification token (starting with krea-verification=)
  • Your domain listed with a Pending status
  • A copyable TXT record value
Copy the token exactly — including any special characters. Even a small typo will cause verification to fail.

DNS Record Details

FieldValue
TypeTXT
Host/Name@ (or leave blank, depending on your DNS provider)
Content/ValueThe verification token shown in the modal
TTL3600 (1 hour) or your provider’s default

Adding the Record by Provider

  1. Log in to Cloudflare Dashboard
  2. Select your domain
  3. Click DNS in the left sidebar
  4. Click Add record
  5. Set Type to TXT, Name to @, and paste the token in Content
  6. Click Save
Reference: Cloudflare DNS Documentation ↗

Step 3: Verify Your Domain

1

Return to Krea

Go back to the verification modal in Krea.
2

Click Verify Domain

Click the Verify Domain button.
3

Wait for Confirmation

Krea will check your DNS records. Once verified, you’ll see a success message.
DNS propagation can take anywhere from a few minutes to 72 hours. If verification fails, wait 5-10 minutes and try again.

Configure Domain Capture

Domain Capture controls what happens when a user with a matching verified email domain signs in to Krea. You can automatically add them to your workspace, prompt them to join, or take no action.

Capture Modes

ModeLabel in SettingsBehavior
OffDisabledUsers join only via direct admin invitation.
OptionalAuto-Invite EnabledUsers see a “Join Your Verified Workspace” modal. They can accept or dismiss it (re-prompted after 1 week).
EnforcedAuto-Enroll EnabledUsers are automatically added to your workspace on next login. Their active workspace switches automatically and they see a confirmation modal. No opt-out.
Default behavior: Newly verified domains default to Enforced (Auto-Enroll), meaning users with matching email domains will be automatically added to your workspace. Review and adjust the capture mode immediately after verifying a domain if this is not your desired behavior.

Setting the Capture Mode

1

Open Domain Management

Navigate to Workspace Settings ↗ and scroll to the Domain Management section.
2

Locate your verified domain

Find the domain you verified. Note that it defaults to Enforced (Auto-Enroll) immediately after verification.Domain capture mode picker
3

Select a capture mode

Use the radio buttons to choose Off, Optional (Auto-Invite), or Enforced (Auto-Enroll). Your selection is saved automatically.

Key Details

Multiple workspaces can verify the same email domain. Each workspace manages its own capture mode independently. A user matching multiple workspaces may be enrolled or prompted for each one.
Users who are already members of your workspace are not affected by Domain Capture. No duplicate invitations or enrollment actions occur.

Troubleshooting

  • Wait for propagation — DNS changes can take up to 72 hours (usually under 1 hour)
  • Verify your record — Use MXToolbox TXT Lookup to check if the record is visible
  • Check for typos — Ensure the verification token is copied exactly
  • Check the host field — Some providers want @, others want it blank, and some want your domain name
  • Check for duplicate records — Remove any old or duplicate TXT records
  • Verify the exact value — Some providers add quotes automatically; don’t add extra quotes
  • Try a different TTL — Lower TTL values (300 seconds) propagate faster
Contact your IT administrator or the person who manages your organization’s domain. They’ll need to add the TXT record for you.

Next Steps

Once your domain is verified and Domain Capture is configured, you can proceed to set up SAML SSO for centralized authentication:

SAML SSO Setup

Configure Single Sign-On for your Krea Enterprise workspace