Validate domains

📘
Beta
Hello. Just a note to let you know the underlying API on which this feature is built is in a beta state, so it's not vetted yet.
Because this functionality is also new to our Terraform provider, we've given it beta label to get your feedback to make sure it works like you need and expect.
Domain validation rollout timeline:

January 13, 2026: Enforcement begins for new customers.

February 23, 2026: Enforcement expands to all existing customers.

April 2026: Enforcement rollout is complete.

Prove ownership of new domains you onboard to Akamai before activating your property configuration. This prevents unauthorized use of hostnames on the Akamai network, which improves overall security.

What you'll do

Validate new domains and add them to your property.

You can validate your domains using one of these two workflows:

Pre-validation (recommended) when you validate domains before setting up a property. This covers exact hostname, domain, and wildcard validation scopes.

Domains managed inside the hostname bucket should be pre-validated.
Late-validation when you validate domains after defining them in the property.

Note: The late-validation workflow isn't yet supported in the Akamai Terraform provider, but we’re working to enable this feature in the future.

What you need

To validate your domains, you need a property and a DNS zone with its records if using the DNS_CNAME or DNS_TXT domain validation method.

You can export properties and a DNS zone with Terraform CLI.

Pre-validation

1. Add domains for validation

Initiate the domain validation with the akamai_property_domainownership_domains resource. Each domain entry needs to include its name and the scope within which you want to perform validation. It can be either:

HOST. The scope is only the exactly specified domain.
WILDCARD. The scope covers any hostname within one subdomain level.
DOMAIN. The scope covers any hostnames under the domain, regardless of the subdomain level.

Notes:

You can track up to 1,000 domains at once in that resource. If you want to track more, your action gets blocked. For optimal performance and a smoother user experience, keep the number of domains well below this limit.

If you provided multiple domains in the resource, some of them may be successfully added, while others defined in the same request may fail. In that case, Terraform will perform a rollback, which involves deleting all domains that were added successfully in that attempt. Later, you can re-add them.

When you create this resource with multiple domains, but some of them already exist, Terraform doesn't fail the creation, but starts tracking those domains in the resource.

If a domain, for example, example.com, marked as DOMAIN or WILDCARD is already validated, you can't add its subdomains, like a.example.com. That attempt will fail.

resource "akamai_property_domainownership_domains" "my-domains" {
  domains = [
    {
      domain_name      = "example.com"
      validation_scope = "HOST"
    },
    {
      domain_name      = "sub.example.com"
      validation_scope = "WILDCARD"
    }
  ]
}

After adding domains to track them for validation, their initial statuses are REQUEST_ACCEPTED.

The operation returns the challenge data for each domain. You need to complete the validation process in the time frame specified by the challenge data's expiry date.

Once the challenge data expires, the domain is marked as expired and deleted automatically. You can resubmit the domain to generate new challenge data and validate the domain. Once a validation is completed, it doesn’t expire, and you don’t need to revalidate the domain.

2. Update your DNS or HTTP server

Depending on the validation method you want to apply, either DNS_CNAME, DNS_TXT, or HTTP, use the domain's challenge details returned from the akamai_property_domainownership_domains resource to update your DNS configuration or HTTP server.

DNS CNAME

For the DNS_CNAME domain validation method:

Add a CNAME record to your DNS configuration in the _acme-challenge.domain-name format.

For example, for a domain called example.com, the record's name should be _acme-challenge.example.com.

Copy a given domain's validation_challenge.cname_record.target attribute value returned to you from the akamai_property_domainownership_domains resource. Then paste it to the CNAME record resource as the target.

resource "akamai_dns_record" "my-cname-record" {
    zone       = "example.com"
    name       = "_acme-challenge.example.com"
    recordtype = "CNAME"
    ttl        = 1800
    target     = ["ac.ab12c3defg45hijk678lmn9o.example.com.validate-akdv.net"]
}

DNS TXT

For the DNS_TXT domain validation method:

Add a TXT record to your DNS configuration in the _akamai-{host|wildcard|domain}-challenge.domain-name format. Include the host, wildcard, or domain part, depending on the validation scope of your domain.

For example, for a domain called example.com and the DOMAIN validation scope, the record's name should be _akamai-domain-challenge.example.com.
Copy a given domain's validation_challenge.txt_record.value attribute value returned to you from the akamai_property_domainownership_domains resource. Then paste it to the TXT record resource as the target. The target's format can be either "token=ab12c34….56d7E8f" or "ab12c34….56d7E8f".
```
resource "akamai_dns_record" "my-txt-record" {
    zone       = "example.com"
    name       = "_akamai-domain-challenge.example.com"
    recordtype = "TXT"
    target     = ["token=aB1cDE2f3G4h5iJKl67MnopQrs8tUwxY9"]
    ttl        = 3600
}
```

HTTP

It applies only to domains with the HOST validation scope.

For the HTTP domain validation method:

Create a file and paste a given domain's validation_challenge.http_file.content attribute value returned to you from the akamai_property_domainownership_domains resource.
Place the file on your HTTP server in the location specified by the domain's validation_challenge.http_file.path attribute value that you can find in the akamai_property_domainownership_domains resource. The last part of the URL must be the file name.

Alternatively, you can use a redirect to the domain's validation_challenge.http_redirect.to attribute value from the akamai_property_domainownership_domains resource. For example, https://validation.akamai.com/.well-known/akamai/akamai-challenge/<your-challenge-data>.

3. Validate domains

After updating your DNS configuration or HTTP server, use the akamai_property_domainownership_validation resource to validate your domains immediately. This skips the standard schedule of DOM background jobs (crons) and validates the domain straight away or after a short delay, depending on the number of requests in the queue.

You can validate up to 1,000 domains at once. However, for optimal performance and a smoother user experience, keep the number of domains well below this limit.

In the resource, specify the name and validation scope for each domain. Also, you can optionally specify a validation method for each one. If you don’t set a method but have completed the challenges correctly, each domain will be automatically validated.

When you create this resource with multiple domains, but some of them are already in the VALIDATED state, Terraform doesn't fail the creation, but starts tracking those domains in the resource.

resource "akamai_property_domainownership_validation" "my-validation" {
  domains = [
    {
      domain_name      = "sub.example.com"
      validation_scope = "HOST"
    },
    {
      domain_name      = "sub.example.com"
      validation_scope = "WILDCARD"
    }
  ]
}

The resource uses a polling mechanism to verify domains. The process is completed only when all domains are validated successfully. If a domain can't be validated, often because the challenge data wasn't set up correctly, you get an error. If the initial validation attempt fails, your domains remain in the VALIDATION_IN_PROGRESS status.

To check the validation statuses of your domains, run the akamai_domainownership_search_domains data source.

4. Add a hostname to a property version

Once your domains are validated, add them to the akamai_property resource and then run terraform apply to update your property.

resource "akamai_property" "my-property" {
  name          = "MyProperty"
  product_id    = "prd_Object_Delivery"
  contract_id   = "C-0N7RAC7"
  group_id      = "12345"
  rule_format   = "v2025-07-07"
  version_notes = "Sample notes"
  rules         = file("${path.root}/property-snippets/main.json")
  hostnames {
    cname_from             = "example.com"
    cname_to               = "example.com.edgekey.net"
    cert_provisioning_type = "DEFAULT"
  }
}

5. Activate your property

After validating your domains, activate your property to apply its settings to your site and its traffic. In the akamai_property_activation, specify the network of activation, STAGING or PRODUCTION, and the version you want to activate.

resource "akamai_property_activation" "my-staging-activation" {
  property_id                    = "prp_12345"
  contact                        = ["jsmith@example.com"]
  version                        = akamai_property.my_property.latest_version
  network                        = "STAGING"
  note                           = "Activating my property on staging"
  auto_acknowledge_rule_warnings = false
}

Other actions

Invalidate a domain

You can invalidate a domain with the akamai_property_domainownership_validation resource by removing its entry when it's no longer needed. For example, when you lose ownership of the domain or deactivate a property.

To retrieve an invalidated domain:

Re-add it to the akamai_property_domainownership_domains resource.
Set up new challenge data via a DNS or HTTP server.
Resubmit it for validation with the akamai_property_domainownership_validation resource.

Delete a domain

You can delete a domain from the akamai_property_domainownership_domains resource. If the domain is in the VALIDATED status and you want to remove it from the resource, Terraform first invalidates that domain.

If you want to use the deleted domain again:

Re-add it to the akamai_property_domainownership_domains resource.
Set up new challenge data via a DNS or HTTP server.
Resubmit it for validation with the akamai_property_domainownership_validation resource.

Import domains

When working with existing domains, you can import them.

Get a list of domains with the akamai_property_domainownership_domains data source to find the domains you want to import.
Export existing domains by passing a list of domains provided as a domain_name or domain_name:validation_scope separated by a comma in the export-domainownership command.
```
akamai terraform export-domainownership <domain_name>[:validation_scope][,<domain_name>[:validation_scope]...]
```
Notes:
- Each domain with a validation scope must exist as an FQDN (fully qualified domain name) for the export to succeed.
- If a domain doesn't have a validation scope, it should match only one type: HOST, DOMAIN, or WILDCARD.
- Domains with a domain status other than VALIDATED are exported as commented out for the akamai_property_domainownership_validation resource.
- You can export up to 1,000 domains at once.
- The names of the exported Terraform resources are taken from the first domain in the list. If that domain contains invalid characters, these characters are replaced with underscores in the resources’ names.
Run the included import script (import.sh) to populate your Terraform state and prevent Terraform from attempting to recreate your assets.

Updated about 15 hours ago

📘Beta