On this page+
The actual work of setting up a custom branded short domain is one DNS record plus a settings change. Most of the time spent is waiting for DNS to propagate. The procedure is the same on Trakl, Bitly, Rebrandly, Short.io, and Dub, with minor variations in the target hostname.
Here is the procedure, the gotchas, and the test sequence to confirm it worked.
Step-by-step setup
- 01
Register the domain.
Namecheap, Cloudflare Registrar, or Porkbun. The exact registrar barely matters for shortener use. Cloudflare Registrar is cheapest for renewals because it charges at-cost. - 02
Find your shortener's CNAME target.
Each shortener tells you the target hostname to point your domain at. For Trakl, the target lives in the Pro tier custom-domain settings panel. For Bitly, it is in the Bitly account settings. The target hostname is provider-specific. - 03
Add a CNAME record at your DNS provider.
Type: CNAME. Name: @ (or 'apex' or just leave blank for the root). Target: the hostname your shortener gave you. TTL: 3600 (or auto). Save. - 04
Add the apex record if needed.
Some DNS providers do not allow CNAME on the root (the apex). In that case, you need an A or ALIAS record on the apex pointing to the shortener's IP, plus a CNAME for any subdomain. Cloudflare's CNAME flattening handles this transparently. AWS Route 53 has ALIAS records. Most modern DNS supports apex CNAME via flattening. - 05
Add the domain in the shortener.
Paste yourdomain.co into the shortener's custom-domain field. The shortener verifies DNS, kicks off SSL provisioning. Status moves from pending to active. - 06
Wait for SSL.
5 to 30 minutes for the certificate to issue. Refresh the status. Once active, the domain works. - 07
Test with one link.
Create a new short link in the shortener using the custom domain. Open it in an incognito window. Confirm it redirects correctly to your destination. Confirm the URL bar shows HTTPS with no warning. Confirm a hard refresh still works (no caching surprises).
That is it. From domain purchase to working short link, the elapsed time is about an hour, of which roughly five minutes is hands-on.
The four gotchas to avoid
1. Cloudflare flexible SSL mode.
If your DNS is on Cloudflare and you have Cloudflare's SSL mode set to "Flexible," your custom short domain will redirect through Cloudflare's edge with HTTP between Cloudflare and your shortener. Modern browsers flag this as insecure or block the redirect entirely. Slack's link unfurler refuses to preview these links.
The fix: Cloudflare → SSL/TLS → Set encryption mode to "Full (strict)." This is the correct mode for any modern web traffic that uses HTTPS end to end.
2. AAAA records pointing somewhere stale.
If you previously had the same domain pointing at a different service, leftover A or AAAA records can override your CNAME. DNS resolves to the most specific match. If you added a CNAME at the apex but an old A record still exists, the A record wins. Delete all old records before adding the CNAME.
3. CAA records that exclude your shortener's certificate authority.
A CAA (Certification Authority Authorization) record on your domain restricts which CAs can issue certificates for it. If you have a CAA record specifying only "letsencrypt.org" but your shortener uses Sectigo or DigiCert, the SSL provisioning fails silently.
The fix: either remove the CAA record, or add the CAs your shortener uses. Trakl uses Let's Encrypt; most modern shorteners do.
4. DNS provider TTL set absurdly high.
Some DNS providers default to 24-hour TTL, which means changes take a full day to propagate globally. Lower the TTL to 3600 (1 hour) before making the CNAME change, then raise it back to 86400 once the domain is stable. This shortens your debugging cycle if the first attempt does not work.
What to test once SSL is active
Three tests, in order:
- Direct in incognito. Open
https://yourdomain.co/<a-known-short-slug>in a private window. It should redirect to the destination. The URL bar should show a green padlock or "secure" indicator. - In a feed unfurl. Paste the short link into Slack, Notion, or any service that shows link previews. The preview should render correctly. If Slack refuses to unfurl, you have a TLS issue (most likely Cloudflare flexible mode).
- In an SMS message. If you plan to use SMS, send yourself one. Check whether the carrier (T-Mobile, Verizon, AT&T) blocks the message. Some still flag generic shorteners; branded domains usually pass. If yours does not, the domain reputation needs to build up over time, or the TLD is on a blocklist.
Picking the right TLD for a custom domain
Three good options:
.co(Colombia, but globally treated as a.comsubstitute). $20 to $30 per year. Reads as a business domain..link($10 per year). Designed for shorteners. Some spam filters score it slightly lower than .co or .com, but the gap has narrowed..io($30 to $40 per year). Reads as a tech-brand domain. Common in SaaS.
Avoid .click, .top, .xyz, .biz, .work, .gay. Higher spam-filter scores and lower CTR.
For a country-coded option, your country's ccTLD (.de, .uk, .com.au) works locally but reads less universally. If your audience is one country, this is fine. If your audience is global, stick to .co or .link.
What if my shortener does not support custom domains?
A few free or cheap shorteners do not support custom domains at all (TinyURL Free, the no-account form on Bitly). These are fine for personal use. For marketing, the upgrade path is to a tier that does support custom domains: Trakl Pro ($29/month), Bitly Core, Rebrandly's paid tiers, Short.io's free tier (one custom domain included), or Dub's free tier.
The piece on Bitly alternatives compares the custom-domain support across the major shorteners.
Domain hygiene over time
Two long-running concerns once the domain is live:
- Renewal. Set auto-renew at the registrar. Add the renewal date to a shared calendar. A lapsed branded short domain takes every link with it, which is a much worse outage than running out of postage.
- Slug uniqueness. As your team creates more vanity slugs, name collisions get more likely. A team norm: check the existing slug list before claiming a new vanity. Most shorteners (including Trakl) block duplicates server-side, but a soft-check by hand prevents the awkward "Oh, that's already in use" moment in a campaign brief review.
For the broader case for branded short links, the branded short links guide covers the math. For the case against custom slugs, vanity vs generic slugs is the read.
Frequently filed
Common questions.
Q.01How long does it take to set up a custom short domain?+
20 to 60 minutes, of which most is waiting for DNS to propagate and SSL to provision. The actual hands-on work is one CNAME record at your DNS provider plus pasting the domain into your shortener's settings.
Q.02Do I need a separate domain or can I use a subdomain of my main site?+
Either works. A separate domain is shorter (acme.co vs go.acme.com) and avoids any conflict with your main site's CDN or routing. A subdomain saves the cost of a second registration. Most marketing teams go with a separate, shorter domain for the brevity gain.
Q.03Why does my custom domain say "not secure" after setup?+
SSL certificate provisioning is asynchronous and takes 5 to 30 minutes after the CNAME record is in place. If it has been longer than that, the most common cause is using Cloudflare's "flexible" SSL mode, which conflicts with your shortener's HTTPS. Switch to "full (strict)" mode to fix.
By the byline
Trakl TeamEditorial team
We build Trakl, a link shortener and UTM tracker for marketing teams. We write here from the cleanup work, support tickets, and campaign reviews that fill the rest of our week. Specifics over slogans, and we cite the source.
Photo: Pietro Jeng on Unsplash
