SaaS verification tokens

← Back to landing

Most SaaS vendors prove that you own a domain by having you publish a TXT record at the apex (e.g. google-site-verification=…). Those tokens stay in DNS long after onboarding, so by sweeping the apex TXT records of the Tranco top-1M we can map which SaaS products each domain has integrated. Unlike SPF, this catches apps that don't send mail at all (Notion, Figma, 1Password, Zoom…), which makes it an excellent complement to the SPF-based ESP map.

475,578domains with ≥1 SaaS token
distinct SaaS vendors detected
median tokens per domain
149token patterns in dictionary
2026-07-13scan date · 658,711 MX domains

1. Top SaaS vendors by verification-token count

Top 30 SaaS vendors ranked by the number of Tranco top-1M domains that publish their verification TXT.

2. SaaS density per domain

How many distinct SaaS vendors does each domain integrate? A long tail of SaaS-heavy domains tends to correlate with mid-to-large enterprises with many vendor relationships.

3. Region × vendor heatmap (top regions × top vendors)

Cell value = number of domains in that region using that vendor. Region is derived from TLD; "Global" is the bucket for gTLDs.

4. Token-only vs SPF-only Google & Microsoft adoption

A domain can publish a Google verification token (productivity: Drive, Calendar, Search Console) without routing mail through Google — and vice versa. The intersection of the two signals tells us about the depth of each integration.

Vendor Token only
(productivity / non-mail)
Both
(full integration)
SPF only
(mail-only)

Source: OpenINTEL forward-DNS Tranco snapshot (2026-07-13). Parser: parsers/saas_tokens.py. Token dictionary: dictionaries/verification_tokens.py. The dictionary is hand-curated — contributions for additional patterns are welcome. Lower-bound figures: SaaS that don't require a verification TXT (or use _-prefixed subdomains for verification) are not visible here.