// Trust & routing

Your domain. Your gallery.

A custom domain is one of the quietest trust signals in client delivery: the URL bar matches the brand clients already know from invoices, contracts, and Instagram bios. Holdstill maps your hostname to gallery routing with automatic TLS provisioning, renewal monitoring, and diagnostics that translate DNS jargon into actionable steps. We treat hostname hygiene as ongoing stewardship, not a one-time checkbox: expiry windows, certificate transparency logs, and redirect loops are monitored so small regressions do not compound into client-facing embarrassment.

When your registrar changes portals or silently tightens CAA policies, our diagnostics highlight the delta in language you can forward to IT, and we keep previous successful record sets on file so comparisons do not rely on memory after a long travel week. If you operate multiple environments — production, preview, marketing — we colour-code bindings in the workspace so humans never approve a certificate for the wrong stack during a late-night renewal. We also surface benign double-issuance noise so you do not wake the whole studio when someone clicks renew twice in the registrar UI. We maintain a living playbook of registrar quirks our team has seen in the wild.

This page covers why domains matter for phishing resistance, how we handle apex versus subdomain choices, certificate lifecycle, performance and caching headers, EU data residency interplay, multi-environment studios, rollback strategies, and support expectations when registrars misbehave.

01 Why custom domains matter beyond vanity

Guests receive dozens of vendor links during a wedding season. A consistent hostname trains them to recognise legitimate communications and reduces successful phishing that impersonates generic file hosts. Corporate clients increasingly ask for named subdomains in security questionnaires; answering “yes” with a clean TLS posture is faster than attaching screenshots of browser trust chains every quarter.

02 Subdomain versus apex trade-offs

Most studios choose galleries.yourstudio.com because it isolates gallery traffic from marketing CMS changes and simplifies certificate issuance. Apex domains (yourstudio.com) are supported where DNS providers allow ALIAS/ANAME patterns or proxied fronts; we document the exact records per registrar because ambiguity here causes the most support churn. We help you pick a structure that survives future marketing site migrations without breaking client bookmarks.

03 TLS issuance, renewal, and transparency

Certificates are provisioned automatically once DNS propagates correctly. We monitor expiry windows and re-issue before deadlines even when CAs change root bundles. HTTP Strict Transport Security can be enabled with sensible max-age defaults once you confirm no legacy HTTP dependencies remain. We log issuance events so enterprise security teams can reconcile against their SIEM if required.

04 DNS records explained plainly

You will see CNAME or ALIAS targets, occasional TXT challenges for ownership verification, and optional CAA records if your security policy constrains which CAs may issue. Our UI shows live resolution checks from multiple vantage points so you know whether the issue is TTL lag or a typo. We never ask for your registrar password — ownership stays yours.

05 Performance, CDN, and caching

Custom domains ride the same global edge and image optimisation stack as on-platform hostnames; we do not silently downgrade you to a slower tier. Cache headers respect gallery updates so clients see fresh selects without you flushing CDN paths manually. Large originals still download efficiently; previews stay snappy on mobile networks common at venues.

06 EU residency and data location promises

Mapping a custom domain does not relocate processing to opaque jurisdictions. Our EU hosting commitments remain in force; the hostname is routing and presentation, not a data laundering trick. DPIA text you attach to clients can reference the same subprocessors as before, with the addition of your branded hostname as a client-visible endpoint.

07 Email alignment and deliverability

Branded domains in the gallery URL bar pair well with SPF, DKIM, and DMARC policies on your sending domain. We do not send email from your custom gallery hostname without separate configuration — that separation avoids accidental spam reputation bleed — but we document how to align headers and footer copy so clients perceive one brand system.

08 Multi-studio and white-label considerations

Studios with multiple trading names can map additional hostnames where plans allow, each with isolated default branding presets. Permissions ensure only authorised seats approve new domain bindings. If you operate franchise-style brands, we help you avoid accidental cross-tenant routing during DNS cutovers.

09 Cutover planning and rollback

We recommend low-TTL rehearsal windows, staged traffic shifts, and explicit rollback triggers if marketing teams need to revert quickly. Holdstill keeps previous bindings in history so you can restore known-good states without opening a panic thread. Migration concierge can own this choreography if your calendar is unforgiving.

10 Monitoring and incident response

Automated probes detect certificate failures, misconfigured redirects, and mixed-content warnings that undermine trust. Alerts route to your workspace contacts with suggested remediation copy for registrars. We publish status updates during platform-wide events so you are not guessing whether a spike in errors is local DNS or upstream.

11 Security boundaries

Custom domains do not grant elevated access to other tenants. Hostname verification is mandatory before we serve traffic; we reject typosquatting attempts that do not prove control. If a domain lapses at your registrar, we detach routing safely to prevent hijackers from serving content under your former trust signal.

12 Support and realistic timelines

Most setups complete within hours once DNS is correct; global TTL propagation can stretch longer. Email hello@holdstill.app with your intended hostname, registrar name, and whether you need apex or subdomain. Attach any corporate security questionnaire early — we answer technical items candidly so procurement does not become a surprise gate after you have already promised clients a date.

13 Canonical hostnames, www, and redirect hygiene

Search engines and bookmarks care whether you standardise on www or bare hostnames. We help you pick a canonical pattern and issue predictable 301 chains so duplicate content signals do not split ranking between variants. Mixed-case hostnames and accidental double slashes in marketing PDFs are normalised defensively where safe so clients land on the same trusted URL every time.

14 Certificate transparency logs and proactive anomaly detection

Public certificate transparency logs help the ecosystem catch mis-issuance early. We monitor CT streams relevant to your hostnames and alert if an unexpected certificate appears outside our controlled issuance pipeline — a strong signal of registrar compromise or DNS hijack in progress. Combined with redirect-loop detection and mixed-content sentries, you get defence in depth beyond a green padlock icon. None of this replaces your own security hygiene, but it narrows the window where an attacker could convincingly impersonate your delivery domain before you notice.
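The unexpected-certificate check described above, as an added example that is not Holdstill's own code: it compares certificate transparency entries for a monitored hostname against a record of certificates the issuance pipeline actually requested. The entry format, issuer names, serials and function names are constructed assumptions.

```python
"""Flag CT log entries for monitored hostnames that our own pipeline did not issue."""


def san_covers(san: str, hostname: str) -> bool:
    """True if a certificate SAN (exact or single-label wildcard) covers hostname."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if san.startswith("*."):
        # A wildcard matches exactly one left-most label, never the bare parent.
        head, _, parent = hostname.partition(".")
        return bool(head) and parent == san[2:]
    return san == hostname


def unexpected_certificates(entries, monitored_hosts, issued):
    """Return entries covering a monitored host whose (issuer, serial) is not in `issued`.

    `issued` holds (issuer, lower-case hex serial) pairs from the issuance log.
    """
    seen, alerts = set(), []
    for entry in entries:
        key = (entry["issuer"], entry["serial"].lower())
        if key in seen:  # precertificate and final certificate share a serial
            continue
        seen.add(key)
        hit = sorted(h for h in monitored_hosts
                     if any(san_covers(s, h) for s in entry["sans"]))
        if hit and key not in issued:
            alerts.append({"serial": key[1], "issuer": key[0], "hosts": hit})
    return alerts


# Constructed sample data (hypothetical issuers and serials, not real CT records).
ISSUED = {("Example CA R1", "0a1b2c")}
MONITORED = {"galleries.yourstudio.com"}
CT_ENTRIES = [
    {"issuer": "Example CA R1", "serial": "0A1B2C", "sans": ["galleries.yourstudio.com"]},
    {"issuer": "Example CA R1", "serial": "0a1b2c", "sans": ["galleries.yourstudio.com"]},
    {"issuer": "Other CA X9", "serial": "ff01", "sans": ["*.yourstudio.com"]},
    {"issuer": "Other CA X9", "serial": "ff02", "sans": ["blog.yourstudio.com"]},
    {"issuer": "Other CA X9", "serial": "ff03", "sans": ["*.galleries.yourstudio.com"]},
]

if __name__ == "__main__":
    for alert in unexpected_certificates(CT_ENTRIES, MONITORED, ISSUED):
        print("ALERT", alert)
```

The wildcard entry is the case worth noticing: a certificate for `*.yourstudio.com` never names the gallery hostname, yet it covers it, so a monitor that matches only exact names would miss it.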