diff --git a/CODEOWNERS b/CODEOWNERS index bd6678fa17..10f4f1e335 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,4 +1,7 @@ # These owners will be the default owners for everything in the repo. Unless a later match takes precedence, @pantheon-systems/docs-admins, as primary maintainers will be requested for review when someone opens a Pull Request. # Additional code owners can be added for specific paths. # For more information about CODEOWNERS files, refer to https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners -* @pantheon-systems/docs-admins \ No newline at end of file +* @pantheon-systems/docs-admins + +# The Platform-Edge-Routing team is responsible for connecting custom domains to Pantheon +source/content/guides/domains/ @pantheon-systems/platform-edge-routing diff --git a/source/content/custom-certificates.md b/source/content/custom-certificates.md index 6192e7e2e1..48f77295d8 100644 --- a/source/content/custom-certificates.md +++ b/source/content/custom-certificates.md @@ -82,8 +82,6 @@ As an alternative, you can also submit the certificate bundle to Pantheon Suppor Next, [add the domain to your environment](/guides/domains). - If you are presented with the option to **Verify your domain to provision HTTPS**, skip the verification by clicking **Skip to updating DNS**. - Once the certificate is in place, you will see the following under **Details** for your domain(s): ![Custom Certificate Confirmation](../images/dashboard/custom-cert-confirm.png) diff --git a/source/content/dns-providers/namecheap.md b/source/content/dns-providers/namecheap.md index 2e27bd395a..f0da113e81 100644 --- a/source/content/dns-providers/namecheap.md +++ b/source/content/dns-providers/namecheap.md 
@@ -33,8 +33,6 @@ When entering the value for the Name/Host, the bare domain and trailing dot ("." After completing the fields on the page, click **Verify Ownership**. -You can click **Skip without HTTPS** to skip verification. By skipping, vistors to your site will receive a browser warning until Pantheon automatically provisions HTTPS, which can take approximately one hour after going live. - ## Configure DNS Records on Namecheap ### A Record diff --git a/source/content/guides/domains/05-custom-domains.md b/source/content/guides/domains/05-custom-domains.md index 37653b7397..c1c165a697 100644 --- a/source/content/guides/domains/05-custom-domains.md +++ b/source/content/guides/domains/05-custom-domains.md @@ -53,9 +53,15 @@ Note that each custom domain is counted regardless of the environment to which i 1. Select the method you prefer, and follow the instructions. Note that the values are randomized for security. -1. Click **Verify Ownership** to confirm, or to skip HTTPS provisioning for now, click **Skip without HTTPS**: +1. Click **Verify Ownership** to confirm: - ![Verify domain ownership for HTTPS by DNS or by uploading a file to an existing site](../../../images/dashboard/verify-domain-ownership.png) + + + If you have a wildcard domain pointed at Pantheon and you have a valid use case to skip this verification for your sub-domains (although it is recommended to prevent domain takeovers), you may request an exemption to skip the verification by contacting Pantheon Support via chat or [ticket](/guides/support/support-ticket/). + + + + ![Verify domain ownership for HTTPS by DNS or by uploading a file to an existing site](../../../images/dashboard/verify-domain-with-remove-button.png) It might take 30 minutes or more for DNS records to propagate, depending on your DNS host and your domain's TTL values. If you encounter issues after 30 minutes, check some of the following: 
@@ -77,6 +83,31 @@ Note that each custom domain is counted regardless of the environment to which i - Note that if the Platform detects a CNAME record, the **Status** will show `Remove this detected record` on the line with the CNAME. Remove the CNAME from the DNS management service to avoid potential issues or interruptions. +## FAQ +### I have existing custom domains which were previously connected and launched prior to the enforcement of Domain Verification, will those be impacted? +No. Any custom domains previously added or launched will not require explicit domain verification. However, if any of those domains are deleted by the customer and then re-added, the process of re-addition (whether to the same environment or any other environment) will trigger domain verification. + +### Is pre-provisioning HTTPS now a requirement to connect a custom domain? +Yes. Skipping HTTPS provisioning is no longer an option. + + +### Is Wild Card DNS routing supported by Domain Verification? +Pantheon does not allow wild card domains to be directly added as a custom domain. Customers may point wildcard domains (eg: *.example.com) in their own DNS to Pantheon, but are still required to have specific domains (eg: mysite.example.com) added and connected to specific environments on Pantheon. + +### How can I know which domains are still pending ownership verification ? +For any domain that has been added that is pending verification, clicking on the "Details" button in the Domains list page for that domain will take you to another page where you can put in the information required to verify ownership for that domain. If the ownership of the domain has been already verified, the detail page will instead show the DNS records you need to update in your authoritative DNS to point to Pantheon, as well as the status of HTTPS provisioning. In other words, if your domain is not verified, we will require you to provide the necessary information to verify ownership first. 
+ +You can get a high-level status view for all custom domains connected to a given environment via Terminus using the [`domain:dns` command](/terminus/commands/domain-dns). Domains that are pending verification will have the "pending verification" status returned as part of the Terminus `domain:dns` command. + +### Can I opt-out of Domain Verification for a given custom domain? +We do not recommend opting out of domain verification for custom domains because it increases the risk of domains being taken over or hijacked. If you have a specific reason to exclude domains from domain verification (for example, for subdomains belonging to a WordPress Multisite for which domain verification is not feasible for a specific reason) you may reach out to Pantheon Support via chat or [ticket](/guides/support/support-ticket/) + + +### Can I opt-out of Domain Verification for all domains connected to a given site, or across a given professional workspace? +We do not provide such an opt-out mechanism by default. If you have a specific reason to exclude domains from domain verification (for example, for subdomains belonging to a WordPress Multisite for which domain verification is not feasible for a specific reason) you may reach out to Pantheon Support via chat or [ticket](/guides/support/support-ticket/) + + + ## More Resources - [DNS](/guides/domains/dns) diff --git a/source/content/guides/domains/08-domain-hijacking.md b/source/content/guides/domains/08-domain-hijacking.md index 61072cac03..5d577db9b3 100644 --- a/source/content/guides/domains/08-domain-hijacking.md +++ b/source/content/guides/domains/08-domain-hijacking.md 
@@ -21,6 +21,8 @@ Domain Name Server (DNS) hijacking is a type of DNS attack in which bad actors s ## How to Avoid DNS Hijacking +Pantheon requires you to validate ownership of your custom domains at the time of adding domains to Pantheon sites. For the specific steps on adding custom domains, see [Add a Custom Domain](/guides/domains/custom-domains#add-a-custom-domain). Validating ownership (which is now enforced) would ensure that your custom domains will not be taken over by bad actors. + ### Clear DNS Records Before Removing Unused Subdomains When removing unused sites, delete the corresponding A or CNAME records with your DNS provider. @@ -45,4 +47,4 @@ Open a chat or [ticket](/guides/support/support-ticket/) to report a subdomain t - [Enforce HTTPS + HSTS](/pantheon-yml#enforce-https--hsts) - [Secure Development on Pantheon](/guides/secure-development) -- [Pantheon Security](/guides/security) \ No newline at end of file +- [Pantheon Security](/guides/security) diff --git a/source/content/guides/getstarted/08-launch.md b/source/content/guides/getstarted/08-launch.md index c1d3848fd3..9541bb4503 100644 --- a/source/content/guides/getstarted/08-launch.md +++ b/source/content/guides/getstarted/08-launch.md 
@@ -47,7 +47,7 @@ After you've done that, connect your DNS: 1. Verify ownership by adding a new DNS TXT value or by uploading a file to a specific URL. Select the method you prefer, and follow the instructions. Note that the values are randomized for security. -1. Click **Verify Ownership** to confirm, or to skip HTTPS provisioning for now, click **Skip without HTTPS**. It can take 30 minutes or more for DNS records to propagate, depending on your DNS host and your domain's TTL values. +1. Click **Verify Ownership** to confirm. It can take 30 minutes or more for DNS records to propagate, depending on your DNS host and your domain's TTL values. 1. Open a new tab or browser window, and copy the **Required Values** to your [DNS](/guides/domains/dns) provider. If you see a message like "Waiting for HTTPS, DNS records will be provided when HTTPS provisioning completes.", wait one minute, then refresh the page. @@ -79,4 +79,4 @@ You can run diagnostics at [Let's Debug](https://letsdebug.net/) if you are havi -Your site is now live at the domain you have purchased! \ No newline at end of file +Your site is now live at the domain you have purchased! diff --git a/source/content/guides/launch/04-domains.md b/source/content/guides/launch/04-domains.md index 6d0ca155f3..7479b83a79 100644 --- a/source/content/guides/launch/04-domains.md +++ b/source/content/guides/launch/04-domains.md 
@@ -34,7 +34,13 @@ The steps below will guide you through the process of migrating a site onto Pant 1. Verify ownership by adding a new DNS TXT value or by uploading a file to a specific URL. Select the method you prefer, and follow the instructions. Note that the values are randomized for security. -1. Click **Verify Ownership** to confirm, or to skip HTTPS provisioning for now, click **Skip without HTTPS**. +1. Click **Verify Ownership** to confirm. + + + + If you have a wildcard domain pointed at Pantheon and you have a valid use case to skip this verification for your sub-domains (although it is recommended to prevent domain takeovers), you may request an exemption to skip the verification by contacting Pantheon Support via chat or [ticket](/guides/support/support-ticket/). + + It can take 30 minutes or more for DNS records to propagate, depending on your DNS host and your domain's TTL values. If you encounter issues after 30 minutes, check the following: diff --git a/source/images/dashboard/verify-domain-with-remove-button.png b/source/images/dashboard/verify-domain-with-remove-button.png new file mode 100644 index 0000000000..f1de58b477 Binary files /dev/null and b/source/images/dashboard/verify-domain-with-remove-button.png differ
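Review bot: in the CODEOWNERS hunk, the new line `source/content/guides/domains/ @pantheon-systems/platform-edge-routing` will stop @pantheon-systems/docs-admins from being auto-requested on PRs that touch the domains guide, because (as the file's own header comment says) a later match takes precedence over the `*` rule. If both teams should review those pages, list both owners on the new line: `source/content/guides/domains/ @pantheon-systems/platform-edge-routing @pantheon-systems/docs-admins`. Note also that two files changed in this same PR, custom-certificates.md and dns-providers/namecheap.md, sit outside that path and remain docs-admins only.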
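Review bot: in the custom-certificates.md hunk, removing the "Skip to updating DNS" sentence leaves the page silent about the verification prompt that readers will now hit when they add the domain, so the step reads as if nothing has changed. Suggest replacing the deleted line with a pointer rather than deleting outright, e.g. "You will be asked to verify ownership of the domain before HTTPS is provisioned; see [Add a Custom Domain](/guides/domains/custom-domains#add-a-custom-domain)."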
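Review bot: in the first 05-custom-domains.md hunk, the added parenthetical "(although it is recommended to prevent domain takeovers)" is ambiguous: placed right after "skip this verification", the "it" reads as recommending the skip. Suggest "(verification is recommended because it prevents domain takeovers)" and, since the same paragraph is added verbatim in guides/launch/04-domains.md, apply the same fix there or move the text into a shared partial so the two copies cannot drift. The surrounding `+ ` lines also carry trailing whitespace that linters will flag.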
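Review bot: in the FAQ hunk of 05-custom-domains.md, the two opt-out questions ("for a given custom domain" and "for all domains connected to a given site...") end with the identical sentence about contacting Support, and both answers stop after the `[ticket](...)` link with no period; merge them into one question or have the second cross-reference the first. Smaller consistency points in the same hunk: "Wild Card" in the heading vs "wildcard" in the answer body, "eg:" should be "e.g.,", "verification ?" has a stray space before the question mark, and `## FAQ` needs a blank line before the first `###` heading.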
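Review bot: in the 08-domain-hijacking.md hunk, "Validating ownership (which is now enforced) would ensure that your custom domains will not be taken over by bad actors" overstates the control: the FAQ added in this same PR says previously connected domains are not re-verified and that Support can grant exemptions, and the very next section of this page covers stale A/CNAME records left behind after a site is removed, which verification at add time does not address. Suggest "Validating ownership, which is now enforced, reduces the risk of a custom domain being claimed by another Pantheon site", and "at the time of adding domains" reads better as "when you add domains".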
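Review bot: the binary hunk adds source/images/dashboard/verify-domain-with-remove-button.png and 05-custom-domains.md switches its image reference to it, but the previously referenced verify-domain-ownership.png is not removed in this diff. Check whether any other page still embeds the old screenshot (it showed the now-removed "Skip without HTTPS" button) and delete it if it is orphaned, so an outdated UI image does not linger in the repo.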