Home The Sell Sider CNAME Will Face The Same Fate As Third-Party Cookies. Then What?
OPINION: The Sell Sider

CNAME Will Face The Same Fate As Third-Party Cookies. Then What?

By AdExchanger Guest Columnist

SHARE:
Kevin Mullen, chief product officer at Roq.ad
Kevin Mullen Chief Product Officer

The Sell Sider” is a column written by the sell side of the digital media community.

Today’s column is written by Kevin Mullen, chief product officer at Roq.ad.

Update 1/19/23: This column originally named a company in a hypothetical example about how CNAME is used for identity resolution. Since that company doesn’t actually use CNAME, that company name has been updated to “IDco.”

We know the third-party cookie apocalypse is coming. Good. Cookie syncs are a pain.

One alternative approach is called domain sharing or CNAME access. Some of the largest, most well-established “universal identity” providers are relying on CNAME to magically transform a third-party cookie on a user’s browser into a first-party cookie.

CNAME was originally built to support single sign-on (SSO) tools, such as OneLogin and Okta, to allow a user to log in to multiple systems automatically. Until a couple of years ago, they were the only ones that used CNAME.

If you work for a company that supports SSO, you might notice that your initial login screen is actually on a page listed as “salesforce.okta.com.” That way, Okta can get full access to the browser and is able to log in the user to Salesforce securely. 

But with the rise of universal ID providers, there has been growing recognition that CNAME could fill the gap created by the loss of third-party cookies as a way to distribute those “universal IDs.” 

There’s a problem, though: CNAME access is likely to be deprecated, and it might happen quite soon – maybe even before third-party cookies are deprecated.

If CNAME access and third-party cookies go away, identity companies – and most of their clients and partners – are going to get hurt. 

Badly.

Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

Daily Roundup

Daily News Roundup

The Things We Carry; Tick Tock, We’re Waiting

The DL on CNAME

How exactly is CNAME access (aka domain sharing) used for identity resolution? 

Let’s say I’m the head of digital marketing at sfgate.com and I need identity resolution to serve relevant ads, so I go with an identity provider I’ll call IDco.
  1. I give IDco access with a redirect.
  2. I redirect everyone who lands on my site “idco.sfgate.com.” This gives IDco first-party cookie access.
  3. IDco can now read and write cookies because it “owns” the domain. (IDco can even read the third-party cookie they dropped six weeks ago.)
  4. IDco can read and write and distribute its IDco ID to sfgate.com.
  5. My site (sfgate.com) can continue to use the IDco ID in the bidstream.

Everyone is happy, right? 

But what some folks call “CNAME access,” other folks call “CNAME cloaking.”

WebKit, an open source web content engine that builds browser tools (and is the basis for Apple’s Safari browser), says they’ve built a way to give single sign-on providers access to the cookie store without using CNAME.

The new method uses third-party cookies instead, but only if the user is engaging with their login tool via the iframe that’s on that page.

WebKit’s proposal effectively removes the need for CNAME in the context of SSO. Why? Ask yourself: Who are the only other people using CNAME? 

Ad tech companies! Specifically, universal identity providers.

If the browser makers no longer need CNAME for SSO, do you think they’ll allow ad tech vendors to use it for their own purposes?

Actually, we don’t have to wonder, because Mozilla and Google have already told us they intend to close loopholes that allow the use of CNAME in passing universal IDs.

A rocky road ahead

Unless identity providers start making plans and building new features now, they’re in trouble. If there is no way to distribute those universal IDs to publishers, they will start slowly losing their universal ID audience as cookies churn and people get new devices.

And with no way to distribute the universal IDs to the new devices, the data pool passing through the bidstream will fall, too, generating less value for DSPs and advertisers … and, eventually, collapsing all of those universal identity players. 

Their publisher partners must succeed at getting email addresses directly if they want to survive. But most publishers won’t be able to get the logins and the emails they need, at least not at scale.

Outside of probabilistically matching IDs using machine learning, no one has an answer for what happens if (or, rather, when) CNAME goes away. That is why the time to start making plans for third-party cookie-less and CNAME-less identity resolution is now.

Follow Roq.ad (@Roqad_official) and AdExchanger (@adexchanger) on Twitter.

For more articles featuring Kevin Mullen, click here.

Must Read

Comic: No One To Play With
Privacy

Google Pulls The Plug On Topics, PAAPI And Other Major Privacy Sandbox APIs (As The CMA Says ‘Cheerio’)

Google’s aborted cookie crackdown ends with a quiet CMA sign-off and a sweeping phaseout of Privacy Sandbox technologies, from the Topics API to PAAPI.

Platforms

The Trade Desk’s Auction Evolutions Bring High Drama To The Prebid Summit

TTD shared new details about OpenAds features that let publishers see for themselves whether it’s running a fair auction. But tension between TTD and Prebid hung over the event.

Monopoly Man looks on at the DOJ vs. Google ad tech antitrust trial (comic).
antitrust

How Google Stands In The DOJ’s Ad Tech Antitrust Suit, According To Those Who Tracked The Trial

The remedies phase of the Google antitrust trial concluded last week. And after 11 days in the courtroom, there is a clearer sense of where Judge Leonie Brinkema is focused on, and how that might influence what remedies she put in place.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters
Marketers

The Ad Context Protocol Aims To Make Sense Of Agentic Ad Demand

The AI advertising agents will need their own trade group eventually. For now though, a bunch of companies are forming the Ad Context Protocol, or AdCP.

Digital Out-Of-Home

OUTFRONT Is Using Agencies’ AI Enthusiasm To Spur Wider Programmatic OOH Adoption

The desire for a data-driven reinvention of OOH inspired OUTFRONT to create agentic AI tools for executing and measuring OOH campaigns and comparing OOH to other channels.

Publishers

Inside PubDesk, The Trade Desk’s New Dashboard That Shows What Buyers Actually Care About

A peek inside PubDesk, The Trade Desk’s new dashboard that gives sellers detailed info on how buyers value their inventory.

Popular

  1. Comic: No One To Play With
    Privacy

    Google Pulls The Plug On Topics, PAAPI And Other Major Privacy Sandbox APIs (As The CMA Says ‘Cheerio’)

    Google’s aborted cookie crackdown ends with a quiet CMA sign-off and a sweeping phaseout of Privacy Sandbox technologies, from the Topics API to PAAPI.

  2. Comic: In The Media Mix
    Marketers

    MMM Isn’t As Scary As Marketers Think – But You’ve Got To Do It Right

    Deli meat company Land O’Frost has been leaning into a new MMM approach to figure out which opportunities it’s been overlooking – or even inhibiting.

  3. Marketers

    The Ad Context Protocol Aims To Make Sense Of Agentic Ad Demand

    The AI advertising agents will need their own trade group eventually. For now though, a bunch of companies are forming the Ad Context Protocol, or AdCP.

  4. Platforms

    The Trade Desk’s Auction Evolutions Bring High Drama To The Prebid Summit

    TTD shared new details about OpenAds features that let publishers see for themselves whether it’s running a fair auction. But tension between TTD and Prebid hung over the event.

  5. PODCAST: The Big Story

    Prebid, Meet OpenAds

    Shortly after Trade Desk CEO Jeff Green said the DSP would splinter off from Prebid, he showed up at the Prebid Summit. Then, at ScreenShift, we learn what the TV industry thinks about AI.