1Password SaaS Manager

How 1Password uses DNS for Account Governance

To get started with Account Governance, add a TXT record to your DNS settings so 1Password can safely transfer credential ownership from team members to administrators. This is required only once for your domain. If you haven’t added a TXT record yet, you’ll be guided through the steps in 1Password SaaS Manager when you take ownership of an account.

DNS and verification data

When you set up Account Governance in 1Password SaaS Manager, your device generates a new public/private keyset. 1Password uses the private key to sign group encryption keys used during the credential transfer process and the public key to verify their signatures. During setup, 1Password provides your public key as a DNS TXT record value, and you publish it in your domain’s DNS records. This makes your domain the source of truth for the verification key that 1Password clients trust.

When a 1Password client needs to use group encryption keys, it downloads the group encryption keys and their signatures from 1Password servers and independently retrieves the public verification key from your domain. The client uses the public key to cryptographically verify that the server-provided data matches what you published during setup, confirming the group encryption keys are authentic and unmodified.

1Password designed key verification to rely on DNS because DNS is infrastructure that you or a trusted third party control. By keeping the verification key out of 1Password infrastructure, 1Password clients can verify group encryption keys and take specific actions independently of the influence of 1Password servers, even in the event of a server compromise. This design prevents 1Password, or an attacker with access to its infrastructure, from changing which keys clients trust.

Protecting DNS lookups

1Password clients use DNS-over-HTTPS to protect the security and privacy of DNS lookups required for key verification. DNS-over-HTTPS encrypts DNS queries using HTTPS and authenticates public DNS resolvers using publicly issued TLS certificates. This means 1Password clients connect only to the intended DNS resolvers, and DNS responses cannot be observed or modified in transit. This approach prevents network-level observers or attackers from learning which domains are being queried and limits visibility of your information or 1Password account configuration to the DNS resolver.

1Password clients always query multiple independent public DNS resolvers. This reduces reliance on any single provider and strengthens resistance to outages, compromises, and coercion. Because DNS resolvers operate independently, in different geographic regions and legal jurisdictions, a temporary outage or failure at one provider doesn’t disrupt key verification. Requiring agreement across multiple DNS resolvers also increases resistance to advanced threat actors and legally coerced attacks by preventing any single entity from influencing verification results.

As of December 2025, 1Password clients use four public resolvers across the regions where 1Password operates.
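As an added illustration of the client-side check described above (this is not 1Password's code; the Ed25519 signature scheme, the TXT value being the base64 public key, the three-of-four resolver quorum and the constructed sample data are all assumptions), the following Go program plays the setup step, then verifies a group encryption key only when the resolver answers agree and the signature checks out under the DNS-published key:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// agreedTXT accepts a TXT value only when at least quorum resolvers returned it
// byte-for-byte; a resolver that failed or timed out simply contributes no answer.
func agreedTXT(answers []string, quorum int) (string, error) {
	counts := map[string]int{}
	for _, a := range answers {
		if counts[a]++; counts[a] >= quorum {
			return a, nil
		}
	}
	return "", errors.New("no TXT value reached resolver quorum")
}

// verifyGroupKey is the client check: decode the public key from the agreed TXT
// value and verify the signature that was downloaded alongside the group key.
func verifyGroupKey(answers []string, quorum int, groupKey, sig []byte) error {
	txt, err := agreedTXT(answers, quorum)
	if err != nil {
		return err
	}
	pub, err := base64.StdEncoding.DecodeString(txt) // assumed TXT layout: bare base64 key
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed verification key in TXT record")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), groupKey, sig) {
		return errors.New("group key signature does not verify under DNS-published key")
	}
	return nil
}

// setupFixture uses constructed data: generate the keyset, sign a group key, return the TXT value.
func setupFixture() (txt string, groupKey, sig []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	groupKey = []byte("constructed group encryption key bytes")
	return base64.StdEncoding.EncodeToString(pub), groupKey, ed25519.Sign(priv, groupKey)
}

func main() {
	txt, groupKey, sig := setupFixture()
	fmt.Println(verifyGroupKey([]string{txt, txt, txt}, 3, groupKey, sig)) // fourth resolver timed out; prints <nil>
}
```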
