When you set up a custom domain as your Bluesky handle, the platform must verify that you control the domain. If verification fails, Bluesky displays the error “Invalid Handle” and reverts your display name to the default username.bsky.social format. This problem usually occurs because the required DNS TXT record is missing, incorrect, or not yet propagated across the internet. This article explains the exact cause of the verification failure and provides the step-by-step steps to resolve it.
Key Takeaways: Fix Invalid Handle for Bluesky Custom Domain
- DNS TXT record at
_atproto.<yourdomain.com>: Bluesky reads this record to confirm domain ownership; a missing or mistyped record causes the Invalid Handle error. - DNS propagation delay: Changes to TXT records can take up to 48 hours to spread; checking too early shows the error.
- Bluesky Settings > Account > Handle: The menu where you enter the custom domain and trigger re-verification after DNS is updated.
Why Bluesky Shows Invalid Handle for a Custom Domain
Bluesky uses a decentralized protocol called AT Protocol. When you assign a custom domain as your handle, Bluesky does not store your domain. Instead, it reads a DNS TXT record that you must publish at a specific subdomain: _atproto.yourdomain.com. This record contains a string that proves you control the domain.
If the TXT record is missing, contains a typo, or points to the wrong value, Bluesky cannot verify ownership. The system then marks the handle as invalid and reverts to the default username.bsky.social handle. DNS propagation delays also cause a temporary Invalid Handle state even when the record is correct.
What the AT Protocol DNS Record Looks Like
The exact TXT record format required is:
Host: _atproto.yourdomain.com TXT Value: did=did:plc:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
The did= prefix and the full DID string must match exactly what Bluesky provides in your account settings. A missing colon, extra space, or wrong DID string will cause the Invalid Handle error.
Steps to Fix the Invalid Handle Error
Follow these steps in order. Do not skip the DNS propagation check.
- Log in to your DNS provider
Open the control panel for the domain registrar or DNS hosting service where your domain is managed. Common providers include Cloudflare, GoDaddy, Namecheap, Google Domains, and AWS Route 53. - Locate the DNS management section
Find the area labeled DNS Records, Zone File, or Advanced DNS. The exact name varies by provider. - Delete any existing
_atprotoTXT record
If you previously attempted this setup, remove any old TXT record for the host_atproto. Stale records with wrong values prevent verification. - Add a new TXT record
Create a new record with these exact values:- Type: TXT
- Host/Name:
_atproto(or_atproto.yourdomain.comdepending on provider) - Value:
did=did:plc:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx— replace the placeholder with your actual DID - TTL: 300 (5 minutes) or the lowest value allowed for faster propagation
- Copy your Bluesky DID from the account settings
Go to Bluesky Settings > Account > Handle. Click “I have my own domain.” The page displays your DID string. Copy it exactly, including thedid:plc:prefix. - Wait for DNS propagation
DNS changes are not instant. Wait at least 15 minutes, but propagation can take up to 48 hours. To check if the record is visible globally, use a free DNS lookup tool like whatsmydns.net or dig from a terminal:dig TXT _atproto.yourdomain.com. - Return to Bluesky and trigger re-verification
In Bluesky Settings > Account > Handle, enter your full custom domain (for example,yourdomain.com). Click “Save” or “Update.” Bluesky will immediately attempt to read the TXT record. If the record is visible, your handle updates within seconds. - Confirm the handle change
Your profile page now shows the custom domain as your handle. The error message disappears. If it does not, proceed to the next section.
If Bluesky Still Shows Invalid Handle After the Main Fix
The DNS record is present but Bluesky still shows Invalid Handle
This usually means the TXT value is incorrect. Open the DNS record and compare the entire value string against the DID shown in Bluesky Settings. Common mistakes include:
- Missing the
did=prefix - Typing
did:twice (for example,did=did:did:plc:...) - Including a trailing space or newline character
- Using a different DID from an old account
Correct the record, save, wait 15 minutes, and trigger re-verification again in Bluesky Settings.
Propagation has not reached Bluesky servers
Even if a DNS lookup tool shows the record as visible from your location, Bluesky may query a different DNS resolver that has not yet updated. Wait 2 to 4 hours and try again. If the error persists after 48 hours, the record is almost certainly wrong.
You used a subdomain instead of the root domain
Bluesky supports custom domains at any level: yourdomain.com, blog.yourdomain.com, or user.yourdomain.com. However, the TXT record must be placed at the exact subdomain you intend to use. If you want the handle blog.yourdomain.com, the TXT record host must be _atproto.blog.yourdomain.com. A mismatch between the record host and the handle you enter in Bluesky Settings causes the Invalid Handle error.
Your DNS provider uses CNAME flattening or proxy
Some providers like Cloudflare offer a proxy (orange cloud) that can interfere with TXT record resolution. For the _atproto record, disable any proxy or CDN acceleration. Set the record to DNS Only (gray cloud on Cloudflare).
Bluesky Custom Domain vs Default Handle: Key Differences
| Item | Custom Domain Handle | Default bsky.social Handle |
|---|---|---|
| Format | yourdomain.com or subdomain | username.bsky.social |
| Ownership proof | DNS TXT record at _atproto subdomain | None (Bluesky owns the domain) |
| Verification failure state | Reverts to default handle | No failure possible |
| Portability | You can move your identity to another AT Protocol service | Tied to Bluesky |
| Setup time | 5 minutes plus DNS propagation | Instant |
The table above shows that a custom domain gives you identity portability but requires careful DNS management. The default handle is simpler but locks your identity to Bluesky.
You now know why the Invalid Handle error appears and how to fix it with the correct DNS TXT record. After verification, your custom domain handle remains active as long as the DNS record stays published. To avoid future issues, set a long TTL of 86400 seconds (24 hours) after the initial verification succeeds. This reduces the chance of accidental record deletion during DNS changes.