AT Protocol handles are domains. There are two verification methods: a DNS TXT record (e.g. _atproto.<domain>) or a file at a well-known HTTPS path; both must return the account's DID. An early bug appeared when the HTTP method launched: someone verified as Amazon by creating an S3 bucket named to match and serving the required file. The fix tightened the HTTP method to the well-known path. Using a recognizable domain (e.g. cnn.com) doubles as self-verification, since only that organization could publish the record.
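
The two checks described above, as an added example that is not code from the original page or from the AT Protocol project: it derives both lookup targets from the handle alone, with the HTTPS path fixed, and compares each method's published value to the account's DID. The `did=` TXT prefix and the `/.well-known/atproto-did` path come from the AT Protocol handle specification; the function names, the simplified regexes and the sample DID are assumptions of this example.

```python
import re

# Simplified syntax checks (assumptions of this example, not the full spec grammar).
HANDLE_RE = re.compile(r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{0,62}")
DID_RE = re.compile(r"did:[a-z]+:[A-Za-z0-9._:%-]+")
WELL_KNOWN_PATH = "/.well-known/atproto-did"  # fixed path; never taken from input


def lookup_targets(handle):
    """Return (TXT name, HTTPS URL) derived only from the handle, or None if malformed."""
    h = handle.strip().lower().rstrip(".")
    if not HANDLE_RE.fullmatch(h):
        return None  # rejects '/', ':', '@': the handle cannot steer the lookup elsewhere
    return f"_atproto.{h}", f"https://{h}{WELL_KNOWN_PATH}"


def did_from_txt(values):
    """Extract the DID from TXT values; None if absent, malformed or conflicting."""
    dids = {v[len("did="):] for v in values if v.startswith("did=")}
    if len(dids) != 1:
        return None
    did = dids.pop()
    return did if DID_RE.fullmatch(did) else None


def did_from_https(status, body):
    """Extract the DID from the well-known response; only a 200 with a bare DID counts."""
    did = body.strip()
    return did if status == 200 and DID_RE.fullmatch(did) else None


def check_handle(handle, account_did, txt_values, https_response):
    """Report, per method, whether the published value equals the account's DID."""
    if lookup_targets(handle) is None:
        return {"dns": False, "https": False}
    return {
        "dns": did_from_txt(txt_values) == account_did,
        "https": did_from_https(*https_response) == account_did,
    }


# Constructed sample data (not real records).
DID = "did:plc:exampleexampleexample123"
print(lookup_targets("News.Example.com"))
print(check_handle("news.example.com", DID, [f"did={DID}"], (200, DID + "\n")))
print(check_handle("news.example.com", DID, ["v=spf1 -all"], (200, "<html>not a DID</html>")))
```

The DNS and HTTPS fetches are left to the caller, so the comparison logic can be tested against captured responses.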