Instructions for authorizing a domain using Email Validation:
Before a Certificate Authority (CA) such as DigiCert, Entrust, etc. can issue a certificate, you must prove control over the domains and any SANs (Subject Alternative Names) on the order. We refer to this process as the Domain Control Validation (DCV) process, and it is the most common method of validation.
How to Use Email as the DCV Method for a Domain?
This will vary between certificate authorities, but for the most part the certificate authority will send an authorization email to the registered owners of the domains listed. They can also send the authorization email to the admin, administrator, webmaster, hostmaster, and postmaster accounts for each public domain. You must then visit the link provided to you in the email and follow the instructions on the page to verify that you control the domain (e.g., click a button).
Domain validation must be completed (links clicked and actions completed on web page [e.g., button clicked]) once for each domain, for each organization associated with the domain, and for each certificate brand associated with the domain. To locate emails, search your inbox for emails from the appropriate brands and for the domain names you are trying to validate.
There are three ways Email validation is conducted:
WHOIS-based Email validation:
For the WHOIS-based method, the CA sends an authorization email to the registered owners of the public domain as shown in the domain’s WHOIS record. Registered owners of the domain can be found at http://whois.icann.org/en
If you are expecting to receive an email at an address published in your domain’s WHOIS record, please verify that your registrar/WHOIS provider is not masking, privatizing or removing that information. If they are, find out if they provide a way (e.g., anonymized email address, web form) for you to allow CAs to access your domain’s WHOIS data.
Example of a Privatized WHOIS
Constructed Email Validation (Main Alternative Method of Email Validation):
Most of the time, WHOIS information is privatized, so authentication will not be able to find and validate the enrollee of the certificate. Constructed Email validation is the alternative method of domain validation when the WHOIS is privatized. For the Constructed Email method, the CA sends the authorization email to five constructed email addresses for the domain: admin, administrator, webmaster, hostmaster, and postmaster @[domain_name].
Example: Admin@domain.com, Webmaster@domain.com
When you register a domain, you must provide identifying and contact information (e.g., administrative and technical contacts). Instead of using a personal email address, you can also use one of the constructed email addresses for your domain (e.g., webmaster@yourdomain.com). Using one of the constructed email addresses allows you to create a “non-expiring” email address that you can add or remove people from when necessary.
To verify that you have control of the domain, you select which one of the email aliases the CA should send the Domain Control Validation (DCV) email to. If you do not have access to any of these email aliases, it is best to have your email network admin create one so that you can quickly validate that you are in control of the domain and get your SSL Certificate issued.
MX Records (Mail Exchanger Records):
Before we can successfully send an authentication email (DCV Email) to the domain owner (or domain controller), we must verify that an MX record (a resource record in the Domain Name System [DNS]) exists in the DNS records of the recipient’s domain name. The presence of valid MX records enables us to send the authentication email.
For example, suppose you want to receive your DCV email at admin@example.com, one of the constructed email addresses for example.com. To successfully send a DCV email to admin@example.com, we must first find an MX record for example.com that identifies the server (e.g., mailhost.example.com) set up to receive the emails destined for admin@example.com.
If we find an MX record, we can successfully send a DCV email to admin@example.com. If we don’t find an MX record, no DCV email is sent because we cannot identify the proper mail server.
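A pre-flight check for the constructed-address and MX requirements described above, as an added example that is not part of the original article or any CA's tooling. The function names, the alias mapping and the authorized set are hypothetical, the sample data is constructed, and the null-MX case (a single `0 .` record, RFC 7505) goes beyond what the page covers.

```python
# The five constructed local parts listed on this page.
CONSTRUCTED_LOCAL_PARTS = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")

def constructed_addresses(domain):
    """Return the five addresses a CA may send the DCV email to."""
    domain = domain.strip().rstrip(".").lower()
    return [f"{lp}@{domain}" for lp in CONSTRUCTED_LOCAL_PARTS]

def parse_mx(answer_text):
    """Parse `dig +short MX <domain>` output into sorted (preference, host) pairs."""
    records = []
    for line in answer_text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # skip blank lines and anything that is not "<pref> <host>"
        records.append((int(parts[0]), parts[1].lower()))
    return sorted(records)

def dcv_email_preflight(domain, mx_answer, aliases, authorized):
    """Report whether a DCV email can be delivered and who would receive it."""
    # aliases: address -> list of recipients, exported from the mail system (assumed format).
    # authorized: set of people allowed to approve certificate requests (assumed).
    mx = parse_mx(mx_answer)
    # A single "0 ." record is a null MX (RFC 7505): the domain accepts no mail.
    null_mx = mx == [(0, ".")]
    report = {"deliverable": bool(mx) and not null_mx,
              "mail_hosts": [] if null_mx else [h.rstrip(".") for _, h in mx],
              "usable": [], "missing": [], "unauthorized": {}}
    for addr in constructed_addresses(domain):
        recipients = set(aliases.get(addr, []))
        if not recipients:
            report["missing"].append(addr)  # alias does not exist or is empty
        elif recipients - authorized:
            # Anyone on this alias could click the approval link.
            report["unauthorized"][addr] = sorted(recipients - authorized)
        else:
            report["usable"].append(addr)
    return report

# Constructed sample data (not real DNS or mailbox output).
SAMPLE_MX = "20 backup.example.com.\n10 mailhost.example.com.\n"
SAMPLE_ALIASES = {"admin@example.com": ["alice"],
                  "webmaster@example.com": ["alice", "contractor"]}

if __name__ == "__main__":
    print(dcv_email_preflight("example.com", SAMPLE_MX, SAMPLE_ALIASES, {"alice"}))
```

An alias reported under `unauthorized` delivers the approval link to someone outside the approved set, so it should be cleaned up before that alias is chosen for DCV.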
If you’re still having problems validating your domain or need the DCV email resent, please contact Support.
For SSL Partner Center clients, please submit a support ticket by performing the following steps.
- Within your SSL Partner Center Dashboard, click Support > Submit a Ticket.
- On the Submit Ticket page, in the Related To drop-down, select Order Support > Authentication.
- Supply any helpful information related to the issue.
- Click Submit.
Your Support representative can resend the DCV email to the following people:
- Registered owners of the domains listed
- The admin, administrator, webmaster, hostmaster, and postmaster accounts for each public domain
When you receive the new DCV email, it should have the following information on it:
- The correct domain names
- A Support ID
- An embedded link used to complete the approval process (which must be clicked)
When you complete the email domain validation process, your DCV will be completed.
Other methods of validation:
- Website File Domain Control Validation:
This validation method requires you to demonstrate control over the website content for the domain by making a file available at the file location provided by your support representative. When a CA does a search for the specified URL on that domain, they can look for and confirm the presence of our verification token.
See Authentication/Orders Support: Domain Pre-Validation – Domain Control Validation via Website Control
- DNS TXT Validation:
With this validation method, you add a CA-generated token to the domain’s DNS as a TXT record. When the CA does a search for DNS TXT records associated with the domain, they can find a record where the record’s value includes the CA verification token.
See Authentication/Orders Support: Domain Pre-Validation – DNS TXT Validation.