How can I select a different SSL certificate domain validation email?
Table of Contents
In order to issue an SSL certificate, the Certificate Authority has to validate that the issue request is legitimate, and comes from an authorized owner of the domain. This process is called domain validation.
Email-based domain validation is the most common certificate validation mechanism for domain-validated certificate orders.
This article explains how to use a different email for validating your SSL certificate order, in case your email is not visible in the list generated by the Certificate Authority.
If you are not familiar with the email validation process, please read the email validation article before proceeding to the next section.
What email can I use?
The approval email cannot be an arbitrary email such as a customer-provided email or the email in your DNSimple account.
Remember: the goal of the validation process is to ensure that the certificate is requested by someone with admin rights on the domain. Therefore, the email must publicly and inequivocally identify the customer as the owner or administrator of the domain listed in the certificate.
The approval email typically can be sent to the following addresses:
- a generic administrative email, such as
firstname.lastname@example.org(see email requirements for domain validation for the full list)
- the email address listed in the public WHOIS record for the domain
There are no other alternatives. You can’t use your account email or any other email, unless this is visible in the public WHOIS record for the domain.
Select a different validation email address
Before proceeding, take a moment to read the email requirements for domain validation to understand the goal of the certificate validation and how it works. It’s important to remember that, as described above in this article, the list of authoritative emails is generated by the Certificate Authority based on the email addresses publicly associated with the domain attached to the certificate.
If you want to submit your certificate to the Certificate Authority for approval but none of the provided email addresses are working, then you have a few options:
Temporarily configure one of the email addresses in the list (either as a full mailbox or as an alias/forward to an existing mailbox). If the domain doesn’t have any email service associated and you manage the DNS with us, you can use our email forwarding service to quickly create an email for
email@example.com forward it to a personal or private email.
If you want to use the email associated with the domain, but it is not visible, make sure you have the whois privacy temporarily turned off for the domain.
If you want to use the email associated with the domain, the whois privacy is off but the email is still not visible, run a WHOIS query for the domain and make sure the email is visible in the WHOIS record. If it’s not, then you cannot use that email.
Some registries (such as the .IO, .UK, .BR) do not disclose registrant email therefore it’s not possible to select the registrant email for a certificate purchased for one of these TLDs. In this case, you will have to use one of the other solutions above.
If you want to use a different email address either from the same domain or a different one, update the WHOIS record for the domain to include the email address in at least one of the WHOIS contact (e.g. registrant/owner, technical contact or admin contact). Once updated, run a WHOIS query for the domain and make sure the email is visible in the WHOIS record. If it’s not, then you cannot use that email.
Email validation and GDPR
Due to the new privacy rules enacted by GDPR on May 25th 2018, most registrars are now hiding or masking email addresses in the WHOIS records. This prevents the Certificate Authority from being able to verify you are in control of the domain to issue your certificate.
As a result, you can no longer use a custom email address listed in the WHOIS to validate a certificate if the registrar/registry doesn’t disclose the contact information.