SSL Certificate email-based Domain Validation

Table of Contents


In order to issue an SSL certificate, the Certificate Authority has to validate the authenticity of the certificate order to ensure the request is legitimate and comes from an authorized owner of the domain. This process is called domain validation.

The goal of validation is to ensure the authenticity of a certificate order before issuing a new certificate. Specifically, before issuing the certificate, the Certificate Authority must be sure the domain listed in the certificate is registered and someone with admin rights is aware of and approves the certificate request.

Email-based domain validation is the most common certificate validation mechanism for domain-validated certificate orders. The certificate authority compiles a list of public emails associated with the domain, using common administrative emails (e.g. admin or webmaster), in combination with the public WHOIS data for the domain.

The domain validation is a mandatory step, the Certificate Authority will not issue the certificate if the order has not been validated.

The Certificate Authority only uses public information, therefore it’s not possible to use your account email to perform the validation, unless the email is publicly associated to the domain in the WHOIS record.

The process

The email validation process consists of a few steps:

  1. When you purchase a certificate, we show you a list of authoritative emails identified by the Certificate Authority for the domain associated with the certificate
  2. You select an email from the list.
  3. The Certificate Authority sends a verification email (also called DCV email) to the recipient with a unique link to approve the certificate and validate your domain ownership.
  4. You click on the link to validate and approve the certificate. At this point the certificate’s authenticity is validated and the authority will generate it.

Email requirements

The approval email cannot be an arbitrary email such as a customer-provided email or the email in your DNSimple account.

The goal of the validation process is to ensure that the certificate is requested by someone with admin rights on the domain. Therefore, the email must publicly and unequivocally identify the customer as the owner or administrator of the domain listed in the certificate.

The approval email typically can be sent to the following addresses, called administrative emails:

  • admin@example.com
  • administrator@example.com
  • hostmaster@example.com
  • postmaster@example.com
  • webmaster@example.com

Where example.com is the domain for the certificate being purchased.

Email validation and WHOIS privacy

Whois Privacy Protection services are known to interfere with the delivery of the approval email. Be sure to temporarily disable the Whois Privacy feature or any another privacy protection service until the certificate is issued.

If the Whois Privacy is enabled for the domain associated with the certificate, the privacy email (e.g. wqyygglqlt@whoisprivacyprotect.com) will be included in the list of possible emails to be used. However, it’s not guaranteed that the delivery will be successful and DNSimple has no control over the delivery of the validation email.

Disable any whois privacy service before proceeding.

Once you disable Whois Privacy it may take up to 24 hours for the email list to be refreshed, as the Certificate Authority may cache that information.

Email validation and GDPR

Due to the new privacy rules enacted by GDPR on May 25th 2018, most registrars are now hiding or masking email addresses in the WHOIS records. This prevents the Certificate Authority from being able to verify you are in control of the domain to issue your certificate.

As a result, you can no longer use a custom email address listed in the WHOIS to validate a certificate. You will have to use one of the administrative emails provided by the Certification Authority.

Select the validation email address

You select the validation email when you purchase the certificate. You can use one of the emails available in the list displayed in the configuration page, selected by the Certificate Authority and based upon the constraints documented above. What if the validation email you want to use is not included in this list?

To select a validation email
  1. Read the list of all available approver emails.

  2. Choose the email address you want to use by clicking on it.
  3. Click Send Approver Email to configure and submit the certificate for validation.

If the approver is not in this list or you need time to configure one of those emails, you can also close this page and come back later.

To select a validation email for a previously purchased certificate
  1. Log into DNSimple with your user credentials.
  2. If you have more than one account, select the relevant one.
  3. On the header click the tab, locate the relevant domain and click on the name to access the domain page.
  4. Scroll down to the list and click on the certificate.

    Locating your certificate

  5. Click .

  6. Read the list of all available approver emails.

  7. Choose the email address you want to use by clicking on it.
  8. Click to configure and submit the certificate for validation.

Change the validation email address

If you selected an incorrect email recipient, you can request the email to be changed as long as the email address meets the requirements described above.

The certificate must be in the submitted state. If instead you still need to submit the certificate and the email address you want to use doesn’t show up in the list, then follow the instructions to select a different email.

To change the approval email
  1. Read the requirements for the email address and make sure the recipient you want to use follow these rules.

  2. Contact us to change the approver email. Make sure you provide the fully-qualified certificate name (e.g. www.example.com, *.example.com) and the new email address to use.

Resend the validation email

If you haven’t received the validation email, for example because the email configuration was incorrect at the time of the submission, you can request the email to be resent.

To resend the validation email
  1. Log into DNSimple with your user credentials.
  2. If you have more than one account, select the relevant one.
  3. On the header click the tab, locate the relevant domain and click on the name to access the domain page.
  4. Scroll down to the list and click on the certificate.

    Locating your certificate

  5. At the page, on the status line, look for the link to resend the approval email.

    Resending your approval email

    If the link is not present, it means the certificate is in a status where the email cannot be resent (e.g. a not submitted or expired certificate).

  6. Click the link and follow the procedure described in the page.