SSL Certificate email-based Domain Validation

In order to issue an SSL certificate, the Certificate Authority has to validate the authenticity of the certificate order to ensure the request is legitimate and comes from an authorized owner of the domain. This process is called domain validation.

The goal of validation is to ensure the authenticity of a certificate order before issuing a new certificate. Specifically, before issuing the certificate, the Certificate Authority must be sure the domain listed in the certificate is registered and someone with admin rights is aware of and approves the certificate request.

Email-based domain validation is the most common certificate validation mechanism for domain-validated certificate orders. The certificate authority compiles a list of public emails associated with the domain, using common administrative emails (e.g. admin or webmaster), in combination with the public whois data for the domain.

Domain validation is a mandatory step: the Certificate Authority will not issue the certificate until the order has been validated.

The Certificate Authority relies only on public information. This is why you cannot use your account email to perform the validation, unless that address is publicly associated with the domain in its WHOIS record.

The process

The email validation process consists of a few steps:

  1. When you purchase a certificate, we show you the list of authoritative emails identified by the Certificate Authority for the domain associated with the certificate.
  2. You select an email from the list.
  3. The Certificate Authority sends a verification email (also called a DCV email) to that recipient, containing a unique link to approve the certificate and validate your domain ownership.
  4. You click the link to validate and approve the certificate. At this point the order is validated and the Certificate Authority generates the certificate.

Email requirements

The approval email cannot be an arbitrary email such as a customer-provided email or the email in your DNSimple account.

Remember: the goal of the validation process is to ensure that the certificate is requested by someone with admin rights on the domain. Therefore, the email must publicly and unequivocally identify the customer as the owner or administrator of the domain listed in the certificate.

The approval email typically can be sent to the following addresses, called administrative emails:

  • admin@example.com
  • administrator@example.com
  • hostmaster@example.com
  • postmaster@example.com
  • webmaster@example.com

Where example.com is the domain for the certificate being purchased.

Alternatively, the approval email can be sent to a different email address only if this is listed in the WHOIS information for the domain. In fact, this is the only way for the Certificate Authority to determine if an email is officially associated with a domain.

Email validation and WHOIS privacy

WHOIS privacy protection services are known to interfere with the delivery of the approval email. Be sure to temporarily disable the WHOIS privacy feature, or any other privacy protection service, until the certificate is issued.

If WHOIS privacy is enabled for the domain associated with the certificate, the privacy service's proxy address (e.g. wqyygglqlt@whoisprivacyprotect.com) will appear in the list of possible emails. However, delivery through the proxy is not guaranteed, and DNSimple has no control over the delivery of the validation email.

Disable any whois privacy service before proceeding.

Once you disable whois privacy it may take up to 24 hours for the email list to be refreshed, as the Certificate Authority may cache that information.
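The requirements in the two sections above (administrative mailboxes of the certificate's domain, or an address listed in WHOIS, with privacy-proxy addresses accepted but unreliable) can be expressed as a small check. The following Python is an added example, not DNSimple or Certificate Authority code: it builds the candidate approver list for a certificate name and verifies a proposed address against it. The set of privacy-proxy mailbox domains, the sample WHOIS contacts and the two-label rule for the registered domain are assumptions made for the example; a real implementation must use the Public Suffix List, so names under example.co.uk would be handled incorrectly here.

```python
# Added example (not part of the DNSimple article): model the approver-email
# constraints this page describes, so a requested address can be checked
# before submitting the certificate for validation.

# Administrative local parts the page lists as always acceptable for the
# certificate's domain.
ADMIN_LOCAL_PARTS = ("admin", "administrator", "hostmaster", "postmaster", "webmaster")

# Assumption: mailbox domains of WHOIS privacy services. Only the first one is
# quoted on the page; the set is illustrative, real services differ.
PRIVACY_PROXY_DOMAINS = {"whoisprivacyprotect.com", "privacyprotect.org"}

# Constructed sample WHOIS contact addresses for example.com: one real contact
# and one privacy-proxy address (the proxy address is the one the page quotes).
SAMPLE_WHOIS_EMAILS = ["DNS-Admin@example.com", "wqyygglqlt@whoisprivacyprotect.com"]


def registered_domain(cert_name: str) -> str:
    """Reduce a certificate name (www.example.com, *.example.com) to the domain
    whose administrative mailboxes and WHOIS record count for validation.

    Assumption: the registered domain is the last two labels. Real CAs use the
    Public Suffix List, so www.example.co.uk would map to example.co.uk; this
    simplification is wrong for such names.
    """
    name = cert_name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a usable host name: {cert_name!r}")
    return ".".join(labels[-2:])


def approver_candidates(cert_name: str, whois_emails):
    """Build the list of approver addresses the CA could send the DCV email to:
    the five administrative mailboxes of the registered domain, followed by
    every address found in the WHOIS record. Each entry records where it came
    from and whether it is a privacy-proxy mailbox (delivery not guaranteed)."""
    domain = registered_domain(cert_name)
    candidates = [
        {"email": f"{local}@{domain}", "source": "administrative", "privacy_proxy": False}
        for local in ADMIN_LOCAL_PARTS
    ]
    seen = {c["email"] for c in candidates}
    for raw in whois_emails:
        email = raw.strip().lower()
        if "@" not in email or email in seen:
            continue
        seen.add(email)
        mailbox_domain = email.rsplit("@", 1)[1]
        candidates.append({
            "email": email,
            "source": "whois",
            "privacy_proxy": mailbox_domain in PRIVACY_PROXY_DOMAINS,
        })
    return candidates


def check_approver(email: str, cert_name: str, whois_emails):
    """Return (accepted, reason) for a proposed approver address.

    An address is accepted only if it is one of the candidates above; an
    account or customer-supplied mailbox is rejected even when it is on the
    certificate's own domain."""
    wanted = email.strip().lower()
    for c in approver_candidates(cert_name, whois_emails):
        if c["email"] != wanted:
            continue
        if c["privacy_proxy"]:
            return True, "whois privacy proxy: delivery not guaranteed, disable WHOIS privacy and refresh the list"
        return True, c["source"]
    return False, "not an administrative mailbox of the domain and not listed in WHOIS"


if __name__ == "__main__":
    for cert in ("www.example.com", "*.example.com"):
        print(cert, "->", [c["email"] for c in approver_candidates(cert, SAMPLE_WHOIS_EMAILS)])
    for addr in ("Webmaster@example.com", "dns-admin@example.com",
                 "wqyygglqlt@whoisprivacyprotect.com", "me@example.com", "me@gmail.com"):
        print(addr, check_approver(addr, "www.example.com", SAMPLE_WHOIS_EMAILS))
```

Running the script shows the same list for www.example.com and *.example.com, accepts the administrative and WHOIS-listed addresses, accepts the privacy-proxy address with a warning, and rejects me@example.com and me@gmail.com, which is the behaviour the requirements above describe.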

Select the validation email address

You select the validation email when you purchase the certificate, from the list displayed in the configuration page. That list is compiled by the Certificate Authority according to the constraints documented above. If the email you want to use is not in the list, it does not meet those constraints: configure one of the administrative mailboxes for the domain, or add the address to the domain's WHOIS contacts (with WHOIS privacy disabled), then check the list again.

To select a validation email
  1. Read the list of all available approver emails.
  2. Choose the email address you want to use by clicking on it.
  3. Click Send Approver Email to configure and submit the certificate for validation.

If the approver you need is not in this list, or you need time to configure one of those mailboxes, you can close this page and come back later.

To select a validation email for a previously purchased certificate
  1. Log into DNSimple with your user credentials.
  2. Click on your avatar on the top-right, and on the drop-down menu select the account.
  3. On the top-nav menu click the tab, locate the relevant domain and click on the name to access the domain page.
  4. Scroll down to the list and click on the certificate.
  5. Click .
  6. Read the list of all available approver emails.
  7. Choose the email address you want to use by clicking on it.
  8. Click Send Approver Email to configure and submit the certificate for validation.

Change the validation email address

If you selected an incorrect email recipient, you can request that the email be changed, as long as the new address meets the requirements described above.

The certificate must be in the submitted state. If instead you still need to submit the certificate and the email address you want to use doesn't show up in the list, follow the instructions above to select a different email.

To change the approval email
  1. Read the requirements for the email address and make sure the recipient you want to use follows these rules.
  2. Contact us to change the approver email. Make sure you provide the fully-qualified certificate name (e.g. www.example.com, *.example.com) and the new email address to use.

Resend the validation email

If you haven't received the validation email, for example because the mailbox was not configured correctly at the time of submission, you can request that the email be resent.

To resend the validation email
  1. Log into DNSimple with your user credentials.
  2. Click on your avatar on the top-right, and on the drop-down menu select the account.
  3. On the top-nav menu click the tab, locate the relevant domain and click on the name to access the domain page.
  4. Scroll down to the list and click on the certificate.
  5. At the page, on the status line, look for the link to resend the approval email.
     If the link is not present, the certificate is in a state where the email cannot be resent (e.g. a certificate that is not yet submitted, or that has expired).
  6. Click the link and follow the procedure described in the page.