AWS Certificate Manager
User Guide (Version 1.0)

Configure Email for Your Domain

After you have registered a domain name, use your registrar's website to associate your contact addresses with it. The registrar enters the contact email addresses into the WHOIS database and enters one or more mail servers into the mail exchanger (MX) records of a DNS server. ACM sends validation email to the contact addresses and to five common administrative addresses formed from your MX record. ACM sends up to eight validation emails every time you create a new certificate, renew a certificate, or request new validation mail. The validation email contains instructions for confirming that the domain owner or an appointed representative approves of the ACM Certificate. For more information about validation, see Validate Domain Ownership. If you have trouble with validation email, see Troubleshoot Email Problems.

WHOIS Database

The WHOIS database contains contact information for your domain. To validate your identity, ACM sends an email to the following three addresses in WHOIS. You must make sure that your contact information is public or that email that is sent to an obfuscated address is forwarded to your real email address.

  • Domain registrant

  • Technical contact

  • Administrative contact

MX Record

When you register your domain, your registrar sends your mail exchanger (MX) record to a Domain Name System (DNS) server. An MX record indicates which servers accept mail for your domain. The record contains a fully qualified domain name (FQDN). You can request a certificate for apex domains or subdomains.

For example, if you use the console to request a certificate for, ACM first tries to find the MX record for that subdomain. If that record cannot be found, ACM performs an MX lookup for If that record cannot be found, ACM performs an MX lookup for If that record cannot be found or there is no MX record, ACM chooses the original domain for which the certificate was requested ( in this example) and sends email to the following five common system administration addresses for the domain or subdomain.

  • administrator@your_domain_name

  • hostmaster@your_domain_name

  • postmaster@your_domain_name

  • webmaster@your_domain_name

  • admin@your_domain_name

If you are using the RequestCertificate API or the request-certificate AWS CLI command, AWS does not perform an MX lookup. Instead, RequestCertificate allows you to specify both your domain name and the name of a validation domain. If you specify the optional ValidationDomain parameter, AWS sends the preceding five emails there rather than to your domain.

ACM always sends validation email to the five common addresses listed above whether you are using the console, the API, or the AWS CLI. However, AWS performs an MX lookup only when you use the console to request a certificate.

On this page: