Menu
AWS Certificate Manager
User Guide (Version 1.0)

(Optional) Configure Email for Your Domain

Note

The following steps are required only if you use email validation to assert that you own or control the FQDN (fully qualified domain name) specified in your certificate request. ACM requires that you validate ownership or control before it issues a certificate. You can use either email validation or DNS validation. For more information about email validation, see Use Email to Validate Domain Ownership.

If you are able to edit your DNS configuration, we recommend that you use DNS domain validation rather than email validation. DNS validation removes the need to configure email for the domain name. For more information about DNS validation, see Use DNS to Validate Domain Ownership.

Use your registrar's website to associate your contact addresses with your domain name. The registrar adds the contact email addresses to the WHOIS database and adds one or more mail servers to the mail exchanger (MX) records of a DNS server. If you choose to use email validation, ACM sends email to the contact addresses and to five common administrative addresses formed from your MX record. ACM sends up to eight validation email messages every time you create a new certificate, renew a certificate, or request new validation mail. The validation email contains instructions for confirming that the domain owner or an appointed representative approves the ACM Certificate. For more information, see Use Email to Validate Domain Ownership. If you have trouble with validation email, see Troubleshoot Email Problems.

WHOIS Database

The WHOIS database contains contact information for your domain. To validate your identity, ACM sends an email to the following three addresses in WHOIS. You must make sure that your contact information is public or that email that is sent to an obfuscated address is forwarded to your real email address.

  • Domain registrant

  • Technical contact

  • Administrative contact

MX Record

When you register your domain, your registrar sends your mail exchanger (MX) record to a Domain Name System (DNS) server. An MX record indicates which servers accept mail for your domain. The record contains a fully qualified domain name (FQDN). You can request a certificate for apex domains or subdomains.

For example, if you use the console to request a certificate for abc.xyz.example.com, ACM first tries to find the MX record for that subdomain. If that record cannot be found, ACM performs an MX lookup for xyz.example.com. If that record cannot be found, ACM performs an MX lookup for example.com. If that record cannot be found or there is no MX record, ACM chooses the original domain for which the certificate was requested (abc.xyz.example.com in this example). ACM then sends email to the following five common system administration addresses for the domain or subdomain:

  • administrator@your_domain_name

  • hostmaster@your_domain_name

  • postmaster@your_domain_name

  • webmaster@your_domain_name

  • admin@your_domain_name

If you are using the RequestCertificate API operation or the request-certificate AWS CLI command, AWS does not perform an MX lookup. Instead, RequestCertificate lets you specify both your domain name and the name of a validation domain. If you specify the optional ValidationDomain parameter, AWS sends the preceding five email messages there rather than to your domain.

ACM always sends validation email to the five common addresses listed previously whether you are using the console, the API, or the AWS CLI. However, AWS performs an MX lookup only when you use the console to request a certificate.

On this page: