AWS Certificate Manager
User Guide (Version 1.0)

Configure Email for Your Domain

After you have registered a domain name, use your registrar's website to associate your contact addresses with it. The registrar enters the contact email addresses into the WHOIS database and enters one or more mail servers into the mail exchanger (MX) records of a DNS server. ACM sends validation email to the contact addresses and to five common administrative addresses formed from your MX record. ACM sends up to eight validation emails every time you create a new certificate, renew a certificate, or request new validation mail. The validation email contains instructions for confirming that the domain owner or an appointed representative approves of the ACM Certificate. For more information about validation, see Validate Domain Ownership.

WHOIS Database

The WHOIS database contains contact information for your domain. To validate your identity, ACM sends an email to the following three addresses in WHOIS. You must make sure that your contact information is public or that email that is sent to an obfuscated address is forwarded to your real email address.

  • Domain registrant

  • Technical contact

  • Administrative contact

MX Record

When you register your domain, your registrar sends your mail exchanger (MX) record to a Domain Name System (DNS) server. An MX record indicates which servers accept mail for your domain. The record contains a fully qualified domain name (FQDN). You can request a certificate for apex domains or subdomains.

For example, if you request a certificate for abc.xyz.example.com, ACM first tries to find the MX record for that subdomain. If that record cannot be found, ACM performs an MX lookup for xyz.example.com. If that record cannot be found, ACM performs an MX lookup for example.com. If that record cannot be found or there is no MX record, ACM chooses the original domain for which the certificate was requested (abc.xyz.example.com in this example) and sends email to the following five common system administration addresses for the domain or subdomain.

  • administrator@domain

  • hostmaster@domain

  • postmaster@domain

  • webmaster@domain

  • admin@domain

ACM always sends validation email to the five common addresses listed above.
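The lookup order described above, as an added example that is not part of the original guide and is not ACM's own code. It models DNS with a constructed MX table and assumes the five addresses are formed at the name where the MX lookup succeeds; the function names and the `apex` parameter (the registered domain at which the walk stops) are hypothetical.

```python
# Added illustration of the MX fallback walk; names and data are hypothetical.
COMMON_LOCAL_PARTS = ("administrator", "hostmaster", "postmaster",
                      "webmaster", "admin")

# Constructed sample data standing in for live DNS answers.
SAMPLE_MX = {"example.com": ["mail.example.com"]}


def candidate_domains(requested, apex):
    """Return the requested name followed by each parent, ending at the apex."""
    requested = requested.lower().rstrip(".")
    apex = apex.lower().rstrip(".")
    if requested != apex and not requested.endswith("." + apex):
        raise ValueError(f"{requested!r} is not inside {apex!r}")
    labels = requested.split(".")
    # Stop at the registered domain so the walk never queries the TLD itself.
    stop = len(labels) - len(apex.split("."))
    return [".".join(labels[i:]) for i in range(stop + 1)]


def mail_domain(requested, apex, mx_records):
    """Return the first name in the walk that has an MX record.

    Falls back to the originally requested name when no level has one,
    as the guide describes.
    """
    for name in candidate_domains(requested, apex):
        if mx_records.get(name):  # a missing or empty entry means "no MX"
            return name
    return requested.lower().rstrip(".")


def validation_addresses(requested, apex, mx_records):
    """List the five common administrative addresses for the chosen name.

    Assumption: the addresses are formed at the name returned by mail_domain.
    """
    domain = mail_domain(requested, apex, mx_records)
    return [f"{local}@{domain}" for local in COMMON_LOCAL_PARTS]


if __name__ == "__main__":
    for addr in validation_addresses("abc.xyz.example.com", "example.com",
                                     SAMPLE_MX):
        print(addr)
```

Running the walk against your own zone data shows which mailboxes must exist and be monitored before you request or renew a certificate.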

Troubleshooting Validation Email

Consult the following topics if you have problems with your validation email.

New Certificate Requests

A common problem occurs when you attempt to create a new certificate. Some registrars allow you to hide your contact information in your WHOIS listing. Others allow you to substitute your real email address with a privacy (or proxy) address. This prevents you from receiving validation email at your registered contact addresses.

To receive mail, ensure that your contact information is public in WHOIS, or if your WHOIS listing shows a privacy email address, ensure that email sent to the privacy address is forwarded to your real email address. After your WHOIS setup is complete and as long as your certificate request has not timed out, you can choose to resend the validation email. ACM performs a new WHOIS/MX lookup and sends validation email to your now public contact address.

Certificate Renewals

A related problem occurs during the renewal process. If you made your WHOIS information public when you requested a new certificate and then later obfuscated your information, ACM cannot retrieve your registered contact addresses when you attempt to renew your certificate. ACM sends validation email to these contact addresses and to five common administrative addresses formed by using your MX record. To address this problem, make your WHOIS information public again and resend the validation emails. ACM performs a new WHOIS/MX lookup and sends validation email to your now public contact addresses.

WHOIS Throttling

Sometimes ACM is unable to contact the WHOIS server even after you have sent multiple requests for validation email. This problem is external to AWS. That is, AWS does not control the WHOIS servers and cannot prevent WHOIS server throttling. If you experience this problem, create a case at the AWS Support Center for help with a workaround.