Using Email to Validate Domain Ownership
Before the Amazon certificate authority (CA) can issue a certificate for your site, AWS Certificate Manager (ACM) must verify that you own or control all of the domains that you specified in your request. You can perform verification using either email or DNS. This topic discusses email validation. For information about DNS validation, see Using DNS to Validate Domain Ownership.
Email-validated certificates are renewable, but must be re-issued with a new domain validation after 825 days.
If you encounter problems using email validation, see Troubleshoot Email Validation Problems.
Validation applies only to public certificates issued by AWS Certificate Manager (ACM). ACM does not validate domain ownership for imported certificates or for certificates signed by a private CA.
Public ACM certificates can be installed on Amazon EC2 instances that are connected to a Nitro Enclave, but not to other Amazon EC2 instances. For information about setting up a stand-alone web server on an Amazon EC2 instance not connected to a Nitro Enclave, see Tutorial: Install a LAMP web server on Amazon Linux 2 or Tutorial: Install a LAMP web server with the Amazon Linux AMI.
ACM sends email messages to the three contact addresses listed in the WHOIS database and to five common system addresses for each domain that you specify. That is, up to eight email messages will be sent for every domain name and subject alternative name that you include in your request. For example, if you specify only one domain name, you will receive up to eight email messages. To validate, you must act on one of these eight messages within 72 hours. If you specify three domain names, you will receive up to 24 messages. To validate, you must act on at least three of these emails, one for each name that you specified, within 72 hours.
Email messages are sent to the following three registered contact addresses in WHOIS:
-
Domain registrant
-
Technical contact
-
Administrative contact
Some registrars allow you to hide your contact information in your WHOIS listing, and others allow you to substitute your real email address with a privacy (or proxy) address. To prevent problems with receiving the domain validation email from ACM, ensure that your contact information is visible in WHOIS. If your WHOIS listing shows a privacy email address, ensure that email sent to that address is forwarded to your real email address. Or simply list your real email address instead.
If you use the console to request a certificate, ACM performs an MX lookup to
determine which servers accept email for your domain and sends mail to the following
five common system addresses for first domain found. If you use the RequestCertificate API or the
request-certificate
AWS CLI command, ACM does not perform an MX lookup. Instead, it sends email to
the
domain name you specify in the DomainName
parameter or in the optional
ValidationDomain
parameter. For more information, see MX Record.
-
administrator@
your_domain_name
-
hostmaster@
your_domain_name
-
postmaster@
your_domain_name
-
webmaster@
your_domain_name
-
admin@
your_domain_name
For more information about how ACM determines the email addresses for your domains, see (Optional) Configure Email for Your Domain.
There is an exception to the process described above. If you request an ACM
certificate for a domain name that begins with www
or a wild
card asterisk (*
), ACM removes the leading
www
or asterisk and sends email to the administrative
addresses. These addresses are formed by prepending admin@, administrator@,
hostmaster@, postmaster@, and webmaster@ to the remaining portion of the domain
name. For example, if you request an ACM certificate for www.example.com, email
is
sent to admin@example.com rather than to admin@www.example.com. Likewise, if you
request an ACM certificate for *.test.example.com, email is sent to
admin@test.example.com. The remaining common administrative addresses are similarly
formed.
Ensure that email is sent to the administrative addresses for an apex domain, such
as example.com
, rather than to the administrative addresses for a
subdomain, such as test.example.com
. To do that, specify the
ValidationDomain
option in the RequestCertificate API or
the request-certificate AWS CLI command. This feature is not currently
supported when you use the console to request a certificate.
Even when all messages are sent to a single email address, you must respond to one message for each domain or subdomain in order to validate it and generate the certificate.