(Optional) Configure email for your domain - AWS Certificate Manager

(Optional) Configure email for your domain


The following steps are required only if you use email validation to assert that you own or control the FQDN (fully qualified domain name) specified in your certificate request. ACM requires that you validate ownership or control before it issues a certificate. You can use either email validation or DNS validation. For more information about email validation, see Email validation.

If you are able to edit your DNS configuration, we recommend that you use DNS domain validation rather than email validation. DNS validation removes the need to configure email for the domain name. For more information about DNS validation, see DNS validation.

Use your registrar's website to associate your contact addresses with your domain name. The registrar adds the contact email addresses to the WHOIS database and adds one or more mail servers to the mail exchanger (MX) records of a DNS server. If you choose to use email validation, ACM sends email to the contact addresses and to five common administrative addresses formed from your MX record. ACM sends up to eight validation email messages every time you create a new certificate, renew a certificate, or request new validation mail. The validation email contains instructions for confirming that the domain owner or an appointed representative approves the ACM Certificate. For more information, see Email validation. If you have trouble with validation email, see Troubleshoot email validation problems.

WHOIS database

The WHOIS database contains contact information for your domain. To validate your identity, ACM sends an email to the following three addresses in WHOIS. You must make sure that your contact information is public or that email that is sent to an obfuscated address is forwarded to your real email address.

  • Domain registrant

  • Technical contact

  • Administrative contact

MX record

When you register your domain, your registrar sends your mail exchanger (MX) record to a Domain Name System (DNS) server. An MX record indicates which servers accept mail for your domain. The record contains a fully qualified domain name (FQDN). You can request a certificate for apex domains or subdomains.

For example, if you use the console to request a certificate for abc.xyz.example.com, ACM first tries to find the MX record for that subdomain. If that record cannot be found, ACM performs an MX lookup for xyz.example.com. If that record cannot be found, ACM performs an MX lookup for example.com. If that record cannot be found or there is no MX record, ACM chooses the original domain for which the certificate was requested (abc.xyz.example.com in this example). ACM then sends email to the following five common system administration addresses for the domain or subdomain:

  • administrator@your_domain_name

  • hostmaster@your_domain_name

  • postmaster@your_domain_name

  • webmaster@your_domain_name

  • admin@your_domain_name


You can override the domain to which your validation messages are sent. If you use the ResendValidationEmail API operation or the resend-validation-email AWS CLI command, AWS does not perform an MX lookup. Instead, you provide both your registered domain name and the name of a custom validation domain, and AWS sends the preceding five email messages to the validation domain rather than to your registered domain.

ACM always sends validation email to the five common addresses listed previously whether you are using the console, the API, or the AWS CLI. However, AWS performs an MX lookup only when you use the console to request a certificate.

If you do not receive validation email, see Not receiving validation email for information about possible causes and workarounds.