Troubleshoot email validation problems - AWS Certificate Manager

Troubleshoot email validation problems

Consult the following guidance if you are having trouble validating a certificate domain with email.

Not receiving validation email

When you request a certificate from ACM and choose email validation, domain validation email is sent to three contact addresses specified in WHOIS and five common administrative addresses. For more information, see Email validation. If you are experiencing problems receiving validation email, review the suggestions that follow.

Where to look for email

Validation email is sent to contact addresses listed in WHOIS and to common administrative addresses for the domain. Email is not sent to the AWS account owner unless the owner is also listed as a domain contact in WHOIS. Review the list of email addresses that are displayed in the ACM console (or returned from the CLI or API) to determine where you should be looking for validation email. To see the list, click the icon next to the domain name in the box labeled Validation not complete.

The email is marked as spam

Check your spam folder for the validation email.

GMail automatically sorts your email

If you are using GMail, the validation email may have been automatically sorted into the Updates or Promotions tabs.

The domain registrar does not display contact information or privacy protection is enabled

In some cases, the domain registrant, technical, and administrative contacts in WHOIS may not be publicly available, and AWS therefore cannot reach these contacts. At your discretion, you can choose to configure your registrar to list your email address in WHOIS, although not all registrars support this option. You may be required to make a change directly at your domain's registry. In other cases, the domain contact information may be using a privacy address, such as those provided through WhoisGuard or PrivacyGuard.

For domains purchased from Route 53, privacy protection is enabled by default and your email address is mapped to a whoisprivacyservice.org, contact.gandi.net, or identity-protect.org email address. Ensure that your registrant email address on file with your domain registrar is up to date so that the email sent to these obscured email addresses can be forwarded to an email address that you control.

Note

Privacy protection for some domains that your purchase with Route 53 will be enabled even if you choose to make your contact information public. For example, privacy protection for the .ca top level domain cannot be programmatically disabled by Route 53. You must contact the AWS Support Center and request that privacy protection be disabled.

If email contact information for your domain is not available through WHOIS, or if email sent to the contact information does not reach the domain owner or an authorized representative, we recommend that you configure your domain or subdomain to receive email sent to one or more of the common administrative addresses formed by prepending admin@, administrator@, hostmaster@, webmaster@, and postmaster@ to the requested domain name. For more information about configuring email for your domain, see the documentation for your email service provider and follow the instructions at (Optional) Configure email for your domain. If you are using Amazon WorkMail, see Working with Users in the Amazon WorkMail Administrator Guide.

After making available at least one of the eight email addresses to which AWS sends validation email and confirming that you can receive email for that address, you are ready to request a certificate through ACM. After you make a certificate request, ensure the intended email address appears in the list of email addresses in the AWS Management Console. While the certificate is in the Pending validation state, you can expand the list to view it by clicking the icon next to the domain name in the box labeled Validation not complete. You can also view the list in Step 3: Validate of the ACM Request a Certificate wizard. The listed email addresses are the ones to which email was sent.

Missing or incorrectly configured MX records

An MX record is a resource record in the Domain Name System (DNS) database that specifies one or more mail servers that accept email messages for your domain. If your MX record is missing or misconfigured, email can not be sent to any of the five common system administration addresses specified at Email validation. Fix your missing or misconfigured MX record and try to resend the email or request your certificate again.

Note

Currently, we recommend that you wait at least one hour before attempting to resend the email or requesting your certificate.

Note

To bypass requiring an MX record, you can use the ValidationDomain option in the RequestCertificate API or the request-certificate AWS CLI command to specify the domain name to which ACM sends validation emails. If you use the API or the AWS CLI, AWS does not perform an MX lookup.

Contact the Support Center

If, after reviewing the preceding guidance, you still don't receive the domain validation email, please visit the AWS Support Center and create a case. If you don't have a support agreement, post a message to the ACM Discussion Forum.

Email sent to subdomain

If you are using the console and request a certificate for a subdomain name such as sub.test.example.com, then ACM checks to see if there is an MX record for sub.test.example.com. If not, then the parent domain test.example.com is checked, and so on, up to the base domain example.com. If an MX record is found, the search stops and a validation email is sent to the common administration addresses for the subdomain. So for example, if an MX record is found for test.example.com, email is sent to admin@test.example.com, administrator@test.example.com, and the other administrative addresses specified in Email validation. If an MX record is not found in any of the subdomains, email is sent to the subdomain that you originally requested the certificate for. For a thorough discussion of how to set up your email and how ACM works with DNS and the WHOIS database, see (Optional) Configure email for your domain.

Instead of using the console, you can use the ValidationDomain option in the RequestCertificate API or the request-certificate AWS CLI command to specify the domain name to which ACM sends validation emails. If you use the API or the AWS CLI, AWS does not perform an MX lookup.

Hidden contact information

A common problem occurs when you attempt to create a new certificate. Some registrars allow you to hide your contact information in your WHOIS listing. Others allow you to substitute your real email address with a privacy (or proxy) address. This prevents you from receiving validation email at your registered contact addresses.

To receive mail, ensure that your contact information is public in WHOIS, or if your WHOIS listing shows a privacy email address, ensure that email sent to the privacy address is forwarded to your real email address. After your WHOIS setup is complete and as long as your certificate request has not timed out, you can choose to resend the validation email. ACM performs a new WHOIS/MX lookup and sends validation email to your now public contact address.

Certificate renewals

If you made your WHOIS information public when you requested a new certificate and then later obfuscated your information, ACM cannot retrieve your registered contact addresses when you attempt to renew your certificate. ACM sends validation email to these contact addresses and to five common administrative addresses formed by using your MX record. To address this problem, make your WHOIS information public again and resend the validation emails. ACM performs a new WHOIS/MX lookup and sends validation email to your now public contact addresses.

WHOIS throttling

Sometimes ACM is unable to contact the WHOIS server even after you have sent multiple requests for validation email. This problem is external to AWS. That is, AWS does not control the WHOIS servers and cannot prevent WHOIS server throttling. If you experience this problem, create a case at the AWS Support Center for help with a workaround.

Persistent initial timestamp for email validation

The timestamp of a certificate's first email-validation request persists through later requests for validation renewal. This is not evidence of an error in ACM operations.

Troubleshoot problems with the .IO top-level domain

The .IO top-level domain is assigned to the British Indian Ocean Territory. Currently, the domain registry does not display your public information from the WHOIS database. This is true whether you have privacy protection for the domain enabled or disabled. Registrars may display this information in their own WHOIS outputs if privacy protection is disabled, but this practice varies between registrars. ACM is unable to send validation email to the following three registered contact addresses if they are not available from the registrar in WHOIS.

  • Domain registrant

  • Technical contact

  • Administrative contact

ACM does, however, send validation email to the following five common system addresses where your_domain is the domain name you entered when you initially requested a certificate and .io is the top level domain.

  • administrator@your_domain.io

  • hostmaster@your_domain.io

  • postmaster@your_domain.io

  • webmaster@your_domain.io

  • admin@your_domain.io

To receive validation mail for an .IO domain, make sure that you have one of the preceding five email accounts enabled. If you do not, you will not receive validation email and you will not be issued an ACM certificate.

Note

We recommend that you use DNS validation rather than email validation. For more information, see DNS validation.

I can't switch to DNS validation

After you create a certificate with email validation, you cannot switch to validating it with DNS.