Email-based DCV methods
Using the email-based domain control validation (DCV) methods consists of two steps. With this domain control validation method, the hardest part is setting up the email contact.
Set up the email contact one time.
DigiCert recommends using a distribution list rather than a personal email address. A distribution list allows you to create a "non-expiring" email address to which you can add or remove people as needed.
An email recipient responds to the confirmation email to show control over the domain.
Allowlists: DigiCert sends the confirmation email from no-reply@digitalcertvalidation.com. If using allowlists, make sure to include digitalcertvalidation.com.
DigiCert supports three email-based domain control validation (DCV) methods. When validating a domain using these DCV methods, make sure to select the Verification email DCV method.
Vulnerable to industry change
The email-based DCV methods are the most vulnerable to future industry changes (TLS certificate baseline requirements). When industry requirements change, you must use another DCV method. For example, the industry ended support for the WHOIS-based DCV email method in May 2025. Learn more about the end of life for WHOIS-based DCV methods.
Acronyms used in this article: Domain Name System (DNS), Transport Layer Security (TLS), organization validation (OV), extended validation (EV), domain validation (DV), text (TXT), Certification Authority Authorization (CAA)
Email to DNS TXT record contact
DigiCert sends the approval email to the DNS TXT record email address on the _validation-contactemail subdomain of the domain being validated. To use the DCV method, you must have access and permission to modify the domain's DNS records.
Configure your CertCentral Email DCV method to send the approval email to the address specified in the DNS TXT record
Place the DNS TXT record on the _validation-contactemail subdomain of the domain you want to validate.
The RDATA value of this text record must be a valid email address with no additional padding or structure.
Name: _validation-contactemail
Time to live (TTL): Default
Message: validatedomain@digicerttest.com
Update your CertCentral account settings to send the verification DCV emails to Org/Tech/Admin contacts from DNS TXT.
In CertCentral, in the left menu, go to Settings > Preferences.
You must be an administrator to view and update the Preferences page.
On the Preferences page, select Advanced Settings.
In the Domain Control Validation (DCV) section under Send verification DCV emails to, select Org/Tech/Admin contacts from DNS TXT.
Go to the bottom of the page and select Save Settings.
What's next
The next time you select the Verification email DCV method, CertCentral sends the approval email to the contact listed in the DNS TXT record. A domain is validated when an email recipient uses the link in the email and follows the instructions on the domain approval page.
Email to DNS CAA record contact
DigiCert sends an authorization email to the address in the domain's DNS CAA record. To use the DCV method, you must have access and permission to modify the domain's DNS record.
Configure your CertCentral Email DCV method to send the approval email to the addresses specified in the DNS CAA record
Add a contact email to your domain’s CAA record with no additional padding or structure.
Update your CertCentral account settings to send the verification DCV emails to Org/Tech/Admin contacts from DNS CAA.
In CertCentral, in the left menu, go to Settings > Preferences.
You must be an administrator to view and update the Preferences page.
On the Preferences page, select Advanced Settings.
In the Domain Control Validation (DCV) section under Send verification DCV emails to, select Org/Tech/Admin contacts from DNS TXT.
The Org/Tech/Admin contacts from DNS TXT option applies to both DNS TXT record contact and DNS CAA record contact.
Go to the bottom of the page and select Save Settings.
What's next
The next time you select the Verification email DCV method, CertCentral sends the approval email to the contact listed in the DNS CAA record. The domain is validated when an email recipient uses the link in the email and follows the instructions on the domain approval page.
Email to constructed email
DigiCert sends the authorization email to five constructed email addresses for the domain: admin, administrator, webmaster, hostmaster, and postmaster @[domain_name]. To use the DCV method, you must have access and permission to modify the domain's DNS record. See the MX records (mail exchanger records) section in this article.
Configure your CertCentral Email DCV method to send the approval email to a constructed email address
Set up an MX record for [domain_name].
If we can't find an MX record for [domain_name], you must use another supported DCV method to demonstrate your control over the domain.
Update your CertCentral account settings to send the verification DCV emails to a constructed email.
In CertCentral, in the left menu, go to Settings > Preferences.
You must be an administrator to view and update the Preferences page.
On the Preferences page, select Advanced Settings.
In the Domain Control Validation (DCV) section under Send verification DCV emails to, select the constructed emails you set up: admin@, administrator@, hostmaster@, postmaster@, or webmaster@.
Go to the bottom of the page and select Save Settings.
What's next
The next time you select the Verification email DCV method, CertCentral sends the approval email to the selected constructed emails. A domain is validated when an email recipient uses the link in the email and follows the instructions on the domain approval page.
MX records (mail exchanger records)
While registering a domain, you must provide contact information, like administrative and technical contacts. Instead of using a personal email address, you can use one of the constructed email addresses for your domain, such as webmaster@yourdomain. Using a constructed email address allows you to create a "non-expiring" email address to which you can add or remove people if necessary.
To send a DCV approval email to the domain contact, DigiCert must verify that an MX record exists in the domain's DNS. A valid MX record identifies the mail server responsible for receiving emails for that domain and allows the approval email to be delivered.
For example, you want DigiCert to send the DCV email to a constructed address, such as admin@example.com. To send this email, DigiCert must first confirm that an MX record for example.com exists, identifying the server configured to receive mail for that address.
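An offline audit of which mailboxes each of the three methods above would reach for a domain, added here as an example (it is not DigiCert code). The `zone` dictionary is a constructed stand-in for resolver answers, the CAA property tag `contactemail` comes from the CA/Browser Forum Baseline Requirements rather than from this page, and the email pattern is a deliberately conservative approximation of "no additional padding or structure".

```python
import re

# Conservative check: one bare address, nothing around it (no quotes, "mailto:", <>, spaces).
BARE_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")
CONSTRUCTED = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")

def is_bare_email(value):
    """True only if the whole RDATA value is an email address, unpadded."""
    return BARE_EMAIL.fullmatch(value) is not None

def dcv_recipients(zone, domain):
    """Return (recipients per method, rejected record values) for `domain`.

    `zone` maps (owner name, record type) to a list of RDATA values; it is
    an assumption of this example, standing in for live DNS lookups.
    """
    recipients = {"txt": [], "caa": [], "constructed": []}
    rejected = []
    for value in zone.get(("_validation-contactemail." + domain, "TXT"), []):
        (recipients["txt"] if is_bare_email(value) else rejected).append(value)
    for _flags, tag, value in zone.get((domain, "CAA"), []):
        if tag.lower() != "contactemail":
            continue  # issue/issuewild/iodef properties are not DCV contacts
        (recipients["caa"] if is_bare_email(value) else rejected).append(value)
    if zone.get((domain, "MX")):  # without an MX record the constructed set is unusable
        recipients["constructed"] = [f"{local}@{domain}" for local in CONSTRUCTED]
    return recipients, rejected

# Constructed sample data, not real DNS answers.
SAMPLE_ZONE = {
    ("_validation-contactemail.example.com", "TXT"): [
        "validatedomain@digicerttest.com",   # the page's example value
        "mailto:pki-team@example.com",       # extra structure: rejected
        " pki-team@example.com ",            # padding: rejected
    ],
    ("example.com", "CAA"): [
        (0, "issue", "ca.example"),
        (0, "contactemail", "pki-team@example.com"),
    ],
    ("example.com", "MX"): ["10 mail.example.com."],
    ("example.org", "CAA"): [(0, "contactemail", "<hostmaster@example.org>")],
}

if __name__ == "__main__":
    for name in ("example.com", "example.org"):
        print(name, dcv_recipients(SAMPLE_ZONE, name))
```

Every address in the returned lists is a mailbox whose owner can approve issuance for the domain, so review the output against the distribution lists you intend to use.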