What is Domain Control Validation?

SSL certificates are issued to one or more domain names. It's the job of the Certification Authority (CA) that eventually signs the cert to verify that the entity requesting a cert (you) has the right to use the domains in the cert. For example, if you want to buy a cert for, say, www.yahoo.com, you'd have to prove that you currently own and have control over the yahoo.com domain. This proof is called Domain Control Validation, or DCV.

How is Domain Control Validation Proved?

DCV is proved by one of three methods:

  1. Approval Email
  2. Adding a DNS TXT Record (used by GeoTrust and Symantec CAs)
  3. Adding a DNS CNAME Record (used by Comodo CA)

In this article we discuss DCV by Approval Email.

DCV by Approval Email

You can prove domain ownership if you can receive an email from the CA (GeoTrust, Comodo, DigiCert) at any email address associated with your domain's WHOIS record (harder to do these days with GDPR in effect) or at one of five pre-approved generic email addresses. The generic addresses are admin, administrator, hostmaster, webmaster and postmaster @YOUR-DOMAIN.COM (the domain in your certificate request, not your personal email). CAs are not permitted to send DCV emails to any other addresses (doing so could result in the CA being flagged and distrusted in popular browsers... they're not going to do it).

Changing and Re-sending DCV Emails

You can change and/or re-send the DCV email to one of the approved emails by logging in to your GeoCerts SSL Manager account and selecting Action > Change/Re-send. You can also contact us and we'd be happy to help you understand your DCV options.

Wanna Test an Email Address?

You think you have one of the generic email boxes set up and ready to go, but do you really? Sometimes sending yourself a test email requires jumping through hoops. Don't do that.

A couple of tools to check your MX email server

Setting Up Email Aliases and Forwarding

It's perfectly fine to set up an email alias that forwards to your regular email address. For example, you can configure an email alias hostmaster@example.com to forward to jane.doe@example.com. As long as you can respond to the link in the DCV approval email from the CA it doesn't matter how it makes its way to you.
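To see ahead of time which of the five generic addresses would actually reach someone, here is an added example (not GeoCerts or CA code) that follows forwards through an alias table. It assumes a sendmail/Postfix-style aliases file; the sample table, the mailbox name and the function names are constructed for illustration.

```python
DCV_LOCAL_PARTS = ("admin", "administrator", "hostmaster", "webmaster", "postmaster")

# Constructed sample in sendmail/Postfix "aliases" style: "name: target[, target]".
SAMPLE_ALIASES = """\
# constructed sample data, not from a real server
hostmaster: jane.doe
postmaster: root
root: ops
ops: jane.doe@example.com, john.roe@example.com
webmaster: web
web: webmaster
"""

def parse_aliases(text):
    """Return {local_part: [targets]} from aliases-style text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or ":" not in line:
            continue
        name, targets = line.split(":", 1)
        table[name.strip().lower()] = [t.strip() for t in targets.split(",") if t.strip()]
    return table

def resolve(name, table, mailboxes, seen=None):
    """Follow forwards from a local part; return the set of final recipients."""
    seen = set() if seen is None else seen
    name = name.lower()
    if "@" in name:        # forward to a full address: treated as final here
        return {name}
    if name in seen:       # alias loop: the DCV email would never arrive
        return set()
    seen.add(name)
    if name in table:
        return set().union(*(resolve(t, table, mailboxes, seen) for t in table[name]))
    return {name} if name in mailboxes else set()

def dcv_report(domain, alias_text, mailboxes):
    """Map each approved generic address to where its mail ends up."""
    table = parse_aliases(alias_text)
    boxes = {m.lower() for m in mailboxes}
    return {f"{lp}@{domain}": sorted(resolve(lp, table, boxes))
            for lp in DCV_LOCAL_PARTS}

if __name__ == "__main__":
    for addr, dest in dcv_report("example.com", SAMPLE_ALIASES, {"jane.doe"}).items():
        print(f"{addr:28} -> {', '.join(dest) or 'UNDELIVERABLE'}")
```

An address reported with more than one destination means every one of those recipients can approve a certificate for the domain.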

Other DCV Options are Available

If DCV via challenge email won't work for you, there are other approved options available. If you have management control over the DNS records for the domain in the certificate request, you can create a DNS TXT or CNAME record with a unique code to demonstrate and prove domain control. Just log in to your GeoCerts account to make the change.

Learn more about these other DCV methods to prove domain control:

  • Adding a DNS TXT Record (used by GeoTrust and Symantec CAs)
  • Adding a DNS CNAME Record (used by Comodo CA)

Please contact our support team if you have any additional problems or questions.

Oct 30, 2018 Scott Rogers