Domain Control Validation by DNS TXT Method

With this DCV method, you prove domain control by adding a hash string token as a TXT record to the domain's DNS namespace. The CA periodically checks your domain's DNS looking for the correct token.

How to set up DCV to DNS TXT Token method

  1. Locate the pending order in your account. Click on a domain in the 'You Need To..." section.

  2. In the DCV Method dropdown choose DNS TXT Token. Copy the Token string. Note: The unique token expires after thirty days. 

  3. Add a DNS TXT record to your domain. Below is an example of AWS Route 53 DNS.

    1. In the Host field leave the host field blank or use the @ symbol to indicate that you want to create a TXT record at the base domain level (e.g., not
    2. In the Value field paste the TXT token string you copied from the previous step.
    3. Save the TXT record.

      Tip: If you are not able to add the token value to your base domain's DNS record because it already has a TXT record you can create a new TXT record and enter _dnsauth (include the leading underscore) as the host value rather than leaving it blank. The CA will look for the token at and

  4. Check your live DNS record for propagation.

    Use Google Admin Toolbox Dig to test your new DNS TXT record. If you don't see the token value it's either not set up correctly or the record has not propagated yet. Note the TTL and check again later. 

    Tip: Use can also use What's My DNS to verify that your new TXT record has propagated globally. Depending on the TTL value it may take some time to show up.
  5. Check DCV approval. 

    Once you're sure that your new DNS TXT record is set up properly and has propagated globally, go back to step 2 above and click the CHECK button. 

    If the correct DNS TXT record is located, that domain will show as checked-off and approved. Repeat for all domains on the certificate order.

Please contact our support team if you have any additional problems or questions.