Domain Control Validation by DNS TXT Method

Domain Control Validation (DCV) is a required step before an SSL/TLS certificate can be issued. When you choose the DNS TXT Token method, you prove control of your domain by publishing a unique TXT record in your domain’s DNS.

This guide walks you through how to complete DCV using the DNS TXT Token method for GeoTrust and DigiCert certificates.

Note: The DNS TXT Token method is not supported for Sectigo or PositiveSSL certificates. Use DNS CNAME for those products instead.

Step 1: Locate the Pending Order

  1. Log in to your GeoCerts account.
  2. Locate your pending certificate order.
  3. In the "You Need To..." section, click the link to prove control over domains.
  4. For each domain listed, choose DNS TXT Token from the DCV Method dropdown menu.
  5. Copy the unique TXT Token provided.
    Note: This token expires after 30 days. Complete validation before it expires.

Step 2: Add the TXT Record to Your DNS

Log in to your DNS provider and add the TXT record exactly as shown.

Standard Setup:

  • Host/Name: Leave blank or use @ (to publish at the base domain, e.g., example.com)
  • Type: TXT
  • Value: Paste the token you copied from Step 1

    Name: @
    Type: TXT
    Value: 7f4bde34a21a45b9b6c3c8b8fbd02156

Note: If your certificate is for a subdomain (like mail.example.com), you should still publish the TXT record at the base domain: example.com.

[Screenshot: example of a TXT record using AWS Route 53]

Alternate Setup (if there’s a conflict):

If your base domain already has a TXT record and you can’t add a new one:

  • Use _dnsauth (include the underscore) as the Host/Name
  • The CA will also check _dnsauth.example.com for the token

    Name: _dnsauth
    Type: TXT
    Value: 7f4bde34a21a45b9b6c3c8b8fbd02156

Step 3: Verify DNS Propagation

It may take time for your new TXT record to propagate, depending on your DNS host’s TTL settings.
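
One way to check propagation from a terminal before triggering the CA's check (an added example, not GeoCerts' or the CA's own tooling): the script asks each authoritative nameserver for the TXT records at the base domain and at _dnsauth and looks for the token. It assumes `dig` is installed; the function names `txt_has_token` and `check_dcv` are hypothetical, and the exact-match comparison is an assumption based on the instruction to add the record exactly as shown.

```shell
#!/bin/sh
# Added example: confirm a DCV token is visible in DNS before clicking CHECK.
# Assumes dig is installed. Usage: sh check_dcv.sh example.com <token>

# txt_has_token TOKEN
# Reads `dig +short TXT` output on stdin and succeeds only if one record equals
# TOKEN exactly. dig prints each record as one or more quoted chunks
# ("part1" "part2"), so chunks are joined and the outer quotes removed first.
txt_has_token() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//' | grep -Fxq -- "$1"
}

# check_dcv BASE_DOMAIN TOKEN
# Asks every authoritative nameserver directly (no resolver cache) for TXT
# records at the base domain and at _dnsauth.<base domain>.
# Returns 0 if all servers publish the token, 1 if any does not, 2 if the
# name has no NS records (typically a subdomain was passed instead of the base).
check_dcv() {
    domain=$1 token=$2 status=0
    servers=$(dig +short NS "$domain")
    if [ -z "$servers" ]; then
        echo "no NS records for $domain; pass the base domain" >&2
        return 2
    fi
    for ns in $servers; do
        where=
        for name in "$domain" "_dnsauth.$domain"; do
            if dig +short TXT "$name" "@$ns" | txt_has_token "$token"; then
                where=$name
                break
            fi
        done
        if [ -n "$where" ]; then
            echo "$ns: token found at $where"
        else
            echo "$ns: token not found"
            status=1
        fi
    done
    return "$status"
}

if [ "$#" -eq 2 ]; then check_dcv "$1" "$2"; fi
```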

Step 4: Complete the DCV Check

Once your DNS TXT record has been published and propagated, the Certificate Authority will automatically check for it on a regular schedule. As soon as the correct TXT record is detected, the domain will be marked as approved.

If all other validation requirements have been met (such as organization validation for OV/EV certificates), the certificate will be automatically issued without any additional action required.

You can also manually trigger a DCV check at any time by clicking the CHECK button next to the domain in your pending order.

Repeat this process for each domain on the certificate order as needed.

If you don’t see the token, one of the following applies:

  • You're setting the DNS record for something other than the base domain (e.g., www.example.com instead of just example.com)
  • The record hasn't propagated yet, or
  • There is a typo or misconfiguration in your record

Changing the DCV Method

You can change the DCV method at any time before validation is complete. For example, switch from Email to DNS TXT by clicking the domain name and selecting a different method.

Need Help?

If you have trouble publishing the DNS TXT record or verifying your domain, contact GeoCerts Support. We’re here to help.