What is Domain Control Validation (DCV)?

SSL/TLS certificates are issued for a specific domain name or names. To obtain a certificate you must prove that you "own" each domain name. Domain Control Validation, or DCV, is the set of approved methods Cert Authorities (CAs) make available to you to prove a domain is yours. DCV must be completed for every domain on a certificate order.

How is Domain Control Validation Proved?

There are currently 5 DCV methods supported.

  1. Email Verification 
  2. Email to DNS TXT Contact (Recommended)
  3. DNS TXT Token
  4. DNS CNAME Token 
  5. HTTP/S File-based Token

Note: HTTP/S File-based Token is the only approved DCV method for certificates with IP addresses.

DCV Method 1: Email Verification

With this DCV validation method, the CA sends emails associated with the domain to the public WHOIS contacts (nowadays most WHOIS contacts are not public), and a set of generic administrative email addresses (admin@, administrator@, hostmaster@, webmaster@, and postmaster@) with a link for you to verify and approve the pending certificate request. 

Learn more about the Email Verification DCV Method.

DCV Method 2: Email to DNS TXT Contact 

If you have access to a domain's DNS management, this is the easiest and preferred method of proving domain control. It also has the advantage of being reusable once it's set up on your end. With the Email to DNS TXT Contact method, an authorization email is sent to the email addresses found in the DNS TXT record on the _validation-contactemail subdomain of the domain in the certificate order request. 

Learn how to set up the Email to DNS TXT Contact DCV Method.

DCV Method 3: DNS TXT Token

With this DCV method, you add a hash token string as a TXT record to the domain's DNS namespace. The CA periodically pings your domain's DNS looking for the correct token.

Learn how to set up the DNS TXT Token DCV Method.

DCV Method 4: DNS CNAME Token

To prove domain control with this method, you create a temporary CNAME host record on the domain's DNS namespace with a target hash value pointing back to the CA. The domain will be approved when the CA locates the correct CNAME record for the domain. 

Below is an example CNAME DNS record:

  • CNAME Host: _8DA14D435F7042B71E212832EBFFD76B.www.example.net
  • Target Address: 825752855AAEE1C2D576C3E42746C31C.FEA7606054060C42EAC7F966BA72FFAD.cert-auth.com

Learn how to set up the DNS CNAME Token DCV Method.

DCV Method 5: HTTP/S File-based Token

With this DCV validation method, you host a file containing a random hash value at a specific location on your website: https://[example.com]/.well-known/pki-validation/fileauth.txt. Once the file is created and placed on your site, the issuing CA visits the specified URL to confirm the presence of the verification token.

Learn how to set up the HTTP/S File-based Token DCV Method.