Why am I not receiving validation emails when using ACM to issue or renew a certificate?

Last updated: 2022-06-24

Why didn't I receive the validation email to issue or renew AWS Certificate Manager (ACM) certificates?

Short description

ACM sends the validation emails to the five common system addresses as long as an MX record exists for the domain. For a list of the default email addresses, see MX record.

ACM also sends a domain validation email to the email addresses associated with the domain registrant, technical contact, and administrative contact fields in the WHOIS listing. For more information, see validate domain ownership with email.

Some domain registrars don't populate the contact information in WHOIS ("Who is") data. Issuing or renewing your ACM certificate can be affected if:

  • Your domain registrar doesn't include contact email addresses in WHOIS data.
  • You use custom email addresses in WHOIS for certificate validation.

The WHOIS lookup for email validation is performed on the apex domain and searches for email addresses in the domain registrant, technical contact, and administrative contact fields. Verify your listed email addresses using a WHOIS query. For additional information, see Enabling or disabling privacy protection for contact information for a domain. If your domain has privacy protection enabled, you might not receive a reply, or you might receive a response similar to the following:

Registrant Contact
Name: Data Protected Data Protected
Organization: Data Protected
Mailing Address: 123 Data Protected, Toronto ON M6K 3M1 CA
Phone: +1.0000000000
Ext:
Fax: +1.0000000000
Fax Ext:
Email:noreply@data-protected.net

Note:

  • ACM isn't compatible with CAPTCHA. ACM might not be able to retrieve WHOIS data that is protected by a CAPTCHA.
  • AWS doesn't control WHOIS data and can't prevent WHOIS server throttling. For more information, see WHOIS throttling.

Resolution

Two options are available, depending on your preference and the effort required to maintain or switch validation methods. Note the following:

  • You can't convert an ACM certificate's validation method from email to DNS or from DNS to email. To switch validation methods, request a new ACM certificate to replace the previous one.
  • If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Option 1 - use email

Check your certificate for your domain to verify the email addresses.

  1. Open the ACM console, and then choose List certificates.
  2. Choose the certificate that you want to renew.
  3. In Domains, note the Registered owners field. Usually the registered owners include admin@, administrator@, hostmaster@, postmaster@, webmaster@.

If the five system email addresses aren't listed, confirm that the domain has at least one valid MX record using the following commands:

Linux and macOS

$ dig mx example.com

Windows

$ nslookup -q=mx example.com

The validation emails are sent to the mail servers listed in the MX record. If the domain has MX records, the command returns output similar to the following:

;; ANSWER SECTION:
example.com.             599     IN      MX      10 mail1.example.com.
example.com.             599     IN      MX      20 mail2.example.com.

You can also use Amazon Simple Email Service (Amazon SES) and Amazon Simple Notification Service (Amazon SNS) to receive an ACM validation email if:

  • You don't have an MX record.
  • Your domain registrar doesn't support email forwarding.

Follow the instructions for resending the validation email using the AWS Management Console or the AWS CLI.

For more information, see Troubleshoot email validation problems.

Option 2 - use DNS

To switch to DNS validation, recreate the ACM certificate, and then select DNS for validation. DNS validation has several advantages over email validation, especially if Amazon Route 53 is the DNS provider for your domain.

  • DNS validation requires only one CNAME record per domain name, used solely for requesting an ACM certificate. Email validation sends up to eight email messages per domain name.
  • You can request additional ACM certificates for your fully qualified domain name (FQDN) as long as the DNS record remains in place.
  • ACM automatically renews certificates that you validated using DNS. ACM renews each certificate before expiration if the certificate and DNS record are both in use.
  • ACM can add the CNAME record for you if you use Route 53 to manage your public DNS records.
  • Automation using the DNS validation process is less complex than using the email validation process.
  • You can switch to DNS validation at no additional cost.

Services integrated with AWS Certificate Manager that use the previous ACM certificate must be updated to use the new certificate. This is because each new ACM certificate is assigned a new Amazon Resource Name (ARN); you can't retain the ARN when you request a new ACM certificate. Only renewed ACM certificates retain the same ARN.

You can establish the Region for an ACM certificate by running the AWS CLI command describe-certificate, similar to the following:

$ aws acm describe-certificate --certificate-arn arn:aws:acm:region:12345678911:certificate/123456-1234-1234-1234-123456789 --output text | grep INUSEBY

For more information, see DNS validation.