Why am I not receiving validation emails when using ACM to issue or renew a certificate?

Last updated: 2019-08-22

Why is email validation not working for Amazon Certificate Manager (ACM) certificates?  

Short Description

ACM sends the validation emails to the five common system addresses as long as an MX record exists for the domain. For a list of the default email addresses, see MX Record.

ACM also sends a domain validation email to the email addresses associated with the domain registrant, technical contact, and the administrative contact fields in the WHOIS listing. For more information, see Use Email to Validate Domain Ownership.

Some domain registrars don't populate the contact information in WHOIS ("Who is") data. Your ACM certificate issue or renewal can be affected if:

  • Your domain registrar doesn't include contact email addresses in WHOIS data.
  • You use custom emails addresses in WHOIS for certificate validation.

The WHOIS lookup for email validation is performed on the apex domain and searches for email addresses in the domain registrant, technical contact, and administrative contact fields. Verify your listed email addresses using a WHOIS query. For additional information, see Enabling or Disabling Privacy Protection for Contact Information for a Domain.

You don't receive a reply or receive a response similar to the following:

Registrant Contact
Name: Data Protected Data Protected
Organization: Data Protected
Mailing Address: 123 Data Protected, Toronto ON M6K 3M1 CA
Phone: +1.0000000000
Ext:
Fax: +1.0000000000
Fax Ext:
Email:noreply@data-protected.net

Note: ACM isn't compatible with CAPTCHA. ACM might not locate WHOIS data configured with a CAPTCHA text.

Important: AWS doesn't control WHOIS data and can't prevent WHOIS server throttling. For more information, see WHOIS Throttling.

Resolution

Two options are available depending on your preference and the effort required for maintaining or switching.

Important: You can't convert an ACM certificate validation from email to DNS or from DNS to email. If you switch validation methods, issue a new ACM certificate to replace the old one.

Option 1 - use email

You can keep using email for validation. It's a best practice to verify that at least one of the five default email addresses are valid and monitored for your domain. Choose the link in the validation email to complete validation.

Emails are sent to the mail server as indicated in your domain MX records. If you aren't receiving emails for the domain, confirm that the domain has at least one valid MX record by using the following commands:

Linux and macOS

$dig mx example.com

Windows

$nslookup -q=mx example.com

The mail servers indicated in the MX record are sent the validation emails.

;; ANSWER SECTION:
example.com.             599     IN      MX      10 mail1.example.com.
example.com.             599     IN      MX      20 mail2.example.com.

You can use Amazon Simple Email Service (Amazon SES) and Amazon Simple Notification Service (Amazon SNS) to receive an ACM validation email if:

  • You don't have an MX record.
  • Your domain registrar doesn't support email forwarding.

Option 2 - use DNS

To switch to DNS validation, recreate the ACM certificate, and then select DNS for validation. DNS validation has several advantages over email validation, especially if Amazon Route 53 is the DNS provider for your domain.

  • DNS requires that you create one CNAME record per domain name used only for requesting an ACM certificate. Email validation sends up to eight email messages per domain name.
  • You can request additional ACM certificates for your fully qualified domain name (FQDN) if the DNS record is in use.
  • ACM automatically renews certificates that you validated using DNS. ACM renews each certificate before expiration if the certificate and DNS record are both in use.
  • ACM can add the CNAME record for you if you use Route 53 to manage your public DNS records.
  • Automation using the DNS validation process is less complex than using the email validation process.
  • You can switch to DNS validation at no additional cost.

Services Integrated with AWS Certificate Manager using the old ACM certificate must be updated to use the new certificate. This is because new ACM certificates generate an Amazon Resource Name (ARN). You can't retain the ARN with a new ACM certificate. Only renewed ACM certificates retain the same ARN.

You can establish the Region for an ACM certificate by running the following at the command line:

$aws acm describe-certificate --certificate-arn arn:aws:acm:region:12345678911:certificate/123456-1234-1234-1234-123456789 --output text |grep INUSEBY

For more information and guidance on how to use DNS validation, see Use DNS to Validate Domain Ownership.