How can I receive the validation email to verify my domain for AWS Certificate Manager (ACM)?
Last updated: 2020-12-29
I requested a certificate from AWS Certificate Manager (ACM) to verify my domain using email validation, but I didn't receive the validation email.
When requesting a certificate for a domain, you might not receive the validation email if:
- You don't have DNS MX records configured for the domain.
- Your registrar doesn't support domain email forwarding.
If that doesn't work, you can configure your domain to receive validation email using Amazon WorkMail or Amazon Simple Email Service (Amazon SES) and Amazon Simple Notification Service (Amazon SNS).
Option 1: Resend the Validation Email Using WorkMail
Create a WorkMail user using one of the five common system administration addresses for your domain. For more information, see MX record.
- Open the WorkMail console, and then follow the instructions for Creating a new organization.
- Follow the instructions for Adding a domain.
- Choose the organization that you created in step 1, and then choose Create user.
- Enter the User name and Display name for "admin", and then choose Next Step.
Note: You can also use "hostmaster", "postmaster", and "webmaster" for the user name. You can't use "administrator", because this is the AWS Organizations default system user account.
- Enter your primary email address and password for the new user.
- In the dropdown list next to Email address, choose the domain that you created in step 2, and then choose Add user.
- Follow the instructions to resend the validation email.
- Follow the instructions for signing into the Amazon WorkMail web client for the user name created in step 4.
- You receive a validation email in your WorkMail web client inbox. Follow the instructions for Using email to validate domain ownership.
For more information, see How do I add and verify a domain to use with WorkMail?
Option 2: Resend the Validation Email Using Amazon SES and Amazon SNS
- Open the Amazon SNS console, expand the menu from the left navigation pane, choose Topics, and then choose Create Topic.
- Enter the Topic name and Display name. Here are some suggested names:
Topic name: Validation-Email
Display name: Validation
- Choose Create topic, and then choose Create subscription.
- Use the default Topic ARN, and for Protocol, choose Email.
- Enter your email address for the Endpoint, and then choose Create subscription.
Note: A confirmation email is sent to the subscribed endpoint.
- From the confirmation email, choose Confirm subscription. You receive the message "Subscription confirmed!".
Verify your domain.
- Open the Amazon SES console and choose Domains from the left navigation pane.
- Choose Verify a New Domain, enter your domain name, and then choose Verify This Domain.
- If your domain is hosted with Amazon Route 53, choose Use Route 53. Copy the Email Receiving Record MX Value, and then choose Close.
Note: If your domain isn't hosted by Amazon Route 53, enter the record set manually in your domain registrar's DNS settings.
- (Optional) If you choose Use Route 53, you can choose the records to import by selecting Domain Verification Record or Email Receiving Record. Select the hosted zones that you want to update, and then choose Create Record Sets.
Note: This option replaces all existing MX records for your domain. Don't use this option unless you are setting up your domain to receive email through Amazon SES. For more information, see Receiving email with Amazon SES.
- Open the Amazon Route 53 console, and then choose Hosted zones from the left navigation pane.
- Select your Domain Name from step 2, and then choose Create Record Set.
- Select your MX Record Set, enter your domain or subdomain name, and then choose the MX - Mail exchange record type.
- In Value: paste the Email Receiving Record MX Value from step 3, and then choose Create.
Create SES rules.
- Open the Amazon SES console, and then choose Rule Sets from the left navigation pane.
- If you don't have an existing rule, choose Create a Rule Set. In Rule set name, enter a name, and then choose Create a Rule Set.
- In Rule set name, choose your rule set, and then choose Create Rule.
- For Recipient, enter your recipient email address, choose Add Recipient, and then choose Next Step. You can select any of the following validation email addresses:
Note: Receipt rule sets have two states—active or disabled. Only one receipt rule set can be active at any time. For more information, see Activating and disabling a receipt rule set.
- Choose the Add action menu, and then select SNS.
- From the SNS topic menu, choose the SNS topic that you created earlier (for example, Validation-Email). For Encoding, choose UTF-8.
- Select the Add action menu, choose Stop Rule Set, and then choose Next Step.
- In Rule Details, for Rule name, enter "Validation-Rule-Set", choose Next Step, and then choose Create Rule.
- Choose Rule Sets from the left navigation pane, choose your rule set, choose Set as Active Rule Set, and then choose Set Active.
Resend the validation email and verify the domain.
- Open the AWS Certificate Manager console.
- Select the Domain name, choose the Actions menu, choose Resend validation email, and then choose Resend.
- You receive an email message for each domain listed with the subject "Amazon SES Email Receipt Notification".
Note: If the email isn't properly formatted, search the email for \r\nTo approve this request, go to Amazon Certificate Approvals at\r\n. This is the certificate validation link.
- Follow the instructions for Using email to validate domain ownership.
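The note above about searching a badly formatted notification for the approval marker can be done programmatically. The following is an added example, not AWS code: it reads the SES receipt notification JSON that the SNS action publishes, decodes the raw message in its `content` field, and returns the link that follows the marker only if its host is on a caller-supplied allowlist. The function name, the sample message, and the host `approvals.example.test` are constructed for illustration; supply the approval hosts that the ACM documentation names.

```python
import json
from email import message_from_string
from urllib.parse import urlsplit

# Marker text quoted in the note above.
MARKER = "To approve this request, go to Amazon Certificate Approvals at"

def extract_approval_link(notification_json, allowed_hosts):
    """Return the approval URL from an SES receipt notification or raise ValueError."""
    note = json.loads(notification_json)              # turns the escaped \r\n into real line breaks
    msg = message_from_string(note.get("content", ""))  # raw MIME message from the SNS action
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        body = part.get_payload(decode=True)          # undoes quoted-printable or base64
        charset = part.get_content_charset() or "utf-8"
        lines = [ln.strip() for ln in body.decode(charset, "replace").splitlines()]
        if MARKER not in lines:
            continue
        # The link is the first non-empty line after the marker.
        after = lines[lines.index(MARKER) + 1:]
        url = next((ln for ln in after if ln), "")
        parts = urlsplit(url)
        # Refuse anything that is not HTTPS to an expected host (lookalike links).
        if parts.scheme != "https" or parts.hostname not in allowed_hosts:
            raise ValueError(f"unexpected approval link: {url!r}")
        return url
    raise ValueError("approval marker not found in notification content")

# Constructed sample: a minimal notification with a placeholder approval host.
SAMPLE_URL = "https://approvals.example.test/approvals?code=CONSTRUCTED-CODE"
SAMPLE_RAW = (
    "From: sender@example.test\r\n"
    "To: admin@example.com\r\n"
    "Subject: Certificate approval for example.com\r\n"
    "Content-Type: text/plain; charset=UTF-8\r\n"
    "\r\n"
    "Greetings,\r\n"
    "\r\nTo approve this request, go to Amazon Certificate Approvals at\r\n"
    + SAMPLE_URL + "\r\n"
    "\r\nSincerely\r\n"
)
SAMPLE_NOTIFICATION = json.dumps({"notificationType": "Received", "content": SAMPLE_RAW})

if __name__ == "__main__":
    print(extract_approval_link(SAMPLE_NOTIFICATION, {"approvals.example.test"}))
```
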
After validating your ACM certificate, you can use the certificate with supported AWS resources in the same Region as the certificate. If you have AWS resources in multiple Regions, request a certificate from each Region.
Note: If you intend to use an ACM certificate with Amazon CloudFront, you must request or import the certificate in the US East (N. Virginia) Region. For more information, see AWS Region that you request a certificate in (for AWS Certificate Manager).