My registrar doesn't support forwarding email from my domain. I want to configure Amazon SES and Amazon SNS to receive domain validation email because WHOIS does not work for my domain. 

When requesting a certificate for a domain, you might not receive validation email for two reasons: you do not have DNS MX records configured for the domain, or your registrar doesn't support domain email forwarding. However, you can configure your domain to receive validation email by using Amazon SES and Amazon SNS. You can do this in four main steps:

  1. Create an SNS topic
  2. Verify your domain
  3. Create SES rules
  4. Create a certificate request

Before you begin, try these troubleshooting steps for not receiving validation email. Confirm that all endpoints are in the same region and that you have access to modify your domain's DNS settings.

Create an SNS topic

  1. Open the Amazon SNS console and choose Create Topic.
  2. Type the Topic name and Display name, and choose Create topic. Here are some suggested names:
    Topic name: Validation-Email
    Display name: Validation
  3. On the Topic details page, choose Create subscription.
  4. Use the default Topic ARN, and for Protocol, choose Email.
  5. Type your full email address for the Endpoint and choose Create subscription.

Note: A confirmation message is sent to the subscribed endpoint. After the subscription has been confirmed, the endpoint receives notifications from this topic.

Verify your domain

  1. Open the Amazon SES console and choose Domains from the left navigation pane.
  2. Choose Verify a New Domain and enter your domain name.
  3. Choose Verify This Domain.
  4. If your domain is hosted by Amazon Route 53, choose Use Route 53. If your domain is not hosted by Amazon Route 53, enter the record set manually in your domain registrar's DNS settings.
  5. Open the Amazon Route 53 console, and choose Hosted zones from the left navigation pane.
  6. Select your domain and choose Create Record Set.
  7. Type the name of your domain or subdomain, and choose MX - Mail exchange as the record type.
  8. Type the record value as 10 inbound-smtp.us-west-2.amazonaws.com and choose Create.
    Note: In the record value, replace us-west-2 with your region.

Create SES rules

  1. Open the Amazon SES console and choose Rule Sets from the left navigation pane.
  2. If you do not have an existing rule, choose Create a Receipt Rule, type Validation-Rule-Set for your rule set name, and choose Create a Rule Set. If you have an existing rule, choose Create Rule Set.
    Note: Receipt rule sets have two states—active or disabled—and only one receipt rule set can be active at any time. For more information, see Activating and Disabling a Receipt Rule Set.
  3. Select your new rule set and choose Create Rule.
  4. Add your email recipient and choose Next Step. You can select any of the 5 validation email addresses from the following list:
    administrator@your_domain
    hostmaster@your_domain
    postmaster@your_domain
    webmaster@your_domain
    admin@your_domain
  5. Choose Add action, and select SNS.
  6. Choose the SNS topic you created earlier from the SNS topic menu, and choose UTF-8 for encoding.
  7. Add a second rule action to the rule set, select Stop Rule Set, and choose Next Step.
    Note: Stop Rule Set terminates the evaluation of the receipt rule set and optionally notifies you from Amazon SNS. If you want to include additional rule actions to this rule set, be sure that Stop Rule Set is the last rule added.
  8. Type the name you chose earlier in the Rule name field.
  9. Choose the default Rule set, which is the name of the rule set you created.
  10. Leave the Rule position as and choose Next Step.

Create a certificate request

  1. Open the AWS Certificate Manager console.
  2. If you already have a pending certificate request, select it and choose Resend validation email from the Actions list. If you have not submitted a certificate request, create one by choosing Request a certificate, and then enter all the domain names you want to secure the certificate against.
    Note: To set up a wildcard, add two domains to the certificate, the apex domain, and the wildcard domain. For example, domain.net and *.domain.net.
  3. Choose Review and request, Confirm and request, and then Continue.
  4. After receiving an email message for each domain listed with the subject "Amazon SES Email Receipt Notification", validate each domain.
  5. Choose the certificate validation link and choose I approve on the Amazon Certificate Approvals page. Repeat this process for each domain listed on the certificate. Every domain listed on the certificate must be validated before the certificate is issued by AWS Certificate Manager (ACM).
    Note: If the email is not properly formatted, search the email for \r\nTo approve this request, go to Amazon Certificate Approvals at\r\n. This is the certificate validation link.
  6. Confirm that the certificate is issued by checking the status in the AWS Certificate Manager console.

After successfully validating your ACM certificate, you can use the certificate with supported AWS resources in the same region as the certificate. If you have AWS resources in multiple regions, request a certificate from each region.

Note: If you intend to use an ACM certificate with Amazon CloudFront, you must request or import the certificate in the US East (N. Virginia) Region. ACM certificates in that region that are associated with a CloudFront distribution are distributed to all configured geographic locations.


Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center

Published: 2017-06-30