How can I receive the validation email to verify my domain for AWS Certificate Manager (ACM)?

Last updated: 2019-04-24

I requested a certificate from AWS Certificate Manager (ACM) to verify my domain using email validation, but I didn't receive the validation email.

Short Description

When requesting a certificate for a domain, you might not receive the validation email if:

  • You don't have DNS MX records configured for the domain.
  • Your registrar doesn't support domain email forwarding.

First, try these troubleshooting steps to help you receive validation email.

If that doesn't work, you can configure your domain to receive validation email using Amazon SES and Amazon SNS. Do this in four main steps:

  1. Create an SNS topic.
  2. Verify your domain.
  3. Create SES rules.
  4. Resend the validation email and verify the domain.

Resolution

Create an SNS topic

  1. Open the Amazon SNS console, expand the menu from the left navigation pane, choose Topics, and then choose Create Topic.
  2. Enter the Topic name and Display name, choose Create topic, and then choose Create topic. Here are some suggested names:
    Topic name: Validation-Email
    Display name: Validation
  3. Choose Create topic, and then choose Create subscription.
  4. Use the default Topic ARN, and for Protocol, choose Email.
  5. Enter your email address for the Endpoint, and then choose Create subscription.
    Note: A confirmation email is sent to the subscribed endpoint.
  6. From the confirmation email, choose Confirm subscription. You receive the message "Subscription confirmed!".

Verify your domain

  1. Open the Amazon SES console and choose Domains from the left navigation pane.
  2. Choose Verify a New Domain, enter your domain name, and then choose Verify This Domain.
  3. If your domain is hosted with Amazon Route 53, choose Use Route 53. Copy the Email Receiving Record MX Value, and then choose Close.
    Note: If your domain isn't hosted by Amazon Route 53, enter the record set manually in your domain registrar's DNS settings.
  4. (Optional) If you choose Use Route 53, you can choose the records to import by selecting Domain Verification Record or Email Receiving Record. Select the hosted zones that you want to update, and then choose Create Record Sets.
    Note: This option replaces all existing MX records for your domain. Don't use this option unless you are setting up your domain to receive email through Amazon SES. For more information, see Receiving Email with Amazon SES.
  5. Open the Amazon Route 53 console, and then choose Hosted zones from the left navigation pane.
  6. Select your Domain Name from step 2, and then choose Create Record Set.
  7. Select your MX Record Set, enter your domain or subdomain name, and then choose the MX - Mail exchange record type.
  8. For Value, paste the Email Receiving Record MX Value from step 3, and then choose Create.

Create SES rules

  1. Open the Amazon SES console, and then choose Rule Sets from the left navigation pane.
  2. If you don't have an existing rule, choose Create a Receipt Rule. If you have an existing rule, choose Create a Rule Set.
    For Recipient, enter your recipient email address, choose Add Recipient, and then choose Next Step. You can select any of the following validation email addresses:
    administrator@your_domain
    hostmaster@your_domain
    postmaster@your_domain
    webmaster@your_domain
    admin@your_domain
    Note: Receipt rule sets have two states—active or disabled. Only one receipt rule set can be active at any time. For more information, see Activating and Disabling a Receipt Rule Set.
  3. Choose the Add action menu, and then select SNS.
  4. From the SNS topic menu, choose the SNS topic that you created earlier (for example, Validation-Email). For Encoding, choose UTF-8.
  5. Select the Add action menu, choose Stop Rule Set, and then choose Next Step.
  6. In Rule Details, for Rule name, enter Validation-Rule-Set, choose Next Step, and then choose Create Rule.

Resend the validation email and verify the domain

  1. Open the AWS Certificate Manager console.
  2. Select the Domain name, choose the Actions menu, choose Resend validation email, and then choose Resend.
  3. You receive an email message for each domain listed with the subject "Amazon SES Email Receipt Notification".
    Note: If the email isn't properly formatted, search the email for the text "\r\nTo approve this request, go to Amazon Certificate Approvals at\r\n". The certificate validation link follows this text.
  4. Follow the instructions to Use Email to Validate Domain Ownership.
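
The SNS email in step 3 carries the SES receipt notification as JSON, with the raw message in its "content" field. The following added example (not AWS code) decodes that message and returns the link after the phrase from the note. Refusing mail whose SES verdicts are not PASS is an added precaution, and the sample addresses and URL are constructed placeholders.

```python
import json
import re
from email import message_from_string, policy

# Phrase quoted in the note above; the approval link follows it.
MARKER = "To approve this request, go to Amazon Certificate Approvals at"
VERDICTS = ("spfVerdict", "dkimVerdict", "spamVerdict", "virusVerdict")

def extract_approval_link(sns_message: str) -> str:
    """Return the approval URL carried in an SES receipt notification."""
    note = json.loads(sns_message)
    if note.get("notificationType") != "Received":
        raise ValueError("not an SES receipt notification")
    # Do not surface a link from mail that failed SES's own checks.
    receipt = note.get("receipt", {})
    for name in VERDICTS:
        status = receipt.get(name, {}).get("status")
        if status != "PASS":
            raise ValueError(f"{name} is {status!r}, expected PASS")
    # "content" is the raw MIME message; decode it rather than grepping it,
    # so quoted-printable escapes such as =3D do not corrupt the URL.
    msg = message_from_string(note.get("content", ""), policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    if body is None:
        raise ValueError("no text/plain part in message")
    match = re.search(re.escape(MARKER) + r"\s+(https://\S+)", body.get_content())
    if match is None:
        raise ValueError("approval phrase not found")
    return match.group(1)

def sample_notification(dkim: str = "PASS") -> str:
    """Constructed notification; the addresses and URL are placeholders."""
    content = (
        "From: sender@example.com\r\n"
        "To: admin@example.com\r\n"
        "Subject: Certificate approval for example.com\r\n"
        "MIME-Version: 1.0\r\n"
        "Content-Type: text/plain; charset=UTF-8\r\n"
        "Content-Transfer-Encoding: quoted-printable\r\n\r\n"
        "Greetings,\r\n"
        f"{MARKER}\r\n"
        "https://approvals.example.com/approve?code=3DCONSTRUCTED\r\n"
    )
    receipt = {v: {"status": "PASS"} for v in VERDICTS}
    receipt["dkimVerdict"] = {"status": dkim}
    return json.dumps({"notificationType": "Received",
                       "receipt": receipt, "content": content})

if __name__ == "__main__":
    print(extract_approval_link(sample_notification()))
```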

After validating your ACM certificate, you can use the certificate with supported AWS resources in the same Region as the certificate. If you have AWS resources in multiple Regions, request a certificate from each Region.

Note: If you intend to use an ACM certificate with Amazon CloudFront, you must request or import the certificate in the US East (N. Virginia) Region. For more information, see AWS Region that You Request a Certificate In (for AWS Certificate Manager).