Troubleshoot email validation problems - Amazon Certificate Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Troubleshoot email validation problems

Consult the following guidance if you are having trouble validating a certificate domain with email.

Not receiving validation email

When you request a certificate from ACM and choose email validation, domain validation email is sent to the five common administrative addresses. For more information, see Amazon Certificate Manager email validation. If you are experiencing problems receiving validation email, review the suggestions that follow.

Where to look for email

ACM sends validation email messages to your requested domain name. You can also specify a superdomain as a validation domain if you wish to receive these emails at that domain instead. Any subdomain up to the minimal website address is valid, and is used as the domain for the email address as the suffix after @. For example, you can receive an email to admin@example.com if you specify example.com as the validation domain for subdomain.example.com. Review the list of email addresses that are displayed in the ACM console (or returned from the CLI or API) to determine where you should be looking for validation email. To see the list, click the icon next to the domain name in the box labeled Validation not complete.

The email is marked as spam

Check your spam folder for the validation email.

GMail automatically sorts your email

If you are using GMail, the validation email may have been automatically sorted into the Updates or Promotions tabs.

The domain registrar does not display contact information or privacy protection is enabled

For domains purchased from Route 53, privacy protection is enabled by default and your email address is mapped to a whoisprivacyservice.org, contact.gandi.net, or identity-protect.org email address. Ensure that your registrant email address on file with your domain registrar is up to date so that the email sent to these obscured email addresses can be forwarded to an email address that you control.

Note

Privacy protection for some domains that your purchase with Route 53 will be enabled even if you choose to make your contact information public. For example, privacy protection for the .ca top level domain cannot be programmatically disabled by Route 53. You must contact the Amazon Support Center and request that privacy protection be disabled.

After making available at least one of the eight email addresses to which Amazon sends validation email and confirming that you can receive email for that address, you are ready to request a certificate through ACM. After you make a certificate request, ensure the intended email address appears in the list of email addresses in the Amazon Web Services Management Console. While the certificate is in the Pending validation state, you can expand the list to view it by clicking the icon next to the domain name in the box labeled Validation not complete. You can also view the list in Step 3: Validate of the ACM Request a Certificate wizard. The listed email addresses are the ones to which email was sent.

Contact the Support Center

If, after reviewing the preceding guidance, you still don't receive the domain validation email, please visit the Amazon Web Services Support Center and create a case. If you don't have a support agreement, post a message to the ACM Discussion Forum.

Persistent initial timestamp for email validation

The timestamp of a certificate's first email-validation request persists through later requests for validation renewal. This is not evidence of an error in ACM operations.

I can't switch to DNS validation

After you create a certificate with email validation, you cannot switch to validating it with DNS. To use DNS validation, delete the certificate and then create a new one that uses DNS validation.