Troubleshoot email validation problems
Consult the following guidance if you are having trouble validating a certificate domain with email.
Topics
Not receiving validation email
When you request a certificate from ACM and choose email validation, domain validation email is sent to the five common administrative addresses. For more information, see Amazon Certificate Manager email validation. If you are experiencing problems receiving validation email, review the suggestions that follow.
- Where to look for email
-
ACM sends validation email messages to your requested domain name. You can also specify a superdomain as a validation domain if you wish to receive these emails at that domain instead. Any subdomain up to the minimal website address is valid, and is used as the domain for the email address as the suffix after @. For example, you can receive an email to admin@example.com if you specify example.com as the validation domain for subdomain.example.com. Review the list of email addresses that are displayed in the ACM console (or returned from the CLI or API) to determine where you should be looking for validation email. To see the list, click the icon next to the domain name in the box labeled Validation not complete.
- The email is marked as spam
-
Check your spam folder for the validation email.
- GMail automatically sorts your email
-
If you are using GMail, the validation email may have been automatically sorted into the Updates or Promotions tabs.
- The domain registrar does not display contact information or privacy protection is enabled
-
For domains purchased from Route 53, privacy protection is enabled by default and your email address is mapped to a
whoisprivacyservice.org
,contact.gandi.net
, oridentity-protect.org
email address. Ensure that your registrant email address on file with your domain registrar is up to date so that the email sent to these obscured email addresses can be forwarded to an email address that you control.Note
Privacy protection for some domains that your purchase with Route 53 will be enabled even if you choose to make your contact information public. For example, privacy protection for the .ca top level domain cannot be programmatically disabled by Route 53. You must contact the Amazon Support Center
and request that privacy protection be disabled. After making available at least one of the eight email addresses to which Amazon sends validation email and confirming that you can receive email for that address, you are ready to request a certificate through ACM. After you make a certificate request, ensure the intended email address appears in the list of email addresses in the Amazon Web Services Management Console. While the certificate is in the Pending validation state, you can expand the list to view it by clicking the icon next to the domain name in the box labeled Validation not complete. You can also view the list in Step 3: Validate of the ACM Request a Certificate wizard. The listed email addresses are the ones to which email was sent.
- Contact the Support Center
-
If, after reviewing the preceding guidance, you still don't receive the domain validation email, please visit the Amazon Web Services Support Center
and create a case. If you don't have a support agreement, post a message to the ACM Discussion Forum .
Persistent initial timestamp for email validation
The timestamp of a certificate's first email-validation request persists through later requests for validation renewal. This is not evidence of an error in ACM operations.
I can't switch to DNS validation
After you create a certificate with email validation, you cannot switch to validating it with DNS. To use DNS validation, delete the certificate and then create a new one that uses DNS validation.