
How to create DNS TXT Record for Domain Control Validation (DCV)? 

Overview 

This article shows how to complete DCV by publishing a single DNS TXT record. You first copy the random value from the Sectigo portal, then work through the numbered Steps to fill in the record details, publish the record in the correct DNS zone, and verify propagation. The Certificate Authority (CA) reads the record from your authoritative DNS and marks the domain validated. 

Random value 

The random value is shown when you choose the DNS TXT method during DCV setup in your certificate management portal. Copy it exactly as displayed, including any '+' or '=' characters, and do not wrap it in quotes. 

Pre-requisites

 
  1. If you ordered your certificate from sectigo.com, the hash values are calculated and displayed in the Sectigo web interface after you complete Setup.

     If you ordered your certificate through a different channel, find the Validation Manager link in your order confirmation email.

Figure 1: Check status in Sectigo web interface  



Steps
  
Step 1 — Record details
 

Create a TXT record in the following format: 

  • Name: _pki-validation.subdomain.example.com. 

  • Type: TXT 

  • Value: QCw6C+nYGM6BSxgW0gd3Ig== 

Note: The value above is illustrative. Sectigo generates the actual random value when you start DCV for your order. 

Step 2 — Publish in the correct DNS zone 

Publish the TXT record in the public, authoritative DNS for the domain or subdomain shown in the record name. The CA must be able to resolve the record from the open internet — internal or split-horizon DNS will not work. If the record name uses a subdomain (for example, _pki-validation.www), add the record in the zone that is authoritative for that label. 

Step 3 — Verify propagation 

After the record is published, allow time for DNS propagation — usually a few minutes, sometimes a few hours. Then confirm the record is reachable from a public resolver: 

  • Google Dig Tool (toolbox.googleapps.com/apps/dig/) 

  • WhatsMyDNS.net (global TXT lookup) 

Troubleshooting 

| Symptom | Likely cause | Fix |
|---|---|---|
| Lookup returns no record | Record published in the wrong zone, or DNS has not propagated yet | Confirm the zone is authoritative for the record name; wait for Time To Live (TTL) to expire, then retry |
| Lookup returns the value with quotes | DNS UI added quotes around the value | Re-enter the value as the raw string with no surrounding quotes |
| Sectigo still reports the record missing after propagation | Typo or trailing whitespace in name or value | Compare both fields to the portal output character-for-character and re-save |
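The Step 3 lookup and the Troubleshooting symptoms above can be checked from a shell. The following is an added example, not Sectigo tooling: it compares `dig +short TXT` output with the portal's random value and names the likely problem. The function names `classify_txt` and `check_dcv` and the default resolver 8.8.8.8 are assumptions, and the sample input is constructed from the illustrative value in Step 1.

```shell
#!/bin/sh
# Added example (not Sectigo tooling): classify `dig +short TXT` output
# against the random value copied from the portal.

# classify_txt EXPECTED DIG_OUTPUT
# Prints one of: match | quoted | whitespace | mismatch | missing
classify_txt() {
    expected=$1
    output=$2
    if [ -z "$output" ]; then
        echo missing            # wrong zone, or not propagated yet
        return 0
    fi
    escq='\"'                   # how dig renders a quote stored inside the value
    result=mismatch
    while IFS= read -r line; do
        value=${line#\"}        # strip the quotes dig itself adds around TXT data
        value=${value%\"}
        trimmed=$(printf '%s' "$value" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        if [ "$value" = "$expected" ]; then
            result=match
            break
        elif [ "$value" = "$escq$expected$escq" ]; then
            result=quoted       # DNS UI stored literal quotes in the value
        elif [ "$trimmed" = "$expected" ] && [ "$result" = mismatch ]; then
            result=whitespace   # leading or trailing space in the stored value
        fi
    done <<EOF
$output
EOF
    echo "$result"
}

# check_dcv NAME EXPECTED [RESOLVER]: live lookup (needs network and dig).
# 8.8.8.8 is an assumed default public resolver.
check_dcv() {
    classify_txt "$2" "$(dig +short TXT "$1" "@${3:-8.8.8.8}")"
}

# Constructed sample: the illustrative value saved with literal quotes.
SAMPLE_VALUE='QCw6C+nYGM6BSxgW0gd3Ig=='
SAMPLE_DIG='"\"QCw6C+nYGM6BSxgW0gd3Ig==\""'
classify_txt "$SAMPLE_VALUE" "$SAMPLE_DIG"
```

`dig` always prints TXT data inside one pair of double quotes, so only an escaped `\"` inside that pair means quotes were stored as part of the value.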

Tips 

  • Lower the TTL on the zone before publishing if you expect to make corrections; long TTL values delay each retry. 

  • Do not include extra spaces or quotes around the TXT value. 

  • Propagation time varies by DNS provider — plan validation around your provider's typical refresh window. 

Similar questions 

  • What is the process for adding a DNS TXT record for SSL/TLS domain validation? 

  • How do I verify domain ownership using a DNS TXT record? 

  • What steps are involved in creating a DNS TXT record for certificate issuance? 
