How does the email challenge-response method work for Domain Control Validation (DCV)?
Overview
By the end of this article you will understand how Sectigo, acting as the Certificate Authority (CA), uses the email challenge-response flow to complete Domain Control Validation (DCV) for an SSL/TLS certificate. The article walks through the steps in the email challenge-response flow, lists the acceptable email addresses Sectigo will use, and gives the steps to publish a Domain Name System (DNS) Text (TXT) contact email record so an address at your domain can receive the validation email. It closes with what happens when ordering through Sectigo's web interface and a set of troubleshooting tips for common issues.
Steps in the email challenge-response flow
The flow has three stages — the first two are driven by Sectigo as the CA, and the third is performed by you.
Step 1 — Place the certificate order
During the certificate request, Sectigo builds a list of acceptable email addresses based on the domain in the Certificate Signing Request (CSR).
Step 2 — Sectigo sends the validation email
Sectigo sends a validation email containing a unique code and a verification link to the address you select from that list.
Step 3 — Confirm control from the email
Open the email, click the verification link, and enter the code shown in the message to confirm control over the domain.
Acceptable email addresses
These constructed addresses at the domain are valid for DCV:
A contact email address published in the domain's DNS Text (TXT) record is also acceptable. See the next section for the required format.
Steps to publish a DNS TXT contact email record
If you cannot use one of the constructed addresses, publish a DNS TXT record that names a contact email. The record must follow strict formatting rules — no extra text or quotes around the value other than as shown in the example.
Step 1 — Add a new record
In your DNS provider's console, click Add new record.
Figure 1: Add new Record in DNS
Step 2 — Select TXT as the record type
Choose TXT Record from the record-type list.
Figure 2: Select TXT Record in DNS
Step 3 — Set the hostname and value
- Hostname must be exactly _validation-contactemail.yourdomain.com.
- Value must be a single valid email address — no additional text, formatting, or quotes.
Figure 3: add a valid email id in DNS
Step 4 — Set TTL to the minimum
Set the Time-To-Live (TTL) to the lowest value your provider allows so the record propagates quickly across DNS resolvers.
Note: Example DNS TXT record (use either form depending on whether your provider auto-appends the domain):
_validation-contactemail IN TXT "[email protected]"
or
_validation-contactemail.yourdomain.com IN TXT "[email protected]"
Figure 4: set TTL to minimum in DNS
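The hostname and value rules from Step 3 can be checked before saving the record. The sketch below is an added example, not Sectigo's code or validator. It assumes `value` is the TXT string content without the zone-file delimiter quotes, and the domain `example.com`, the address `pki-admin@example.com`, the email pattern and the function names are all constructed for illustration.

```python
import re

LABEL = "_validation-contactemail"
# Simple address pattern: an assumption of this example, not Sectigo's own validator.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def effective_name(host_field, zone, auto_append):
    """FQDN that ends up published for what was typed into the hostname field."""
    host = host_field.strip().rstrip(".").lower()
    zone = zone.strip().rstrip(".").lower()
    return f"{host}.{zone}" if auto_append else host


def check_record(host_field, value, zone, auto_append):
    """Return a list of problems; an empty list means the record follows the rules."""
    problems = []
    zone_n = zone.strip().rstrip(".").lower()
    expected = f"{LABEL}.{zone_n}"
    actual = effective_name(host_field, zone, auto_append)
    if actual == f"{expected}.{zone_n}":
        problems.append(f"domain appended twice: {actual}")
    elif actual != expected:
        problems.append(f"hostname is {actual}, expected {expected}")
    v = value.strip()
    if v != value:
        problems.append("value has leading or trailing whitespace")
    if not v:
        problems.append("value is empty")
    elif '"' in v or "'" in v:
        problems.append("value contains literal quote characters")
    elif re.search(r"[\s,;]", v) or v.lower().startswith("mailto:"):
        problems.append("value contains text other than one address")
    elif not EMAIL_RE.match(v):
        problems.append("value is not a valid email address")
    return problems


ZONE = "example.com"
SAMPLES = [  # constructed: (hostname field, value, provider auto-appends the zone?)
    ("_validation-contactemail", "pki-admin@example.com", True),
    ("_validation-contactemail.example.com", "pki-admin@example.com", True),
    ("_validation-contactemail.example.com", '"pki-admin@example.com"', False),
    ("_validation-contactemail.example.com", "Contact: pki-admin@example.com", False),
    ("validation-contactemail", "pki-admin@example.com", True),
]

if __name__ == "__main__":
    for host, value, auto in SAMPLES:
        print(host, repr(value), auto, "->", check_record(host, value, ZONE, auto) or "OK")
```

The second sample shows the mistake behind the two forms in the note: typing the full hostname into a provider that auto-appends the domain publishes the record under a doubled name.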
Troubleshooting tips
- Make sure the selected email address is active and monitored.
- Check spam and junk folders for the validation email.
- If using a DNS TXT record, confirm the record is published correctly and has propagated using a public DNS lookup tool.
- If you do not have access to any of the constructed email addresses or a contact TXT record, choose an alternative DCV method (DNS CNAME, HTTP, or HTTPS).
Related articles: https://www.sectigo.com/knowledge-base/detail/complete-domain-validation