WHOIS Email DCV Deprecation

Upcoming changes impacting WHOIS-based domain-validation

Recent vulnerabilities in the domain name WHOIS system have highlighted the WHOIS-based domain-validation method as a weakness in the process of validating publicly-trusted digital certificates.

A ballot is expected to pass in the CA/Browser Forum (CABF) requiring that WHOIS-listed email addresses are no longer acceptable for domain validation, nor can historic domain validations based on WHOIS email addresses be reused.

As a result, Sectigo and all other public Certificate Authorities will be required to:

No longer allow WHOIS-based email addresses for domain validation.
No longer allow certificates to be issued based on a WHOIS email address validation. Domains must be re-validated using an accepted, non-WHOIS method.

We will continue to update this page whenever new developments occur.

FAQs

What should I do now?

If you have any existing domain validations affected, you will need to re-verify them using alternative DCV methods.

If you do not do so, no certificates will be issued for those name(s) until a new domain validations is completed using an accepted method, after the affective date.

Which domain validation/DCV methods are still available?

Email, DNS and HTTP methods are still available.

Email validation is still accepted using 'constructed' email addresses - admin@, administrator@, hostmaster@, postmaster@ and webmaster@ yourdomain.com.

However, we strongly recommend that you look to use DNS-based domain validation as this can be more easily automated in preparation for shorter-lifetime certificates.

Are my certificates being revoked?

No. No certificates that were validated based on WHOIS emails will be revoked. However, after a date yet to confirmed, no more certificates can be issued based on WHOIS email validation, so you will need to re-validate your domain(s) using accepted methods.

Please contact Sectigo Support or your Account Manager if you have any further questions.