Validation Contact E-Mail Domain Name System (DNS) Records

When you order an SSL Certificate, the Certificate Authority (CA) must confirm that you control the domain before the SSL Certificate can be issued. One common way to prove that control is to receive an approval e-mail at an address on the domain. A _validation-contactemail record lets you choose which address that is.

This record helps when none of the standard approver e-mail addresses work for your domain. It is a Domain Name System (DNS) TXT record that publishes an alternative contact address, which the Certificate Authority (CA) can then use to send the validation e-mail. Learn About Domain Validation 🔗

The Five Standard Approver E-Mail Addresses

Before looking at the record itself, it helps to know the default addresses. The Certificate Authority (CA) will only send a validation e-mail to a small, fixed set of addresses at the domain being validated.

Those addresses are admin, administrator, hostmaster, postmaster, and webmaster, each at your own domain. For a domain of example.com, that means admin@example.com through to webmaster@example.com. If you can receive e-mail at one of these, you do not need a _validation-contactemail record at all.

Historically, some approvals used a contact address found through WHOIS. That option has been removed. Since July 15, 2025, the Certificate Authority (CA) no longer accepts WHOIS based domain validation, in line with Ballot SC-80v3.

With WHOIS retired, two e-mail routes remain : one of the five standard addresses above, or an address you publish yourself using a _validation-contactemail record.

Publishing a Validation Contact E-Mail Record

You create a single Domain Name System (DNS) TXT record where your domain's records are managed. The Certificate Authority (CA) reads that record and treats the address inside it as a valid destination for the approval e-mail.

The host portion is _validation-contactemail at your domain and the record type is TXT. Its value is the e-mail address that should receive the approval message.

Host  : _validation-contactemail
Type  : TXT
Value : ssl@example.com

For a domain of example.com, that record resolves to the full name _validation-contactemail.example.com. The value can be any working address you control, and it does not have to be an address at the same domain.

After the record is published and visible, the Certificate Authority (CA) can offer that address as an approver. You still complete validation the same way : you receive the e-mail, open it, and follow the confirmation link inside.

Note : A _validation-contactemail record only changes where the approval e-mail is sent. It does not skip the approval step. Someone must still receive that e-mail and follow the confirmation link for validation to complete.

Because the method still relies on an e-mail being received and actioned, publish an address that is actively monitored and can accept mail from the Certificate Authority (CA).

If the approval e-mail does not arrive, the usual cause is a mail filter or an unchecked address rather than the record itself. Find Out More About E-Mails Not Arriving 🔗

Selecting the Method During Ordering and in Tracking

Trustico® may present additional validation options during the order process, and the approver e-mail can also be set within the order tracking system afterward. Where a _validation-contactemail record is found for your domain, the address it holds can be offered as one of those options.

This means you can set your preferred approver e-mail when you place the order, or change it later in tracking without starting a new order. The exact options shown depend on what the Certificate Authority (CA) can confirm for your domain at that moment.

The Best Effort Nature of This Method

Publishing the record does not make the address usable the instant you order. Several conditions have to line up first, and some of them sit outside what Trustico® is able to control.

First, the record has to exist and propagate. New or changed Domain Name System (DNS) records are not visible everywhere immediately, and the Certificate Authority (CA) can only use a record once it can actually see it.

Second, Trustico® operates its own cache with a lifetime of around 15 minutes. Separately, the Certificate Authority (CA) does not always return the TXT value on the first attempt. Together these can create a window of roughly 15 minutes before a newly published address is usable.

If the address is not offered yet, the usual reason is that the record has not propagated or has not cleared these caches. Waiting a short time and trying again is normally all that is needed.

Important : After you publish or change a _validation-contactemail record, allow at least 15 minutes before expecting it to appear as an option. If it is not shown straight away, wait and try again rather than assuming it has failed.

This short wait applies whenever the record changes, not only the first time it is created. The same delay can apply if you correct a mistake in the address or point it to a new mailbox.

Other Records and Validation Methods

The _validation-contactemail record covers one specific need : nominating an approver e-mail. It helps to know what sits alongside it, so you can pick the right approach for your domain.

At the Domain Name System (DNS) level, a Certification Authority Authorization (CAA) record can also hold a contact property. That is a separate mechanism, used mainly to state which Certificate Authorities (CAs) may issue SSL Certificates for your domain. Learn About Certification Authority Authorization Records 🔗

If you would rather not use e-mail approval at all, file based validation lets you prove control by placing a file on your web server instead. Other Domain Name System (DNS) based methods work in a similar way, without an approval e-mail. Explore File Based Authentication 🔗

Completing Your Validation

Once the record is published and the address appears as an option, the rest of the process does not change. You receive the approval e-mail, open it, and follow the confirmation link to prove control of the domain.

After control is confirmed, the Certificate Authority (CA) can issue the SSL Certificate. The same record can be used again if you later reissue the SSL Certificate and validation is required a second time.

For the full picture of how domain control is confirmed, and the other methods that can be used, the main validation guidance walks through each option in detail. Explore Our Complete Validation Guide 🔗

Most Popular Questions

Frequently asked questions covering the _validation-contactemail Domain Name System (DNS) record, how it nominates an approver e-mail for SSL Certificate validation, and the timing to expect when publishing or changing it.

Purpose of a Validation Contact E-Mail Record

A _validation-contactemail record is a Domain Name System (DNS) TXT record that publishes an e-mail address for SSL Certificate approval. The Certificate Authority (CA) can send the validation e-mail to that address when none of the standard approver addresses suit your domain.

Placing a Validation Contact E-Mail Record

Create a Domain Name System (DNS) TXT record with the host _validation-contactemail at your domain, so the full name reads _validation-contactemail.example.com. Set the value to the e-mail address that should receive the approval message.

Standard Approver E-Mail Addresses

The Certificate Authority (CA) accepts approval e-mail at admin, administrator, hostmaster, postmaster, and webmaster on the domain being validated. If you can receive mail at one of these, a _validation-contactemail record is not needed. WHOIS based validation is no longer available.

Best Effort Nature of Additional Validation Methods

The record has to be published and fully propagated before the Certificate Authority (CA) can see it, so the address may not be available the instant you order. Because several systems are involved, the method works on a best effort basis rather than being guaranteed at once.

Caching Delays and Retrying Validation

Trustico® holds its own cache of around 15 minutes, and the Certificate Authority (CA) does not always return the TXT value on the first attempt. Allow at least 15 minutes after publishing or changing the record, then try again if the address is not offered yet.

Ask Trustico® Assistant

For Instant Answers - Start Here When You Have a Question or Need Help

SSL Certificates and Front-of-Site Services Like Cloudflare

SSL Certificates and Front-of-Site Services Lik...

Learn how front-of-site services like Cloudflare affect which SSL Certificate visitors see and how to apply your purchased SSL Certificate to them.

SSL Certificates and Front-of-Site Services Lik...

Learn how front-of-site services like Cloudflare affect which SSL Certificate visitors see and how to apply your purchased SSL Certificate to them.

Understanding X9 Certificates and the Public Trust Model

Understanding X9 Certificates and the Public Tr...

Learn what X9 Certificates are, how X9 PKI differs from public browser trust, and why they are not a substitute for a publicly trusted SSL Certificate.

Understanding X9 Certificates and the Public Tr...

Learn what X9 Certificates are, how X9 PKI differs from public browser trust, and why they are not a substitute for a publicly trusted SSL Certificate.

Why Your SSL Certificate Type and Brand Matter by Industry

Why Your SSL Certificate Type and Brand Matter ...

Why the type and brand of SSL Certificate matter across regulated industries, who examines your validation standing, and what is at stake when they do.

Why Your SSL Certificate Type and Brand Matter ...

Why the type and brand of SSL Certificate matter across regulated industries, who examines your validation standing, and what is at stake when they do.

Revocation Status Errors on a Valid SSL Certificate

Revocation Status Errors on a Valid SSL Certifi...

A revocation status error such as RevocationStatusUnknown can appear on a valid SSL Certificate. Learn how to confirm it is not revoked and what to do next.

Revocation Status Errors on a Valid SSL Certifi...

A revocation status error such as RevocationStatusUnknown can appear on a valid SSL Certificate. Learn how to confirm it is not revoked and what to do next.

Website Security Checks : Essential Steps to Protect Your Business Online

Website Security Checks : Essential Steps to Pr...

Keep your website secure with the SSL Certificate checks that matter most, from expiry and chain coverage to validation levels, issuance controls, and automation.

Website Security Checks : Essential Steps to Pr...

Keep your website secure with the SSL Certificate checks that matter most, from expiry and chain coverage to validation levels, issuance controls, and automation.

Installing an S/MIME E-Mail Certificate in Mozilla Thunderbird

Installing an S/MIME E-Mail Certificate in Mozi...

Import a PKCS12 E-Mail Certificate into Mozilla Thunderbird, assign it for signing and encryption, and exchange secured messages with any recipient.

Installing an S/MIME E-Mail Certificate in Mozi...

Import a PKCS12 E-Mail Certificate into Mozilla Thunderbird, assign it for signing and encryption, and exchange secured messages with any recipient.

1 / 6