

# AWS Certificate Manager email validation
<a name="email-validation"></a>

Before the Amazon certificate authority (CA) can issue a certificate for your site, AWS Certificate Manager (ACM) must verify that you own or control all of the domains that you specified in your request. You can perform verification using either email or DNS. This topic discusses email validation.

If you encounter problems using email validation, see [Troubleshoot email validation problems](troubleshooting-email-validation.md).

## How email validation works
<a name="how-email-validation-works"></a>

ACM sends validation email messages to the following five common system addresses for each domain. Alternatively, you can specify a superdomain as the validation domain if you want to receive these emails there instead. Any superdomain, down to the shortest registrable name, is valid and becomes the part of the address after `@`. For example, you receive an email at admin@example.com if you specify example.com as the validation domain for subdomain.example.com.
+ administrator@your_domain_name
+ hostmaster@your_domain_name
+ postmaster@your_domain_name
+ webmaster@your_domain_name
+ admin@your_domain_name

To prove that you own the domain, you must select the validation link included in these emails. ACM also sends validation emails to these same addresses to renew the certificate when the certificate is 45 days from expiry.

Email validation for multi-domain certificate requests using the ACM API or CLI results in an email message being sent by each requested domain, even if the request includes subdomains of other domains in the request. The domain owner needs to validate an email message for each of these domains before ACM can issue the certificate.

**Exception to this process**  
If you request an ACM certificate for a domain name that begins with **www** or a wildcard asterisk (**\***), ACM removes the leading **www** or asterisk and sends email to the administrative addresses. These addresses are formed by prepending admin@, administrator@, hostmaster@, postmaster@, and webmaster@ to the remaining portion of the domain name. For example, if you request an ACM certificate for www.example.com, email is sent to admin@example.com rather than to admin@www.example.com. Likewise, if you request an ACM certificate for \*.test.example.com, email is sent to admin@test.example.com. The remaining common administrative addresses are similarly formed.
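The address-derivation rules above (the five system mailboxes, an optional superdomain as validation domain, and the www/wildcard exception) as an added example; this is not AWS code, and the function names `email_domain_for`, `is_superdomain` and `validation_addresses` are my own.

```python
from typing import List, Optional

# The five common system mailboxes ACM writes to for each domain.
SYSTEM_MAILBOXES = ("administrator", "hostmaster", "postmaster", "webmaster", "admin")


def email_domain_for(domain: str) -> str:
    """Apply ACM's exception: drop a leading 'www.' or wildcard '*.' label."""
    d = domain.strip().lower().rstrip(".")
    if d.startswith("*."):
        return d[2:]
    if d.startswith("www."):
        return d[4:]
    return d


def is_superdomain(candidate: str, domain: str) -> bool:
    """True when candidate is domain itself or a label-aligned parent of it."""
    c, d = candidate.lower().rstrip("."), domain.lower().rstrip(".")
    return c == d or d.endswith("." + c)


def validation_addresses(domain: str, validation_domain: Optional[str] = None) -> List[str]:
    """Return the five addresses ACM emails for `domain`.

    validation_domain, if given, must be the domain or one of its superdomains;
    anything else (a sibling, or a suffix that is not label-aligned) is rejected."""
    base = email_domain_for(domain)
    if validation_domain is not None:
        vd = validation_domain.strip().lower().rstrip(".")
        if not is_superdomain(vd, base):
            raise ValueError(f"{validation_domain} is not a superdomain of {domain}")
        base = vd
    return [f"{mailbox}@{base}" for mailbox in SYSTEM_MAILBOXES]
```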

**Important**  
ACM no longer supports WHOIS email validation for new certificates or renewals. Common system addresses remain supported. For details, see [blog post](https://aws.amazon.com/blogs/security/aws-certificate-manager-will-discontinue-whois-lookup-for-email-validated-certificates/).

## Considerations
<a name="certificate-considerations"></a>

Observe the following considerations about email validation.
+ You need a working email address registered in your domain in order to use email validation. Procedures for setting up an email address are outside the scope of this guide.
+ Validation applies only to publicly trusted certificates issued by ACM. ACM does not validate domain ownership for [imported certificates](import-certificate.md) or for certificates signed by a private CA. ACM cannot validate resources in an Amazon VPC [private hosted zone](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-private-hosted-zones) or any other private domain. For more information, see [Troubleshoot certificate validation](certificate-validation.md).
+ After you create a certificate with email validation, you cannot switch to validating it with DNS. To use DNS validation, delete the certificate and then create a new one that uses DNS validation.

## Certificate expiration and renewal
<a name="renewal"></a>

ACM certificates are valid for 198 days. Renewing a certificate requires action by the domain owner. ACM begins sending renewal notices to the email addresses associated with the domain 45 days before expiration. The notifications contain a link that the domain owner can click for renewal. Once all listed domains are validated, ACM issues a renewed certificate with the same ARN.

## (Optional) Resend validation email
<a name="gs-acm-resend"></a>

Each validation email contains a token that you can use to approve a certificate request. However, because the validation email required for the approval process can be blocked by spam filters or lost in transit, the token automatically expires after 72 hours. If you do not receive the original email or the token has expired, you can request that the email be resent. For information about how to resend a validation email, see [Resend validation email](email-renewal-validation.md#request-domain-validation-email-for-renewal).

For persistent problems with email validation, see the [Troubleshoot email validation problems](troubleshooting-email-validation.md) section in [Troubleshoot issues with AWS Certificate Manager](troubleshooting.md).

# Automate AWS Certificate Manager email validation
<a name="email-automation"></a>

Email-validated ACM certificates normally require manual action by the domain owner. Organizations dealing with large numbers of email-validated certificates may prefer to create a parser that can automate the required responses. To assist customers using email validation, the information in this section describes the templates used for domain validation email messages and the workflow involved in completing the validation process. 

## Validation email templates
<a name="validation-email-template"></a>

Validation email messages have one of the following two formats, depending on whether a new certificate is being requested or an existing certificate is being renewed. The placeholder strings in the templates (`requested_domain`, `fqdn`, `account_id`, `region_name`, `certificate_identifier`, `validation_code`, and `validation_context`) are replaced with values specific to the domain being validated.

### Validating a new certificate
<a name="new-template"></a>

Email template text:

```
Greetings from Amazon Web Services,

We received a request to issue an SSL/TLS certificate for requested_domain.

Verify that the following domain, AWS account ID, and certificate identifier correspond 
to a request from you or someone in your organization.

Domain: fqdn
AWS account ID: account_id
AWS Region name: region_name
Certificate Identifier: certificate_identifier

To approve this request, go to Amazon Certificate Approvals 
(https://region_name.acm-certificates.amazon.com/approvals?code=validation_code&context=validation_context) 
and follow the instructions on the page.

This email is intended solely for authorized individuals for fqdn. To express any concerns
about this email or if this email has reached you in error, forward it along with a brief 
explanation of your concern to validation-questions@amazon.com.

Sincerely,
Amazon Web Services
```

### Validating a certificate for renewal
<a name="renewal-template"></a>

Email template text:

```
Greetings from Amazon Web Services,

We received a request to issue an SSL/TLS certificate for requested_domain. 
This email is a request to validate ownership of the domain in order to renew
the existing, currently in use, certificate. Certificates have defined 
validity periods and email validated certificates, like this one, require you 
to re-validate for the certificate to renew.

Verify that the following domain, AWS account ID, and certificate identifier 
correspond to a request from you or someone in your organization.

Domain: fqdn
AWS account ID: account_id
AWS Region name: region_name
Certificate Identifier: certificate_identifier

To approve this request, go to Amazon Certificate Approvals at
https://region_name.acm-certificates.amazon.com/approvals?code=$validation_code&context=$validation_context
and follow the instructions on the page.

This email is intended solely for authorized individuals for fqdn. You can see
more about how AWS Certificate Manager validation works here - 
https://docs.aws.amazon.com/acm/latest/userguide/email-validation.html.
To express any concerns about this email or if this email has reached you in 
error, forward it along with a brief explanation of your concern to 
validation-questions@amazon.com.

Sincerely,
Amazon Web Services

--
Amazon Web Services, Inc. is a subsidiary of Amazon.com, Inc. Amazon.com is a
registered trademark of Amazon.com, Inc.

This message produced and distributed by Amazon Web Services, Inc.,
410 Terry Ave. North, Seattle, WA 98109-5210.

(c)2015-2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Our privacy policy is posted at https://aws.amazon.com/privacy
```

Once you receive a new validation message from AWS, we recommend that you use it as the most up-to-date and authoritative template for your parser. Customers with message parsers designed before November 2020 should note the following changes that may have been made to the template:
+ The email subject line now reads `Certificate request for domain name` instead of `Certificate approval for domain name`.
+ The `AWS account ID` is now presented without dashes or hyphens.
+ The `Certificate Identifier` now presents the entire certificate ARN instead of a shortened form, for example, `arn:aws:acm:us-east-1:000000000000:certificate/3b4d78e1-0882-4f51-954a-298ee44ff369` rather than `3b4d78e1-0882-4f51-954a-298ee44ff369`.
+ The certificate approval URL now contains `acm-certificates.amazon.com` instead of `certificates.amazon.com`.
+ The approval form opened by clicking the certificate approval URL now contains the approval button. The name of the approval button div is now `approve-button` instead of `approval_button`.
+ Validation messages for both newly requested certificates and renewing certificates have the same email format.
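A parser for the templates above, added here as an example rather than AWS-provided code. It extracts the four fields and the approval URL and hands back the code/context only when the account ID, region, full ARN (post-November-2020 form) and approval host all agree with the request you expect, which is the check an automated approver should make before following any link. The sample message, `SAMPLE_EMAIL`, and `parse_validation_email` are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample following the new-certificate template above; the account
# ID, ARN and code/context values are placeholders, not real ones.
SAMPLE_EMAIL = """Domain: example.com
AWS account ID: 000000000000
AWS Region name: us-east-1
Certificate Identifier: arn:aws:acm:us-east-1:000000000000:certificate/3b4d78e1-0882-4f51-954a-298ee44ff369

To approve this request, go to Amazon Certificate Approvals
(https://us-east-1.acm-certificates.amazon.com/approvals?code=CODE123&context=CTX456)
and follow the instructions on the page."""

REQUIRED = {"Domain", "AWS account ID", "AWS Region name", "Certificate Identifier"}
FIELD_RE = re.compile(r"^(Domain|AWS account ID|AWS Region name|Certificate Identifier): (\S+)$", re.M)
URL_RE = re.compile(r"https://\S+?/approvals\?[^\s)]+")
# Post-November-2020 format: the identifier is the full certificate ARN.
ARN_RE = re.compile(r"^arn:aws:acm:([a-z0-9-]+):(\d{12}):certificate/[0-9a-f-]{36}$")


def parse_validation_email(body, expected_account, expected_domains):
    """Extract the validation fields; raise ValueError if anything is off."""
    fields = dict(FIELD_RE.findall(body))
    if missing := REQUIRED - set(fields):
        raise ValueError(f"missing fields: {sorted(missing)}")
    arn = fields["Certificate Identifier"]
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError("certificate identifier is not a full ACM ARN")
    arn_region, arn_account = m.groups()
    region, account = fields["AWS Region name"], fields["AWS account ID"]
    if account != expected_account or arn_account != expected_account or arn_region != region:
        raise ValueError("account ID or region does not match the request we made")
    if fields["Domain"] not in expected_domains:
        raise ValueError(f"unexpected domain {fields['Domain']}")
    found = URL_RE.search(body)
    if not found:
        raise ValueError("no approval URL found")
    url = found.group(0)
    parts = urlsplit(url)
    # Only the genuine approvals endpoint for this region is acceptable.
    if parts.scheme != "https" or parts.hostname != f"{region}.acm-certificates.amazon.com":
        raise ValueError(f"approval link host {parts.hostname!r} is not the ACM endpoint")
    qs = parse_qs(parts.query)
    code, context = qs.get("code", [""])[0], qs.get("context", [""])[0]
    if not code or not context:
        raise ValueError("approval URL lacks code/context")
    return {"domain": fields["Domain"], "account_id": account, "region": region,
            "certificate_arn": arn, "approval_url": url, "code": code, "context": context}
```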

## Validation workflow
<a name="validation-workflow"></a>

This section describes the validation workflow for email-validated certificates.
+ When the ACM console processes a multi-domain certificate request, it sends validation email messages to the domain name or the validation domain that you specify when you request a public certificate. The domain owner needs to validate an email message for each domain before ACM can issue the certificate. For more information, see [Using Email to Validate Domain Ownership](https://docs.aws.amazon.com/acm/latest/userguide/email-validation.html). 
+ Email validation for multi-domain certificate requests using the ACM API or CLI results in an email message being sent by each requested domain, even if the request includes subdomains of other domains in the request. The domain owner needs to validate an email message for each of these domains before ACM can issue the certificate.

  If you resend emails for an existing certificate through the ACM console, emails will be sent to the validation domain specified in the original certificate request, or the exact domain if no validation domain was specified. To receive validation emails at a different domain, you can request a new certificate, specifying the validation domain that you want to use for validation. Alternatively, you can call [ResendValidationEmail](https://docs.aws.amazon.com/acm/latest/APIReference/API_ResendValidationEmail.html) with the `ValidationDomain` parameter using the API, SDK, or CLI. However, the validation domain specified in the `ResendValidationEmail` request is only used for that call and is not saved to the certificate Amazon Resource Name (ARN) for future validation emails. You must call `ResendValidationEmail` each time you wish to receive a validation email at a domain name that was not specified in the original certificate request.
**Note**  
Prior to November 2020, customers needed to validate only the apex domain and ACM would issue a certificate that also covered any subdomains. Customers with message parsers designed before that time should note the change to the email validation workflow.
+ With the ACM API or CLI, you can force all validation email messages for a multi-domain certificate request to be sent to the apex domain. In the API, use the `DomainValidationOptions` parameter of the [RequestCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RequestCertificate.html) action to specify a value for `ValidationDomain`, which is a member of the [DomainValidationOption](https://docs.aws.amazon.com/acm/latest/APIReference/API_DomainValidationOption.html) type. In the CLI, use the **--domain-validation-options** parameter of the [request-certificate](https://docs.aws.amazon.com/cli/latest/reference/acm/request-certificate.html) command to specify a value for `ValidationDomain`.
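The two API paths just described, as an added example that is not AWS's own code: `domain_validation_options` builds the `DomainValidationOptions` list so that every domain's validation mail goes to one validation domain (the apex), and the two boto3 calls use the `RequestCertificate` and `ResendValidationEmail` parameters named above. The helper names are mine; checking wildcard coverage against the name with `*.` removed mirrors the exception described earlier and is my assumption about how the check should be applied. boto3 is imported inside the calling functions so the builder stays usable without AWS credentials.

```python
from typing import Dict, List


def _same_or_superdomain(validation_domain: str, domain: str) -> bool:
    vd, d = validation_domain.lower().rstrip("."), domain.lower().rstrip(".")
    return vd == d or d.endswith("." + vd)


def domain_validation_options(domains: List[str], validation_domain: str) -> List[Dict[str, str]]:
    """Build DomainValidationOptions routing every domain's validation email to
    validation_domain (typically the apex). A domain that validation_domain does
    not cover is rejected, because only the domain itself or a superdomain is valid."""
    options = []
    for domain in domains:
        # Assumption: ACM strips a leading wildcard before deriving mail addresses,
        # so coverage is checked against the remainder of the name.
        bare = domain[2:] if domain.startswith("*.") else domain
        if not _same_or_superdomain(validation_domain, bare):
            raise ValueError(f"{validation_domain} does not cover {domain}")
        options.append({"DomainName": domain, "ValidationDomain": validation_domain})
    return options


def request_email_validated_certificate(domains: List[str], validation_domain: str, region: str) -> str:
    """RequestCertificate with EMAIL validation; needs boto3 and AWS credentials."""
    import boto3  # imported here so the pure builder above works offline

    kwargs = {
        "DomainName": domains[0],
        "ValidationMethod": "EMAIL",
        "DomainValidationOptions": domain_validation_options(domains, validation_domain),
    }
    if len(domains) > 1:
        kwargs["SubjectAlternativeNames"] = domains[1:]
    return boto3.client("acm", region_name=region).request_certificate(**kwargs)["CertificateArn"]


def resend_to_validation_domain(certificate_arn: str, domain: str, validation_domain: str, region: str) -> None:
    """ResendValidationEmail; the ValidationDomain given here applies to this call
    only and is not stored on the certificate, so pass it on every resend."""
    import boto3

    boto3.client("acm", region_name=region).resend_validation_email(
        CertificateArn=certificate_arn, Domain=domain, ValidationDomain=validation_domain
    )
```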