Bobcares

All about AWS ACM email validation

by | Oct 25, 2021

AWS ACM email validation is not working? Our Support Team is here to help you out.

At Bobcares, we come up with solutions for every query as a part of our AWS Support Services.

Let’s take a look at how our talented Support Engineers resolved this specific issue.

What is AWS ACM email validation?

AWS Certificate Manager is responsible for sending validation emails to the 5 common system addresses provided that an MX record exists for the domain.

A domain validation email also goes out to the email addresses associated with the technical contact, domain registrant, and administrative contact fields in the WHOIS listing.

Unfortunately, some domain registrars do not include the contact information in WHOIS. ACM certificate issuance or renewal is affected if:

  • The contact email address is not present in your domain registrar WHOIS data.
  • Custom email addresses are used for certificate validation in WHOIS.

The WHOIS lookup searches for the email addresses in the technical contact, domain registrant, and administrative contact fields.

Our Support Engineers recommend verifying the listed email address with a WHOIS query. For instance, you will receive a reply similar to the following if everything is in order:

Registrant Contact
Name: Data Protected Data Protected
Organization: Data Protected
Mailing Address: 124 Data Protected, Toronto ON M5K 3M1 CA
Phone: +1.0000000000
Ext:
Fax: +1.0000000000
Fax Ext:
Email:noreply@data-protected.net

How to resolve AWS ACM email validation error?

Our Support Team has come up with two ways to accomplish AWS ACM email validation. You can choose either one based on the effort required or preference.

AWS ACM email validation via email

It is always a good idea to verify at least one of the 5 default email addresses to ensure it is valid and monitored regularly. You can select the link in the validation email to proceed with the validation.

In case you have not received any email, you have to verify whether the domain has at least one existing MX record by running the following commands:

For Linux and macOS:

$ dig mx example.com

For Windows:

$ nslookup -q=mx example.com

The mail servers specified in the MX records will receive the validation emails as seen below:

;; ANSWER SECTION:
example.com.             599     IN      MX      10 mail1.example.com.
example.com.             599     IN      MX      20 mail2.example.com.

If you do not have an MX record or if your domain registrar does not support email forwarding, we have a solution for that as well. You can use Amazon Simple Email Service (Amazon SES) and Amazon Simple Notification Service (Amazon SNS) to get the job done.

AWS ACM email validation via DNS

In order to switch to DNS validation, our Support Techs recommend recreating the ACM certificate and selecting DNS for validation. Furthermore, DNS validation offers additional advantages over email validation.

  • You have to create only one CNAME record for each domain name for DNS validation, whereas email validation sends up to 8 email messages for each domain name.
  • ACM automatically renews validated certificates before they expire.
  • You can request additional ACM certificates for the FQDN.
  • You can switch to DNS validation without incurring any additional costs.
  • Automation via DNS validation is less complex.

After recreating the certificate, ensure you update the services integrated with AWS Certificate Manager so that they use the new certificate. The new ACM certificate gets a new ARN; the previous ARN is not retained.

Our Support Engineers would like to point out that you can find the resources that use the ACM certificate, in the Region of the ACM certificate, with the following command:

$ aws acm describe-certificate --certificate-arn arn:aws:acm:region:12345678911:certificate/123456-1234-1234-1234-123456789 --output text | grep INUSEBY
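
As an added example (not Bobcares' or AWS's own code), the following Python script reads the JSON form of the same describe-certificate output and reports which domains are still email-validated, which DNS validation records exist, and which resources must be moved to the new ARN. The sample document, its ARNs and addresses, and the function name migration_report are constructed for illustration.

```python
import json

# Constructed sample of `aws acm describe-certificate --output json`
# (trimmed; ARNs and addresses are placeholders, not real resources).
SAMPLE = json.loads("""
{"Certificate": {
  "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-OLD",
  "Status": "ISSUED",
  "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/EXAMPLE-ALB/0000"],
  "DomainValidationOptions": [
    {"DomainName": "example.com", "ValidationMethod": "EMAIL",
     "ValidationStatus": "SUCCESS",
     "ValidationEmails": ["admin@example.com", "hostmaster@example.com"]},
    {"DomainName": "www.example.com", "ValidationMethod": "DNS",
     "ValidationStatus": "SUCCESS",
     "ResourceRecord": {"Name": "_EXAMPLE.www.example.com.", "Type": "CNAME",
                        "Value": "_EXAMPLE.acm-validations.aws."}}
  ]}}
""")


def migration_report(described):
    """Summarise what must change before moving a certificate to DNS validation."""
    cert = described["Certificate"]
    email_domains, cnames = {}, []
    for opt in cert.get("DomainValidationOptions", []):
        if opt.get("ValidationMethod") == "EMAIL":
            # These mailboxes must stay monitored for every renewal.
            email_domains[opt["DomainName"]] = opt.get("ValidationEmails", [])
        elif "ResourceRecord" in opt:
            # DNS-validated name: record the CNAME that must stay in the zone.
            rr = opt["ResourceRecord"]
            cnames.append((rr["Name"], rr["Type"], rr["Value"]))
    return {
        "arn": cert["CertificateArn"],
        "email_validated": email_domains,
        "dns_records": cnames,
        # Each of these resources must be pointed at the new certificate's ARN.
        "in_use_by": cert.get("InUseBy", []),
    }


if __name__ == "__main__":
    print(json.dumps(migration_report(SAMPLE), indent=2))
```

To run it against a real certificate, save the command's `--output json` result to a file and pass the parsed document to migration_report in place of SAMPLE.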


Conclusion

At the end of the day, the Support Team at Bobcares demonstrated how to carry out AWS ACM email validation via email as well as how to switch to DNS validation.
