Blog Tag not found

Domain Control Validation by DNS TXT Method

With this DCV method, you prove domain control by adding a hash string token as a TXT record to the domain's DNS namespace. The CA periodically checks your domain's DNS for the correct token.

The DNS TXT Token DCV method is not supported for Sectigo and PositiveSSL SSL/TLS products (DNS CNAME is supported).

How to set up DCV to DNS TXT Token method

Locate the pending order in your account. Click on a domain in the 'You Need To... > Prove Control Over Domains" section.

DCV click domain buttons to manage DCV options.

In the DCV Method dropdown, choose DNS TXT Token. Copy the Token string. Note: The unique token expires after thirty days. 

Copy TXT token.

Add a DNS TXT record to your domain. 

Below is an example of AWS Route 53 DNS.

TXT records should be added to the base domain. For instance, if your domain is mail.example.com, add the TXT record to example.com, not mail.example.com.

  • In the Host field, leave the host field blank or use the @ symbol to indicate that you want to create a TXT record at the base domain level (e.g., example.com, not shop.example.com).
  • In the Value field, paste the TXT token string you copied from the previous step.
  • Save the TXT record.

AWS create DNS TXT record.

Tip: If you are not able to add the token value to your base domain's DNS record because it already has a TXT record you can create a new TXT record and enter _dnsauth (include the leading underscore) as the host value rather than leaving it blank. The CA will look for the token at example.com and _dnsauth.example.com.

Alternate hostname option.

Check your live DNS record for propagation.

Use Google Admin Toolbox Dig to test your new DNS TXT record. If you don't see the token value, the token is not set up correctly, or the record has not been propagated yet. Note the TTL and check again later. 

Google Dig

Tip: Use can also use What's My DNS to verify that your new TXT record has propagated globally. Depending on the TTL value it may take some time to show up.

Check DCV approval. 

Once you know your new DNS TXT record is set up correctly and has propagated globally, go back to step 2 above and click the CHECK button. 

Check for token.

When the correct DNS TXT record is located, that domain will be shown as checked off and approved. Repeat for all domains on the certificate order.

Domain approved.

Choosing and changing the DCV method

You choose the initial DCV method when placing an SSL/TLS order. You can change the current DCV method - for example, from Email Verification to DNS CNAME - by clicking the button for any domain on the order that is not approved.  

Additional Resources