Email domain validation change policy by CA/B Forum

03 Mar ‘25

CA/B Forum Announces Email Domain Validation Changes

The CA/B Forum has announced a major change to the annual validation of domain names via email, impacting organizations that purchase certificates from DigiCert and GlobalSign.

What is the CA/B forum?

The Certification Authority Browser Forum (CA/Browser Forum) is a gathering of certificate issuers and vendors of Internet browser software and other applications that use certificates (Certificate Consumers). Its purpose is to promote and improve industry best practices in the way digital certificates are used for the benefit of Internet users and the security of their communications.

Adjustment to the domain validation procedure 2025

WHOIS is a public database that allows you to look up information about domain names. It contains information such as who the owner is, the registration date of the domain name and when it expires. It also contains the email address of the owner of the domain name.

As of February 24, 2025, it will no longer be possible to use the owner’s email address listed in WHOIS for domain validation. Other standard email addresses such as hostmaster@ and info@ may also no longer be used for new validations from that date.

This change impacts organizations that purchase Domain Validated (DV), Organization Validated (OV), Extended Validation (EV), and S/MIME certificates from CAs such as DigiCert and GlobalSign.

On July 14, 2025, all domain names that have ever been validated using the old email address method will automatically expire. DV, OV, EV, and S/MIME certificates that still use incorrect email addresses will no longer be valid.

What is the new way of validation?

In order to continue supporting email-based validation, each customer must publish a TXT record in the DNS zone of the domain in question, at the subdomain “_validation-contactemail”, whose value is the contact email address to be used for validation.

As an example, this DNS record would look like this:

_validation-contactemail  defaultTTL  mypreferredvalidation@mydomain.com
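The following script, an added example that is not part of the original post or of any CA's tooling, shows the zone-file line for the record described above and checks resolver output for a domain the way a pre-issuance sanity check would. The domain, mailbox and the in-memory fake zone are constructed; a real deployment would replace the fake resolver with an actual DNS lookup.

```python
"""Check the 'Email to DNS TXT Contact' record for a domain.

A CA looks for TXT records at _validation-contactemail.<domain> and treats
each well-formed value as a mailbox that may receive the validation email.
"""
import re
from typing import Callable, Iterable

LABEL = "_validation-contactemail"
# Deliberately simple mailbox pattern: local part, '@', dotted host labels.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def zone_record(domain: str, email: str, ttl: int = 3600) -> str:
    """Return the zone-file line to publish (RFC 1035 presentation format)."""
    if not EMAIL_RE.match(email):
        raise ValueError(f"not a usable contact address: {email!r}")
    return f'{LABEL}.{domain.rstrip(".")}. {ttl} IN TXT "{email}"'


def contact_emails(domain: str, resolve_txt: Callable[[str], Iterable[str]]) -> list[str]:
    """Return the well-formed contact addresses published for `domain`.

    `resolve_txt(name)` returns the raw TXT values for `name`. Values that are
    not mailboxes are ignored (a CA cannot send mail to them); duplicates that
    differ only in case are collapsed so the caller sees one mailbox once.
    """
    name = f"{LABEL}.{domain.rstrip('.')}"
    found: list[str] = []
    for value in resolve_txt(name):
        addr = value.strip().strip('"')
        if EMAIL_RE.match(addr) and addr.lower() not in (f.lower() for f in found):
            found.append(addr)
    return found


# Constructed fake zone standing in for a live resolver (no network needed).
FAKE_ZONE = {
    "_validation-contactemail.example.com": [
        '"pki-team@example.com"',
        "not-an-address",          # ignored: not a mailbox
        "PKI-Team@example.com",    # same mailbox, different case
    ],
}


def fake_resolve_txt(name: str) -> list[str]:
    return FAKE_ZONE.get(name.rstrip("."), [])


if __name__ == "__main__":
    print(zone_record("example.com", "pki-team@example.com"))
    print(contact_emails("example.com", fake_resolve_txt))   # one mailbox
    print(contact_emails("no-record.example", fake_resolve_txt))  # []
```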

The regular DNS TXT and HTTP-based validation methods will continue to exist. Domain names that have been validated using one of these methods will not expire on July 14, 2025.

It is important that organizations incorporate this new method into their existing certificate management process so that certificate issuance and renewal continue to run correctly.

For more information, please contact KeyTalk and we will be happy to inform you how our platform can help you with this.

Contact us

If you are interested in what we can do for your organisation with PKI / CLM management after reading our blog, please fill in the contact form below and we will contact you right away.