How to Validate that You Control a Domain for an SSL Certificate

For security reasons, it is necessary to verify that you have the full agreement of the domain’s owner to issue an SSL certificate for the domain. For domain names managed through Gandi, this can usually be done automatically.

If you have requested an SSL certificate for a domain that you don’t control you will not be able to validate the certificate automatically. During the creation of the certificate , you will be offered three validation methods you can use after you submit your CSR.

Validation by DNS Record

Validation by DNS record implies that you have access to the DNS record management of your domain (whether or not at Gandi), and can add a CNAME record to it.

If you opt for this method, you will need to add a special CNAME record to your domain’s DNS zone records. You will receive instructions on how to do this when you complete your order.


Validation by DNS record can take 30 minutes or more.

If you have created a previous certificate for this domain, you may end up with conflicting DNS zone records, which will prevent the validation of your domain. To avoid this, delete any previous records that were created for other certificate validations.

Validation by Email

To validate by email, an email is sent to the email address “” where is replaced with your domain name. This validation method is simple, though it requires that you have a specific email address available for each domain to be validated. Of all the validation methods, validation by email is the fastest.


Because the email is sent when you complete your order, it is best if you can create this email before you complete your order. If you do not create the email address in time, you can resend the email on the page for your new certificate in the “SSL Certificates” section of your account after you have setup the email address.

You can learn how to create an email address on your domain name on our documentation page for creating email addresses.

It is also possible to create an alias which will forward email sent to your admin email address to another existing account. However, be aware that forwarded email addresses are often marked as spam and so we recommend not using an alias to avoid the risk of your validation email being marked as spam.


This method can only use email addresses that start with “admin.” You cannot validate your domain by sending an email to any other address.


You have 30 days to confirm by email, after which the operation will time out.

Validation by File

This validation method requires that you have access to the web server that hosts the website that the domain will point to.

You are asked to copy a TXT file that contains a verification key, and to place it at the following location on your domain. You will replace with the domain you want to secure, and replace filename with the name of the file you are provided.


The file must be placed at every full domain you want covered by a certificate. This means if you want both and (the bare domain without www) you must place two files; one using and one using only

We recommend that you check that the file is available online, preferably outside your corporate network and only in HTTP.


Beware of CMS installations (such as Wordpress, for example) which can block access to any “off-site” file.

Sectigo will verify the file within 1 hour of the launch of the validation process.