Cloudflare Docs
SSL/TLS
SSL/TLS
Visit SSL/TLS on GitHub
Set theme to dark (⇧+D)

Email DCV method

Email based validation will send an approval email to the contacts listed for a given domain in WHOIS, along with the following addresses: admin@, administrator@, hostmaster@, postmaster@, and webmaster@.

​​ Limitations

Based on your chosen Certificate Authority, you may not be able to use email verification with advanced certificates.

​​ Setup

​​ Specify DCV method

If you want to use a Universal SSL certificate, you will need to edit the validation_method via the API and specify your chosen validation method.

Alternatively, you could order an advanced certificate via the dashboard or the API.

​​ View DCV values

Once you specify your chosen validation method, you can access the validation values by:

  • Going to SSL/TLS > Edge Certificates in the dashboard and selecting a certificate.
  • Getting certificate details by making a GET request with status=pending_validation in the request parameter and finding the validation_method and validation_records.

Once you locate your certificate, find the following values:

  • API: emails
  • Dashboard: Certificate validation email recipients.

​​ Complete DCV

The addresses listed in this field will receive an email from support@certvalidate.cloudflare.com. They should either select Review Certificate Request or the https://certvalidate.cloudflare.com hyperlink.

Example of the Certificate Validation Email

As soon as the domain owner has followed the link in this email and selected Approve on the validation page, the certificate will move through the various statuses until it becomes Active.

​​ Renewal

Even if you manually handle DCV when issuing certificates in a partial DNS setup, at certificate renewal, Cloudflare will attempt to automatically perform DCV via HTTP.

If all of the following conditions are confirmed at the first attempt, the renewal happens automatically via HTTP.

  • Hostnames are proxied.
  • Hostnames on the certificate resolve to the IPs assigned to the zone.
  • The certificate does not contain wildcards.

If any one of the conditions is not met, the certificate renewal falls back to your chosen method and you will need to repeat the DCV process manually.