End of life for WHOIS-based DCV methods

Solution ID : ALERT20
Last Modified : 01/25/2025

End of life for using WHOIS-based DCV methods

Important: This is a dynamic article. We will update as new information becomes available. Save this page and periodically check back for the latest information.


The CA/Browser Forum recently adopted Ballot SC-80v3: Sunset the Use of WHOIS to Identify Domain Contacts and Relying DCV Methods. To comply with the industry changes mandated by the ballot, certificate authorities (CAs), such as DigiCert, must stop using WHOIS to identify domain contacts for email, fax, SMS, postal mail, and phone domain control validation (DCV) methods. Note that DigiCert only supports the email and phone WHOIS-based DCV methods.

For more information about this industry change, see Ballot SC-80v3: Sunset the Use of WHOIS to Identify Domain Contacts and Relying DCV Methods below.


DigiCert’s timeline for sunsetting WHOIS to identify domain contacts and WHOIS-based DCV methods

DigiCert's timeline ensures we update our domain control validation process to remove support for the WHOIS-based DCV method and stop reusing existing WHOIS-based domain validations before the timelines specified in Ballot SC-80v3.

The changes below affect all DigiCert domain validations, including the following certificate types: TLS, Verified Mark and Common Mark, Secure Email (S/MIME), DirectAssured, and DirectTrust.

January 8, 2025: End of life for HTTPS web-based WHOIS lookups and reuse of web-based WHOIS domain validations

On January 8, 2025, DigiCert stopped:

  • Using HTTPS web-based WHOIS lookups
    Starting January 8, 2025, DigiCert can no longer use HTTPS web-based WHOIS lookups to obtain domain contact information for domain control validation.

    Background
    For the WHOIS-based DCV methods, DigiCert uses the WHOIS protocol and queries IANA’s WHOIS server, following the referrals to the relevant WHOIS server to obtain domain contact information. Sometimes, the query fails to return any results, for example, due to WHOIS lookup rate limits. When this happens, a DigiCert agent may perform an HTTPS web-based WHOIS lookup to find domain contact information so that the domain validation can proceed.

    Starting January 8, 2025, DigiCert validation agents can no longer perform manual HTTPS web-based WHOIS lookups when the WHOIS protocol fails to retrieve a domain’s contact information, which makes the WHOIS-based DCV methods less reliable.

  • Reusing existing domain validations where DigiCert used an HTTPS web-based lookup to obtain a domain’s contact information
    On January 8, 2025, DigiCert can no longer reuse any existing domain validations where we used an HTTPS web-based lookup to collect domain contact information, regardless of whether the previously obtained information is within the allowed 397-day reuse period.

How does this affect me?

If you used the WHOIS-based DCV method to validate your domains, and DigiCert’s automated WHOIS lookup ever failed to retrieve your desired email address, you are probably impacted.

Use a different validation method or email address source, such as a DNS TXT record email address, during your next certificate request. If you rely on instant certificate issuance, revalidate your domains in advance.

DigiCert recommends moving to a different DCV method or email address source as soon as possible. See DigiCert-supported DCV methods and domain validation processes and References below.


May 8, 2025: End of life for new WHOIS-based domain validations, regardless of WHOIS lookup method

On May 8, 2025, DigiCert will no longer support the WHOIS-based DCV method. DigiCert systems will stop querying WHOIS entirely for domain validations.

How does this affect me?

If you are using the WHOIS-based Email DCV method, you must switch to a different DCV method. Or, to continue using the Email DCV method, set up a DNS TXT Email Contact or a Constructed Email address. See DigiCert-supported DCV methods and domain validation processes and References below.


July 8, 2025: End of life for reusing existing WHOIS-based domain validations

On July 8, 2025, DigiCert will stop reusing existing WHOIS-based domain validations, regardless of whether previously obtained information is within the allowed 397-day reuse period and regardless of the WHOIS method.

How does this affect me?

If you used the WHOIS-based Email DCV method to validate your domains, these domain validations will become invalid on July 8. The next time you request a certificate for one of these domains, you must revalidate the domain using a different DCV method. Or, to continue using the DCV email method, set up a DNS TXT Email Contact or a Constructed Email address.

See DigiCert-supported DCV methods and domain validation processes and References below.

Important: If you rely on instant issuance of your certificates, please revalidate your domains with a different DCV method or email address type before July 8.
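To turn the three dates above into an inventory check, here is an added example (not DigiCert's code or tooling) that computes when each existing domain validation stops being reusable: the 397-day reuse window, cut short by the January 8 cutoff for validations that relied on a web-based WHOIS lookup and the July 8 cutoff for any other WHOIS-based validation. The method labels and the domain inventory are constructed for the example.

```python
from datetime import date, timedelta

# DigiCert's published sunset dates for WHOIS-based validations (taken from this article).
WEB_WHOIS_CUTOFF = date(2025, 1, 8)    # validations obtained via an HTTPS web-based WHOIS lookup
WHOIS_REUSE_CUTOFF = date(2025, 7, 8)  # any WHOIS-based validation, regardless of lookup method
REUSE_PERIOD = timedelta(days=397)     # maximum reuse period for a completed domain validation

# Constructed inventory of how each domain was last validated. The method labels are an
# assumption for this example; map your own records onto them.
VALIDATIONS = [
    {"domain": "shop.example.com", "method": "whois_email_web",      "validated": date(2024, 12, 1)},
    {"domain": "api.example.com",  "method": "whois_email_protocol", "validated": date(2025, 3, 15)},
    {"domain": "www.example.com",  "method": "dns_txt",              "validated": date(2024, 9, 1)},
    {"domain": "mail.example.com", "method": "constructed_email",    "validated": date(2024, 5, 1)},
]

def effective_expiry(method: str, validated: date) -> date:
    """Date the validation stops being reusable: the 397-day window, cut short by
    whichever WHOIS sunset applies to how the contact information was obtained."""
    natural = validated + REUSE_PERIOD
    if method == "whois_email_web":
        return min(natural, WEB_WHOIS_CUTOFF)
    if method.startswith("whois_"):
        return min(natural, WHOIS_REUSE_CUTOFF)
    return natural

def triage(validations, today: date) -> dict:
    """Map each domain to ('expired' | 'revalidate' | 'ok', effective expiry).
    'revalidate' means still reusable today but doomed by a WHOIS cutoff, so
    redo it with another DCV method before relying on instant issuance."""
    result = {}
    for v in validations:
        expiry = effective_expiry(v["method"], v["validated"])
        if expiry <= today:
            status = "expired"
        elif v["method"].startswith("whois_"):
            status = "revalidate"
        else:
            status = "ok"
        result[v["domain"]] = (status, expiry)
    return result

if __name__ == "__main__":
    for domain, (status, expiry) in triage(VALIDATIONS, date(2025, 6, 1)).items():
        print(f"{domain:18} {status:11} reusable until {expiry}")
```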


DigiCert-supported DCV methods and domain validation processes

DigiCert-supported domain validation processes

  • Demonstrate control over domains on certificate orders
    When ordering a certificate, you select a DCV method to demonstrate control over the domains on the order. On the certificate's Order details page, use the DCV method selected during the order process to complete the domain validation. You can always switch validation methods if needed.
  • Complete domain validation before ordering a certificate
    DigiCert features a domain validation process that allows you to validate your domains before ordering certificates. Completing the domain validation ahead of time allows for quicker certificate issuance.

DigiCert-supported DCV Methods

  • DNS TXT Record (DNS Change)
    Go to your DNS provider and create a TXT record. Add a DigiCert-generated random value to the domain's TXT record.

    Note: DigiCert recommends using this DCV method as it is less vulnerable to future industry changes.

  • Email
    • Email to DNS TXT contact
      DigiCert sends an authorization email to the email addresses found in the DNS TXT record on the _validation-contactemail subdomain of the domain you are demonstrating control over.
    • Constructed Email
      DigiCert sends the authorization email to five constructed email addresses for the domain: admin, administrator, webmaster, hostmaster, and postmaster @[domain_name].
  • DNS CNAME Record
    Go to your DNS provider and create a CNAME record. In the hostname field, enter _dnsauth. Then, add [random_value].dcv.digicert.com in the target host field to point the CNAME record to dcv.digicert.com.

  • HTTP Practical Demonstration
    Host a file containing a DigiCert-generated random value at a predetermined location on your website: http://{domain-name}/.well-known/pki-validation/fileauth.txt.
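Before ordering, it helps to confirm the replacement records are actually published. This added example (not DigiCert's code) encodes the record names and paths listed above and reports which methods are satisfied; the DNS and HTTP lookups are injected callables so it runs offline against constructed sample data, and the random value and domain are placeholders.

```python
import re

DCV_TARGET_SUFFIX = ".dcv.digicert.com"
CONSTRUCTED_LOCALPARTS = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")

def expected_records(domain: str, random_value: str) -> dict:
    """What each DigiCert DCV method expects to find for this domain."""
    return {
        "dns_txt": (domain, random_value),
        "dns_cname": (f"_dnsauth.{domain}", f"{random_value}{DCV_TARGET_SUFFIX}"),
        "http": (f"http://{domain}/.well-known/pki-validation/fileauth.txt", random_value),
        "email_dns_txt": f"_validation-contactemail.{domain}",
        "email_constructed": [f"{lp}@{domain}" for lp in CONSTRUCTED_LOCALPARTS],
    }

def preflight(domain, random_value, txt, cname, http_get):
    """Report which DCV methods are already satisfied. txt/cname/http_get are lookup
    callables, injected so this runs offline; wire them to your resolver and HTTP
    client in practice. Returns (readiness per method, contact emails found)."""
    exp = expected_records(domain, random_value)
    ready = {"dns_txt": random_value in txt(domain)}
    target = cname(exp["dns_cname"][0])
    ready["dns_cname"] = target is not None and target.rstrip(".") == exp["dns_cname"][1]
    body = http_get(exp["http"][0])
    ready["http"] = body is not None and body.strip() == random_value
    contacts = [t.strip() for t in txt(exp["email_dns_txt"])
                if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", t.strip())]
    ready["email_dns_txt"] = bool(contacts)
    return ready, contacts

# Constructed DNS/web state for example.com (not real records): the CNAME target carries
# the trailing dot a resolver returns, and no fileauth.txt has been published yet.
SAMPLE_TXT = {
    "example.com": ["v=spf1 -all", "abc123randomvalue"],
    "_validation-contactemail.example.com": ["security@example.com"],
}
SAMPLE_CNAME = {"_dnsauth.example.com": "abc123randomvalue.dcv.digicert.com."}
SAMPLE_HTTP = {}

def sample_preflight():
    return preflight("example.com", "abc123randomvalue",
                     txt=lambda name: SAMPLE_TXT.get(name, []),
                     cname=lambda name: SAMPLE_CNAME.get(name),
                     http_get=lambda url: SAMPLE_HTTP.get(url))

if __name__ == "__main__":
    ready, contacts = sample_preflight()
    for method, ok in ready.items():
        print(f"{method:14} {'ready' if ok else 'missing'}")
    print("DNS TXT contact emails:", contacts)
```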


References


Ballot SC-80v3: Sunset the Use of WHOIS to Identify Domain Contacts and Relying DCV Methods

Ballot SC-80v3 has two important dates:

  • On January 15, 2025, CAs must stop relying on domain contact information obtained using HTTPS web-based WHOIS lookups. DigiCert refers to this type of lookup as a manual WHOIS lookup. This change affects new WHOIS-based domain validations and existing domain validations within their reuse period.
  • On July 15, 2025, CAs must stop relying on WHOIS-based domain validations, including those obtained using the WHOIS protocol, querying IANA’s WHOIS server, and following referrals to the relevant WHOIS server. This change affects new WHOIS-based domain validations and existing domain validations within their reuse period.

This ballot does not affect all email DCV methods. You can still use the Email to DNS TXT contact and Constructed Email DCV methods if email is your preferred DCV method. However, DigiCert recommends using one of the non-email-based DCV methods as the CA/Browser Forum is likely to continue scrutinizing email DCV methods. See DigiCert-supported DCV methods and domain validation processes above.


Background WHOIS-based domain validation

Almost every domain has a public record that lists its owner's contact information. Certificate authorities (CAs), such as DigiCert, use this information to contact the domain owner and obtain permission to issue certificates for that domain. WHOIS-based domain validation is the most common way to validate domains for public certificate issuance; however, it has become unreliable, and industry standards now require CAs to use more stringent domain validation methods.

While other methods may require more work and knowledge, such as modifying a DNS record, setting up an admin email address, or placing an HTTP file on your server, these methods provide better security and trust for you and your customers.


Need help?

If you have questions or concerns about this ballot prohibiting the use of WHOIS for identifying domain contacts, please contact your account manager or DigiCert Support immediately - Contact DigiCert.