DigiCert KnowledgeBase - Technical Support


DigiCert Using MPIC to Verify Domain Control and Perform CAA Checks

Solution ID : SO499
Last Modified : 08/19/2025


Beginning September 1, 2025, DigiCert will enhance its certificate validation process by implementing the next phase of Multi-Perspective Issuance Corroboration (MPIC) per CA/Browser Forum requirements. With the first phase of MPIC earlier this year, DigiCert started checking domain control and CAA record details from multiple network locations. With the next phase of MPIC, DigiCert will add additional network perspectives (up to six more) and will enforce “corroboration.”

Corroboration means that multiple network perspectives must return the same DNS record details or website file contents for a given domain before the domain can be considered validated and before the certificate can be issued. MPIC requirements apply to both Domain Control Validation (DCV) and Certificate Authority Authorization (CAA) checks.

This redundancy protects against attacks that are visible only from a single vantage point, such as a BGP route hijack or a spoofed DNS answer that redirects the CA's validation traffic on one network path: a value an attacker can plant on one path will not be corroborated by perspectives that reach the genuine servers over other paths. For you, this means enhanced security and increased confidence that only authorized parties obtain certificates for your domains.


How does the MPIC process work?

To begin, DigiCert performs its standard validation check from our primary network. The same check is then repeated from six additional remote locations, each on a different network and in a different geographic region. At least four of the six remote locations must corroborate the details obtained via the primary network for domain control to be verified, for CAA checks to pass, and for a certificate to be issued; in other words, no more than two remote perspectives may answer differently or fail to answer.
 

Domain control validation (DCV)

MPIC applies to all common domain control validation (DCV) methods, including:

  • DNS TXT record
  • DNS CNAME record
  • Email to DNS TXT contact
  • Email to CAA contact
  • HTTP Practical Demonstration
    • Domains and IP addresses
  • HTTP Practical Demonstration with a unique file name
  • ACME http-01
  • ACME dns-01

The corroboration requirement applies to each DCV method listed above. If too few network locations corroborate the primary network's details, domain validation fails and the certificate cannot be issued. This redundancy ensures that only those with legitimate control of a domain can obtain certificates for it.
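As an added example (not DigiCert's code), the following Python models the corroboration rule described in this section and the one above: one primary observation plus six remote perspectives, a quorum of four remote perspectives, and four scenarios showing what the quorum tolerates and what it blocks. The perspective names, the random value and the record sets are constructed sample data; the exact locations and internal handling of DigiCert's perspectives are not shown on this page and are not represented here.

```python
"""Model of MPIC corroboration: one primary lookup plus six remote network
perspectives, with a quorum of four remote perspectives. Added example, not
DigiCert's code. Perspective names, the random value and the record sets
are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# What one perspective observed for the validation target: the set of record
# values (TXT strings, CAA values, or the body of the HTTP validation file).
# None means the lookup failed or timed out from that vantage point.
Observation = Optional[FrozenSet[str]]


@dataclass(frozen=True)
class Decision:
    validated: bool
    agreeing: int     # remotes that returned exactly the primary's records
    disagreeing: int  # remotes that answered with different records
    failed: int       # remotes that returned no answer
    reason: str


def corroborate(expected: str, primary: Observation,
                remotes: Dict[str, Observation], quorum: int = 4) -> Decision:
    """Decide whether the random value `expected` is validated.

    The primary lookup must contain `expected`, and at least `quorum` remote
    perspectives must return exactly the same record set as the primary.
    A remote that fails to answer is not evidence of agreement, so it counts
    against the quorum just like a remote that answers differently.
    """
    if primary is None:
        return Decision(False, 0, 0, len(remotes), "primary lookup failed")
    agreeing = sum(1 for obs in remotes.values() if obs == primary)
    failed = sum(1 for obs in remotes.values() if obs is None)
    disagreeing = len(remotes) - agreeing - failed
    if expected not in primary:
        return Decision(False, agreeing, disagreeing, failed,
                        "expected value not found by primary")
    if agreeing >= quorum:
        return Decision(True, agreeing, disagreeing, failed,
                        f"{agreeing}/{len(remotes)} remote perspectives corroborate")
    return Decision(False, agreeing, disagreeing, failed,
                    f"only {agreeing}/{len(remotes)} remote perspectives corroborate, "
                    f"{quorum} required")


# Constructed sample data: six hypothetical remote perspectives, a hypothetical
# random value issued by the CA, and the TXT RRset the legitimate zone serves.
REMOTES = ["eu-west", "eu-central", "us-east", "us-west", "ap-southeast", "sa-east"]
TOKEN = "a7f3c9d1e5b2"
LEGIT = frozenset({"v=spf1 -all", TOKEN})


def scenario_healthy() -> Decision:
    """Every perspective sees the same, correct RRset."""
    return corroborate(TOKEN, LEGIT, {n: LEGIT for n in REMOTES})


def scenario_partial_propagation() -> Decision:
    """One authoritative server still serves the old RRset and one perspective
    times out: two non-corroborating remotes, which the 4-of-6 quorum tolerates."""
    observations: Dict[str, Observation] = {n: LEGIT for n in REMOTES}
    observations["ap-southeast"] = frozenset({"v=spf1 -all"})  # stale answer
    observations["sa-east"] = None                             # timeout
    return corroborate(TOKEN, LEGIT, observations)


def scenario_primary_path_hijack() -> Decision:
    """An attacker who can redirect the CA's primary network traffic (for example
    by a route hijack on that path) answers with their own token. The remote
    perspectives reach the real nameservers, which do not carry that token."""
    attacker_token = "attacker-chosen-value"
    real = frozenset({"v=spf1 -all"})
    return corroborate(attacker_token, frozenset({attacker_token}),
                       {n: real for n in REMOTES})


def scenario_single_remote_hijack() -> Decision:
    """An attacker who can only poison one remote perspective never gets the
    token past the primary check."""
    attacker_token = "attacker-chosen-value"
    real = frozenset({"v=spf1 -all"})
    observations: Dict[str, Observation] = {n: real for n in REMOTES}
    observations["us-east"] = frozenset({attacker_token})
    return corroborate(attacker_token, real, observations)


if __name__ == "__main__":
    for scenario in (scenario_healthy, scenario_partial_propagation,
                     scenario_primary_path_hijack, scenario_single_remote_hijack):
        d = scenario()
        print(f"{scenario.__name__:32} validated={d.validated!s:5} {d.reason}")
```

The model makes the limit of the protection visible too: an attacker who could redirect the path to the primary network and to four of the six remote perspectives would still pass the quorum. MPIC raises the cost of a localized hijack rather than eliminating it, which is why a CAA record restricting which CAs may issue for your domain remains worth publishing.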
 

DNS Certificate Authority Authorization (CAA) check

MPIC also applies to the CAA record check DigiCert performs to make sure we have permission to issue the certificate for a domain. Remember, before DigiCert can issue a TLS/SSL certificate or a Secure Email (S/MIME) certificate, we must check, process, and abide by the domain or email domain’s DNS CAA resource records. Learn more about the DNS CAA resource record check.
 

What do I need to do?

Most customers will need to do little to prepare for MPIC before it takes effect on September 1, 2025. However, depending on the DCV method you use, some steps must be taken in advance, while others fall into the troubleshooting category.

Start by auditing your current validation setup and verifying which DCV methods you use, for example HTTP Practical Demonstration, DNS TXT record, or Email to CAA contact.

  • If using HTTP Practical Demonstration, check for anything that could block or delay validation requests arriving from several networks and regions, such as geo-blocking, rate limiting, bot-protection rules, or IP-based firewall rules. See Add User Agent DigiCert DCV Bot/1.1 to your allowlist below.
  • If using DNS-based DCV methods, such as DNS TXT record or Email to DNS TXT contact, check for inconsistent DNS behavior across your authoritative nameservers. See Verify DNS record access below.
     

Add User Agent DigiCert DCV Bot/1.1 to your allowlist

If you use an HTTP Practical Demonstration DCV method and an allowlist to control inbound traffic, action is required.

Add the User Agent DigiCert DCV Bot/1.1 to your allowlist before September 1, 2025. This ensures that DigiCert can retrieve the .txt file containing the random value from the predetermined location on your website from every network perspective, not only the primary one. Note that a User-Agent header is not a form of authentication: any client can send it, so treat the allowlist entry as a way to keep your own filtering from blocking validation requests, not as a control on who can reach the validation file.
 

Verify DNS record access

Though domain validation and CAA record check issues are unlikely, starting September 1, 2025, there is a chance you could experience a disruption to your certificate issuance process if using:

  • DNS-based DCV methods: DNS TXT record, DNS CNAME record, Email to DNS TXT contact, and Email to CAA contact
  • CAA resource records: Used to control which CAs can issue certificates for your domains

Check that record changes have propagated reliably to every authoritative nameserver for your zone, since different perspectives may be answered by different servers, and that your TTL settings allow for timely updates. A server still serving the old zone, or a long TTL on a record you have just changed, can cause some perspectives to see stale data and break corroboration.

Conducting these checks can help ensure that DigiCert can locate the random value or email contact within your DNS record and confirm access to the CAA resource record, thereby authorizing us to issue TLS and S/MIME certificates for your domains.
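The following Python is an added example, not DigiCert tooling, that performs the two checks this section and the CAA section describe from the domain owner's side: querying each authoritative nameserver directly to confirm they all return the same DCV TXT record and the same CAA RRset, and walking the CAA lookup up the name tree as RFC 8659 specifies to confirm the relevant RRset authorizes digicert.com. The nameserver names, the zone and the records are constructed sample data, and the `lookup` callable is a stand-in you would replace with a real resolver library for live checks.

```python
"""Audit that every authoritative nameserver for a zone serves the same DCV
TXT record and the same CAA RRset, and evaluate whether that CAA RRset
authorizes DigiCert to issue. Added example, not DigiCert's tooling. The
nameserver names, zone name and records are constructed sample data; `lookup`
is a callable so the same logic can be pointed at a real resolver for live use."""
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# (nameserver, owner name, record type) -> RRset, or None for NODATA/NXDOMAIN/timeout
Lookup = Callable[[str, str, str], Optional[FrozenSet[str]]]
Zone = Dict[str, Dict[Tuple[str, str], FrozenSet[str]]]

CAA_POLICY = frozenset({'0 issue "digicert.com"', '0 iodef "mailto:pki@example.com"'})
DCV_TXT = frozenset({"2025-09-01-random-token"})  # hypothetical DCV random value

# Constructed snapshot: ns3 has not yet transferred the updated zone, so it
# still lacks the DCV TXT record (incomplete propagation across secondaries).
SAMPLE_ZONE: Zone = {
    "ns1.example-dns.net": {("_dnsauth.example.com", "TXT"): DCV_TXT,
                            ("example.com", "CAA"): CAA_POLICY},
    "ns2.example-dns.net": {("_dnsauth.example.com", "TXT"): DCV_TXT,
                            ("example.com", "CAA"): CAA_POLICY},
    "ns3.example-dns.net": {("example.com", "CAA"): CAA_POLICY},
}


def make_lookup(zone: Zone) -> Lookup:
    """Offline lookup over a zone snapshot; swap in a real resolver for live checks."""
    return lambda ns, name, rtype: zone.get(ns, {}).get((name.rstrip(".").lower(), rtype))


def check_consistency(lookup: Lookup, nameservers: List[str], name: str, rtype: str
                      ) -> Tuple[bool, Dict[str, Optional[FrozenSet[str]]]]:
    """Query every authoritative server directly; consistent only if all answers match."""
    answers = {ns: lookup(ns, name, rtype) for ns in nameservers}
    return len(set(answers.values())) == 1, answers


def parse_caa(record: str) -> Tuple[int, str, str]:
    """Split the presentation form '<flags> <tag> "<value>"' into its parts."""
    flags, tag, value = record.split(" ", 2)
    return int(flags), tag.lower(), value.strip('"')


def relevant_caa(lookup: Lookup, ns: str, fqdn: str) -> Tuple[Optional[str], FrozenSet[str]]:
    """RFC 8659 section 3: walk from the FQDN toward the root; the first
    non-empty CAA RRset found is the relevant one for the whole name."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rrset = lookup(ns, owner, "CAA")
        if rrset:
            return owner, rrset
    return None, frozenset()


def caa_permits(lookup: Lookup, ns: str, fqdn: str, issuer: str = "digicert.com") -> bool:
    """Non-wildcard issuance check against one nameserver's answers.
    Simplified: issuewild is not evaluated, so do not use this for wildcard names."""
    _, rrset = relevant_caa(lookup, ns, fqdn)
    parsed = [parse_caa(r) for r in rrset]
    # An unknown property with the critical flag (128) set forbids issuance.
    if any(flags & 128 and tag not in ("issue", "issuewild", "iodef")
           for flags, tag, _ in parsed):
        return False
    issue_values = [value for _, tag, value in parsed if tag == "issue"]
    if not issue_values:
        return True  # no issue property in the relevant RRset: issuance not restricted
    # The issuer domain precedes any ';' parameters; 'issue ";"' permits no issuer.
    return any(v.split(";", 1)[0].strip().lower() == issuer.lower() for v in issue_values)


def audit(zone: Zone, dcv_name: str, caa_owner: str, fqdn: str) -> Dict[str, object]:
    """The checks a domain owner wants before requesting a certificate."""
    lookup = make_lookup(zone)
    nameservers = sorted(zone)
    txt_ok, txt_answers = check_consistency(lookup, nameservers, dcv_name, "TXT")
    caa_ok, _ = check_consistency(lookup, nameservers, caa_owner, "CAA")
    return {
        "txt_consistent": txt_ok,
        "txt_missing_on": [ns for ns, a in txt_answers.items() if a is None],
        "caa_consistent": caa_ok,
        "caa_permits_digicert": {ns: caa_permits(lookup, ns, fqdn) for ns in nameservers},
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(audit(SAMPLE_ZONE, "_dnsauth.example.com", "example.com", "www.example.com"))
```

On the constructed snapshot the audit reports the CAA RRset as consistent and permitting DigiCert on every server, but flags the TXT record as missing on ns3.example-dns.net; with MPIC, a perspective that happens to be answered by that server would not corroborate, which is exactly the kind of partial-propagation problem to fix before requesting the certificate.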
 

Troubleshooting MPIC validation issues

If you do experience issues, DigiCert recommends checking your domain's DNS configuration to ensure it is accessible and returns consistent answers from multiple regions. Querying each authoritative nameserver directly, and from more than one network, will show whether any server or region is answering differently or not at all. To check or change the configuration, you may need to contact your DNS provider.