Knowledge Base

DigiCert Using MPIC to Verify Domain Control and Perform CAA Checks

Solution ID : SO499

Last Modified : 04/28/2026

Important: This is a dynamic article. We will update it as more information becomes available. Save this page and check back periodically for the latest information.

Starting June 1, 2026, and finishing no later than June 14, 2026, DigiCert will update MPIC to require corroboration from at least four remote network locations across at least two different Regional Internet Registry regions to comply with the next phase of the CA/Browser Forum MPIC requirements.

Background

In March 2025, DigiCert started checking domain control and CAA record details from multiple network locations per CA Browser Forum requirements, in advance of future phases of Multi-Perspective Issuance Corroboration (MPIC).
In September 2025, DigiCert enhanced its certificate validation and issuance process by implementing the next phase of MPIC and enforcing corroboration using at least two remote network locations.
In February 2026, DigiCert updated MPIC to require corroboration across at least three remote network locations in at least two different Regional Internet Registry regions to comply with the next phase of CA/Browser Forum MPIC requirements.

What is corroboration?

Corroboration means that multiple network perspectives must return the same DNS record details or website file contents for a given domain before the domain can be considered validated and before the certificate can be issued. MPIC requirements apply to both Domain Control Validation (DCV) and Certificate Authority Authorization (CAA) checks.

Benefits of using corroboration

This redundancy provides stronger protection against security threats, helping catch and block unauthorized attempts to intercept or alter data as it travels across networks. For you, this means enhanced security and increased confidence that only authorized parties obtain certificates for your domains.

Items covered in this article

How does the MPIC process work?
- Domain control validation (DCV)
- DNS Certification Authority Authorization (CAA)
What do I need to do?

How does the MPIC process work?

To begin, DigiCert performs its standard validation check from our primary network. This check is then repeated from additional remote locations, each on different networks and in different geographical regions. The table below outlines the number of corroborations required for domain control to be verified, for CAA checks to pass, and for a certificate to be issued.

Corroborations required in the CA/Browser Forum

CA/Browser Forum Timelines	Number of Distinct Remote Network Perspectives Used	Number of Allowed Non-corroborations¹
Phase one: effective March 2025	Check from multiple network locations only.	Not applicable
Phase two: effective September 2025	Check from at least 2 remote network locations.	One non-corroboration allowed.
Phase three: effective February 2026	Check from at least 3 remote network locations and from at least 2 different Regional Internet Registries (RIRs).	One non-corroboration allowed.
Phase four: effective June 2026	Check from at least 4 remote network locations and from at least 2 different RIRs.	One non-corroboration allowed.
Phase five: effective December 2026	Check from at least 5 remote network locations and from at least 2 different RIRs.	One non-corroboration allowed.
¹When checking from 2 to 5 remote locations and RIRs, if more than one network perspective fails to corroborate (return the same results as) the primary network’s details, DigiCert validation and certificate issuance cannot proceed.

Domain control validation (DCV)

MPIC applies to all common domain control validation (DCV) methods, including:

DNS TXT record
DNS CNAME Record
Email to DNS TXT contact
Email to CAA contact
HTTP Practical Demonstration
- Domains and IP addresses
HTTP Practical Demonstration with a unique file name
ACME HTTP-01
ACME DNS-01

The corroboration requirements apply to each DCV method listed above. If an insufficient number of network locations corroborate the primary network’s details, the domain validation will fail, and the certificate cannot be issued. This redundancy ensures that only those with legitimate domain control can obtain certificates for said domains. Learn more about these domain control validation (DCV) methods.

DNS Certificate Authority Authorization (CAA) check

MPIC also applies to the CAA record check DigiCert performs to make sure we have permission to issue the certificate for a domain. Remember, before DigiCert can issue a TLS/SSL certificate or a Secure Email (S/MIME) certificate, we must check, process, and abide by the domain or email domain’s DNS CAA resource records. Learn more about the DNS CAA resource record check.

What do I need to do?

You should have little to do before we implement each phase of MPIC. However, for the HTTP Practical Demonstration DCV method, you may need to do some work beforehand. For other DCV methods and the CAA check, the tasks fall more into the troubleshooting category.

Start by auditing your current validation setup. Verify what DCV methods you are using. Are you using the HTTP Practical demonstration, DNS TXT record, or Email to CAA contact?

If using HTTP Practical Demonstration, check for anything that could block or delay validation requests from multiple locations, like strict network controls. See Add User Agents DigiCert DCV/1.1 and DigiCert DCV Bot/1.1 or IP addresses to your allowlist below.
If using DNS-based DCV methods, such as DNS TXT record or Email to DNS TXT contact, check for inconsistent DNS behavior. See Verify DNS record access below.

Add User Agents DigiCert DCV/1.1 and DigiCert DCV Bot/1.1 or IP addresses to your allowlist

If using the HTTP practical demonstration DCV methods and an allowlist to control inbound traffic, then action is required. Updating your allowlist ensures DigiCert can access the .txt file containing the random value at a predetermined location on your website.

Add the user agent or IP addresses to your allowlist:

Add both User Agents DigiCert DCV/1.12 and DigiCert DCV Bot/1.1 to your allowlist.

If possible, we recommend adding the User Agents to your allowlist. Adding the User Agents ensures you are covered if new IP addresses are introduced, as they automatically include all the IP addresses used by the MPIC agents.
Note: On February 24, 2026, DigiCert added the User Agent DigiCert DCV/1.12. If you are adding User Agents to an allowlist instead of the IP addresses, you must add both User Agents.
Add the following MPIC agent IP addresses to your allowlist:

MPIC agents' IP addresses	52.78.185.62 52.197.215.146 216.168.240.4 216.168.247.9 202.65.16.4 54.185.245.130 13.58.90.0 52.17.48.104 18.193.239.14 54.227.165.213 54.241.89.140
These are the IP addresses being used right now. However, we will continue to add more. If possible, we strongly recommend allowlisting the user agent instead.

Verify DNS record access

There is a chance you could experience a disruption to your certificate issuance process if using:

DNS-based DCV methods: DNS TXT record, DNS CNAME record, Email to DNS TXT contact, and Email to CAA contact
CAA resource records: Used to control which CAs can issue certificates for your domains

You should check that changes propagate reliably across all authoritative nameservers and that your TTL settings allow for timely updates.

Conducting these checks can help ensure that DigiCert can locate the random value or email contact within your DNS record and confirm access to the CAA resource record, thereby authorizing us to issue TLS and S/MIME certificates for your domains.

Troubleshooting MPIC validation issues

If you do experience issues, DigiCert recommends checking your domain's DNS configuration to ensure it is accessible from multiple regions. To check the configuration, you may need to contact your DNS provider.

choose your language