DigiCert Using MPIC to Verify Domain Control and Perform CAA Checks

Solution ID : SO499
Last Modified : 01/17/2026

Important: This is a dynamic article. We will update it as more information becomes available. Save this page and check back periodically for the latest information.

Starting February 24, 2026, DigiCert will update MPIC to enforce corroboration using at least three remote network locations from at least two different Regional Internet Registry regions to comply with the next phase of CA/Browser Forum MPIC requirements.

Background

In March 2025, DigiCert started checking domain control and CAA record details from multiple network locations per CA/Browser Forum requirements, in advance of future phases of Multi-Perspective Issuance Corroboration (MPIC). In September 2025, DigiCert enhanced its certificate validation and issuance process by implementing the next phase of MPIC and enforcing corroboration using at least two remote network locations.

Important: On February 24, 2026, DigiCert will add another User Agent and two new IP addresses to the MPIC agents' IP addresses. See the "Add User Agents DigiCert DCV /1.1 and DigiCert DCV Bot/1.1 or IP addresses to your allowlist" section below.


What is corroboration?

Corroboration means that multiple network perspectives must return the same DNS record details or website file contents for a given domain before the domain can be considered validated and before the certificate can be issued. MPIC requirements apply to both Domain Control Validation (DCV) and Certificate Authority Authorization (CAA) checks.

Benefits of using corroboration

This redundancy provides stronger protection against security threats, helping catch and block unauthorized attempts to intercept or alter data as it travels across networks. For you, this means enhanced security and increased confidence that only authorized parties obtain certificates for your domains.

How does the MPIC process work?


To begin, DigiCert performs its standard validation check from our primary network. This check is then repeated from additional remote locations, each on different networks and in different geographical regions. The table below outlines the number of corroborations required for domain control to be verified, for CAA checks to pass, and for a certificate to be issued.

Corroborations required in the CA/Browser Forum

| CA/Browser Forum Timelines | Number of Distinct Remote Network Perspectives Used | Number of Allowed Non-corroborations |
| --- | --- | --- |
| Phase one: effective March 2025 | Check from multiple network locations only. | Not applicable |
| Phase two: effective September 2025 | Check from at least 2 remote network locations. | One non-corroboration allowed. [1] |
| Phase three: effective February 2026 | Check from at least 3 remote network locations and from at least 2 different Regional Internet Registries (RIRs). | One non-corroboration allowed. [1] |

[1] When checking from 2 to 5 remote locations and RIRs, if more than one network perspective fails to corroborate (return the same results as) the primary network’s details, DigiCert validation and certificate issuance cannot proceed.
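The pass/fail rule in the table can be expressed as a small decision function. This is an added example, not DigiCert's implementation: the phase labels, location names and sample CAA answer are constructed, and it assumes RIR diversity is counted among the locations that agree with the primary.

```python
from dataclasses import dataclass

# Thresholds from the table above; the phase keys are labels chosen for this example.
PHASES = {
    "phase_two": {"min_remote": 2, "min_rirs": 1},
    "phase_three": {"min_remote": 3, "min_rirs": 2},
}
MAX_NON_CORROBORATIONS = 1  # footnote 1, stated for 2 to 5 remote locations


@dataclass(frozen=True)
class Observation:
    location: str      # constructed label, not a real vantage point
    rir: str           # Regional Internet Registry serving that location
    answer: frozenset  # DNS record values or file contents seen from there


def corroborate(primary_answer, remotes, phase="phase_three"):
    """Return (ok, reason) for one DCV or CAA check."""
    rule = PHASES[phase]
    if len(remotes) > 5:
        return False, "more than 5 remote locations is outside what this model covers"
    if len(remotes) < rule["min_remote"]:
        return False, f"{len(remotes)} remote locations, need {rule['min_remote']}"
    agree = [r for r in remotes if r.answer == primary_answer]
    disagree = [r.location for r in remotes if r.answer != primary_answer]
    if len(disagree) > MAX_NON_CORROBORATIONS:
        return False, "non-corroborating: " + ", ".join(disagree)
    # Assumption: RIR diversity is counted among the locations that agree.
    rirs = {r.rir for r in agree}
    if len(rirs) < rule["min_rirs"]:
        return False, f"agreeing locations span {len(rirs)} RIR(s), need {rule['min_rirs']}"
    return True, f"{len(agree)}/{len(remotes)} corroborate across {len(rirs)} RIR(s)"


# Constructed sample: one CAA answer seen by the primary and by four remote locations.
PRIMARY = frozenset({'0 issue "ca.example"'})
SAMPLE = [
    Observation("remote-a", "ARIN", PRIMARY),
    Observation("remote-b", "ARIN", PRIMARY),
    Observation("remote-c", "RIPE NCC", PRIMARY),
    Observation("remote-d", "APNIC", frozenset()),  # e.g. a blocked or timed-out query
]

if __name__ == "__main__":
    print(corroborate(PRIMARY, SAMPLE))                   # passes: 3 of 4 agree, 2 RIRs
    print(corroborate(PRIMARY, SAMPLE[:2] + SAMPLE[3:]))  # fails: agreeing locations share one RIR
```

A single location that cannot reach your DNS or web server is tolerated; a second one, or agreement from only one RIR region, stops issuance under this model.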


Domain control validation (DCV)

MPIC applies to all common domain control validation (DCV) methods, including:

  • DNS TXT record
  • DNS CNAME Record
  • Email to DNS TXT contact
  • Email to CAA contact
  • HTTP Practical Demonstration
    • Domains and IP addresses
  • HTTP Practical Demonstration with a unique file name
  • ACME HTTP-01
  • ACME DNS-01 

The corroboration requirements apply to each DCV method listed above. If an insufficient number of network locations corroborate the primary network’s details, the domain validation will fail, and the certificate cannot be issued. This redundancy ensures that only those with legitimate domain control can obtain certificates for said domains. Learn more about these domain control validation (DCV) methods.
 

DNS Certificate Authority Authorization (CAA) check

MPIC also applies to the CAA record check DigiCert performs to make sure we have permission to issue the certificate for a domain. Remember, before DigiCert can issue a TLS/SSL certificate or a Secure Email (S/MIME) certificate, we must check, process, and abide by the domain or email domain’s DNS CAA resource records. Learn more about the DNS CAA resource record check.
 

What do I need to do?

You should have little to do before we implement this next phase of MPIC. However, depending on the DCV method you are using, some items may require action in advance, while others fall more into the troubleshooting category.

Start by auditing your current validation setup. Verify which DCV methods you are using. Are you using HTTP Practical Demonstration, DNS TXT record, or Email to CAA contact?

  • If using HTTP Practical Demonstration, check for anything that could block or delay validation requests from multiple locations, like strict network controls. See Add User Agent DigiCert DCV Bot/1.1 to your allowlist below.
  • If using DNS-based DCV methods, such as DNS TXT record or Email to DNS TXT contact, check for inconsistent DNS behavior. See Verify DNS record access below.
     

Add User Agents DigiCert DCV /1.1 and DigiCert DCV Bot/1.1 or IP addresses to your allowlist

If you use the HTTP Practical Demonstration DCV methods and an allowlist to control inbound traffic, action is required. Updating your allowlist ensures DigiCert can access the .txt file containing the random value at a predetermined location on your website.

Before September 1, 2025, add the user agent or IP addresses to your allowlist:

  • Add both User Agents DigiCert DCV /1.1 [2] and DigiCert DCV Bot/1.1 to your allowlist.
    If possible, we recommend adding the User Agents to your allowlist. Adding the User Agents ensures you are covered if new IP addresses are introduced, as they automatically include all the IP addresses used by the MPIC agents.

    [2] Note: On February 24, 2026, DigiCert will add another User Agent, marked with [2] above. If you are adding User Agents to your allowlist instead of the IP addresses, you must add both User Agents.

  • Add the following MPIC agent IP addresses to your allowlist:

    • 52.78.185.62 [3]
    • 52.197.215.146 [3]
    • 216.168.240.4
    • 216.168.247.9
    • 202.65.16.4
    • 54.185.245.130
    • 13.58.90.0
    • 52.17.48.104
    • 18.193.239.14
    • 54.227.165.213
    • 54.241.89.140

    These are the IP addresses being used right now. However, we will continue to add more. If possible, we strongly recommend allowlisting the user agent instead.

    [3] Note: On February 24, 2026, DigiCert will add two new IP addresses, marked with [3] above.
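To confirm the allowlist is working, the web server's access log can be searched for DCV requests that were refused. The following is an added example, not DigiCert code; it assumes Combined Log Format, and the log lines, source addresses and file path in it are constructed.

```python
import re
from collections import Counter

# User-Agent strings as written in this article.
DCV_USER_AGENTS = ("DigiCert DCV /1.1", "DigiCert DCV Bot/1.1")

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+ "[^"]*" "([^"]*)"$')


def refused_dcv_requests(log_lines):
    """Count DCV requests that got a non-200 answer, keyed by (source, status, request)."""
    refused = Counter()
    for line in log_lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not Combined Log Format; skipped rather than guessed at
        source, request, status, agent = m.groups()
        if any(ua in agent for ua in DCV_USER_AGENTS) and status != "200":
            refused[(source, status, request)] += 1
    return refused


# Constructed log lines; addresses are documentation ranges and the path is a placeholder.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Feb/2026:10:00:01 +0000] "GET /placeholder/file.txt HTTP/1.1" 200 64 "-" "DigiCert DCV Bot/1.1"',
    '198.51.100.7 - - [24/Feb/2026:10:00:02 +0000] "GET /placeholder/file.txt HTTP/1.1" 403 162 "-" "DigiCert DCV /1.1"',
    '198.51.100.7 - - [24/Feb/2026:10:00:05 +0000] "GET /placeholder/file.txt HTTP/1.1" 403 162 "-" "DigiCert DCV /1.1"',
    '203.0.113.5 - - [24/Feb/2026:10:00:09 +0000] "GET / HTTP/1.1" 403 162 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (source, status, request), count in refused_dcv_requests(SAMPLE_LOG).items():
        print(f"{count}x {status} from {source}: {request}")
```

Any source address it reports is one your inbound controls turned away; compare it with the MPIC agent list above before adjusting the allowlist.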


Verify DNS record access

There is a chance you could experience a disruption to your certificate issuance process if using:

  • DNS-based DCV methods: DNS TXT record, DNS CNAME record, Email to DNS TXT contact, and Email to CAA contact
  • CAA resource records: Used to control which CAs can issue certificates for your domains

You should check that changes propagate reliably across all authoritative nameservers and that your TTL settings allow for timely updates.

Conducting these checks can help ensure that DigiCert can locate the random value or email contact within your DNS record and confirm access to the CAA resource record, thereby authorizing us to issue TLS and S/MIME certificates for your domains.
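One way to run this check is to query each authoritative nameserver directly (for example with `dig +norecurse +noall +answer`) and compare the answers. The following is an added example, not a DigiCert tool; the nameserver names, record values and the one-hour TTL threshold are constructed assumptions.

```python
def parse_answer(dig_output):
    """Parse answer-section lines into {(type, rdata): ttl}."""
    records = {}
    for line in dig_output.splitlines():
        parts = line.strip().split(None, 4)  # owner, TTL, class, type, rdata
        if len(parts) == 5 and not parts[0].startswith(";") and parts[1].isdigit():
            records[(parts[3].upper(), parts[4])] = int(parts[1])
    return records


def audit(per_ns_output, max_ttl=3600):
    """List records not served by every nameserver, and records with a long TTL."""
    parsed = {ns: parse_answer(out) for ns, out in per_ns_output.items()}
    findings = []
    for record in sorted(set().union(*parsed.values())):
        serving = sorted(ns for ns, recs in parsed.items() if record in recs)
        if len(serving) != len(parsed):
            findings.append(("inconsistent", record, serving))
        slow = [ns for ns in serving if parsed[ns][record] > max_ttl]
        if slow:
            findings.append(("long-ttl", record, slow))
    return findings


# Constructed answers: ns2 still serves the old TXT value with a one-day TTL.
SAMPLE = {
    "ns1.example.net": (
        'example.com. 300 IN TXT "new-constructed-value"\n'
        'example.com. 300 IN CAA 0 issue "ca.example"\n'
    ),
    "ns2.example.net": (
        'example.com. 86400 IN TXT "old-constructed-value"\n'
        'example.com. 300 IN CAA 0 issue "ca.example"\n'
    ),
}

if __name__ == "__main__":
    for kind, (rtype, rdata), servers in audit(SAMPLE):
        print(kind, rtype, rdata, "on", ", ".join(servers))
```

An "inconsistent" finding means perspectives that reach different nameservers can see different records, which is the condition that prevents corroboration.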
 

Troubleshooting MPIC validation issues

If you do experience issues, DigiCert recommends checking your domain's DNS configuration to ensure it is accessible from multiple regions. To check the configuration, you may need to contact your DNS provider.