Cloudflare Docs
SSL/TLS
Cloudflare Docs
SSL/TLS
Search icon (depiction of a magnifying glass)
GitHub icon
Visit SSL/TLS on GitHub
Set theme to dark (⇧+D)
  1. Products
  2. SSL/TLS
  3. ...
  4. ...
  5. Methods
  6. Email

Email DCV method

Email based validation will send an approval email to the contacts listed for a given domain in WHOIS, along with the following addresses: admin@, administrator@, hostmaster@, postmaster@, and webmaster@.

​​ Limitations

Based on your chosen Certificate Authority, you may not be able to use email verification with advanced certificates.

Selecting Let’s Encrypt as a CA limits a certificate 90 days for the Certificate Validity Period.

If using the API to order your certificate, this action also defaults cloudflare_branding to false.

​​ Setup

​​ Specify DCV method

If you want to use a Universal SSL certificate, you will need to edit the validation_method via the API and specify your chosen validation method.

Alternatively, you could order an advanced certificate via the dashboard or the API.

​​ View DCV values

Once you specify your chosen validation method, you can access the validation values by:

  • Going to SSL/TLS > Edge Certificates in the dashboard and selecting a certificate.
  • Getting certificate details by making a GET request with status=pending_validation in the request parameter and finding the validation_method and validation_records.

Once you locate your certificate, find the following values:

  • API: emails
  • Dashboard: Certificate validation email recipients.

​​ Complete DCV

The addresses listed in this field will receive an email from support@certvalidate.cloudflare.com. They should either click Review Certificate Request or the https://certvalidate.cloudflare.com hyperlink.

Example of the Certificate Validation Email

As soon as the domain owner has clicked the link in this email and clicked Approve on the validation page, the certificate will move through the various statuses until it becomes Active.

Once you update your DNS records, you can either wait for the next retry or request an immediate recheck.

To request an immediate recheck, send another PATCH request with the same validation_method as your current validation method.

​​ Renew DCV tokens

If possible, DCV tokens for proxied hostnames are always renewed via HTTP.

However, some certificates — for example, if you are using wildcard certificates or certificates with multiple SANs or your hostname is not proxied — are not eligible for HTTP validation.

If your certificate is not eligible for HTTP validation, you will need to repeat the DCV process with your chosen method. Cloudflare generates these renewal TXT tokens 30 days before certificate expiration.