Automate AWS Certificate Manager email validation - AWS Certificate Manager
Validation email templatesValidation workflow
This documentation is a draft for private preview for regions in the AWS European Sovereign Cloud. Documentation content will continue to evolve. Published: January 3, 2026.

Automate AWS Certificate Manager email validation

Validation email templates

Validating a new certificate

Email template text:

Once you receive a new validation message from AWS, we recommend that you use it as the most up-to-date and authoritative template for your parser. Customers with message parsers designed before November, 2020, should note the following changes that may have been made to the template:

  • The email subject line now reads "Certificate request for domain name" instead of "Certificate approval for domain name".

  • The AWS account ID is now presented without dashes or hyphens. 

  • The Certificate Identifier now presents the entire certificate ARN instead of a shortened form, for example, arn:aws:acm:us-east-1:000000000000:certificate/3b4d78e1-0882-4f51-954a-298ee44ff369 rather than 3b4d78e1-0882-4f51-954a-298ee44ff369.

  • The approval form opened by clicking the certificate approval URL now contains the approval button. The name of the approval button div is now approve-button instead of approval_button.

  • Validation messages for both newly requested certificates and renewing certificates have the same email format.

Validation workflow

This section provides information about the renewal workflow for email-validated certificates.

  • When the ACM console processes a multi-domain certificate request, it sends validation email messages to the domain name or the validation domain that you specify when you request a public certificate. The domain owner needs to validate an email message for each domain before ACM can issue the certificate. For more information, see Using Email to Validate Domain Ownership.

  • Email validation for multi-domain certificate requests using the ACM API or CLI results in an email message being sent by each requested domain, even if the request includes subdomains of other domains in the request. The domain owner needs to validate an email message for each of these domains before ACM can issue the certificate.

    If you resend emails for an existing certificate through the ACM console, emails will be sent to the validation domain specified in the original certificate request, or the exact domain if no validation domain was specified. To receive validation emails at a different domain, you can request a new certificate, specifying the validation domain that you want to use for validation. Alternatively, you can call ResendValidationEmail with the ValidationDomain parameter using the API, SDK, or CLI. However, the validation domain specified in the ResendValidationEmail request is only used for that call and is not saved to the certificate Amazon Resource Name (ARN) for future validation emails. You must call ResendValidationEmail each time you wish to receive a validation email at a domain name that was not specified in the original certificate request.

    Note

    Prior to November, 2020, customers needed to validate only the apex domain and ACM would issue a certificate that also covered any subdomains. Customers with message parsers designed before that time should note the change to the email validation workflow.

  • With the ACM API or CLI, you can force all validation email messages for a multi-domain certificate request to be sent to the apex domain. In the API, use the DomainValidationOptions parameter of the RequestCertificate action to specify a value for ValidationDomain, which is a member of the DomainValidationOption type. In the CLI, use the --domain-validation-options parameter of the request-certificate command to specify a value for ValidationDomain.