CA/Browser Forum Domain Validation Changes in 2026
Major changes are coming to how SSL certificates verify domain ownership. Understand DNSSEC enforcement, email/phone DCV deprecation, and prepare your organization for compliance.
Executive Summary
The CA/Browser Forum has approved several ballots that fundamentally change how Certificate Authorities (CAs) verify domain ownership before issuing SSL certificates. These changes, effective from March 2026 through 2028, aim to strengthen the security of the Web PKI ecosystem by requiring DNSSEC validation and phasing out weaker email and phone-based validation methods.
Quick Action Checklist
- If you have DNSSEC enabled: Test configuration before March 2026
- If you use email DCV: Plan migration to DNS/HTTP validation by 2027
- Consider implementing ACME automation for certificate renewals
- Review your DNS provider's DNSSEC status and settings
Understanding Domain Control Validation (DCV)
Domain Control Validation (DCV) is the foundational step in SSL certificate issuance. Before any Certificate Authority issues a certificate for your domain, it must verify that you actually control that domain. This prevents attackers from obtaining certificates for domains they don't own.
The CA/Browser Forum's Baseline Requirements define the approved methods CAs can use for DCV. Currently, these include:
Email-Based Methods
- admin@, administrator@, hostmaster@
- postmaster@, webmaster@
- WHOIS contact emails
- DNS TXT record email addresses
⚠️ Being deprecated by March 2028
DNS/HTTP Methods
- DNS TXT record validation
- DNS CNAME record validation
- HTTP file-based (.well-known)
- IP address validation
✓ Recommended methods going forward
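The DNS TXT and HTTP file methods above are the ones ACME clients automate. The following added example (not code from the original page or from any CA or ACME client) computes what a CA actually looks for in each case, using the RFC 8555 dns-01 and http-01 challenge definitions, and includes a pre-flight check you can run against the TXT RRset or HTTP body you have published before requesting issuance. The account-key coordinates, the token and the domain are constructed sample values, not real key material.

```python
import base64
import hashlib
import json

# Constructed sample values (not real account key material, not a real token):
# a P-256 ACME account public key in JWK form and a token in the shape an
# ACME server hands out. None of these come from the article.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
SAMPLE_TOKEN = "DGyRejmCefe7v4NfDGDKfA"
DOMAIN = "example.com"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 8555 requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    lexicographically ordered, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(account key thumbprint)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_expected(domain: str, token: str, jwk: dict):
    """URL the CA fetches over plain HTTP, and the exact body it expects."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, jwk)


def dns01_expected(domain: str, token: str, jwk: dict):
    """TXT owner name and value: base64url(SHA-256(key authorization))."""
    name = f"_acme-challenge.{domain}."
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return name, b64url(digest)


def preflight_dns01(txt_rrset, domain: str, token: str, jwk: dict) -> bool:
    """True if the published TXT RRset already contains the expected value,
    i.e. what a CA's (DNSSEC-validating) resolver would find."""
    _, expected = dns01_expected(domain, token, jwk)
    return expected in txt_rrset


def preflight_http01(body: str, domain: str, token: str, jwk: dict) -> bool:
    """RFC 8555 section 8.3: body must equal the key authorization;
    trailing whitespace is tolerated by CAs, so it is stripped here too."""
    _, expected = http01_expected(domain, token, jwk)
    return body.rstrip() == expected


if __name__ == "__main__":
    print("http-01:", *http01_expected(DOMAIN, SAMPLE_TOKEN, SAMPLE_JWK))
    print("dns-01: ", *dns01_expected(DOMAIN, SAMPLE_TOKEN, SAMPLE_JWK))
```

Running the script prints the URL/body pair for http-01 and the TXT name/value pair for dns-01; feed the records you actually published into the two preflight functions before asking the CA to validate, which catches the common failure of a stale or truncated TXT value.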
The CA/Browser Forum is an industry group comprising major CAs (DigiCert, Sectigo, GlobalSign, etc.) and browser vendors (Google, Apple, Mozilla, Microsoft). Their decisions become binding standards for all publicly-trusted certificates. These 2026 changes represent the most significant DCV updates in years.
DNSSEC Requirements (Ballot SC-085v2)
Effective Date: March 15, 2026
Ballot SC-085v2 mandates that Certificate Authorities validate DNSSEC when performing DNS lookups for domain validation and CAA record checks. This change ensures that if a domain has DNSSEC enabled, the cryptographic chain of trust is verified before issuing certificates.
What is DNSSEC?
DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records. When properly configured, it prevents attackers from spoofing DNS responses—a technique that could otherwise be used to fraudulently prove domain control during certificate validation.
Critical Impact: Misconfigured DNSSEC
If your domain has DNSSEC enabled but misconfigured, certificate issuance will fail after March 15, 2026. Common issues include:
- Expired DNSSEC signatures (RRSIG records)
- Broken delegation chain (DS/DNSKEY mismatch)
- Missing NSEC/NSEC3 records
- Algorithm rollover errors
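Two of these failure modes, an expired RRSIG and a DS/DNSKEY mismatch, can be checked offline from zone data before a renewal. The following added example (not code from the original page) implements the RFC 4034 key-tag calculation (Appendix B), the SHA-256 DS digest (section 5.1.4) over the canonical owner-name wire form, and an RRSIG validity-window classifier with an "expiring soon" margin. The DNSKEY, DS and RRSIG records are constructed placeholders in zone-file presentation format, not a real signed zone, and the four-byte "public key" is deliberately tiny so the key tag can be verified by hand.

```python
import base64
import hashlib
import struct
from datetime import datetime, timezone

# Constructed records (not from a real zone). The DNSKEY "public key" is the
# bytes 00 01 02 03, which makes its key tag 1554 by hand; the RRSIG signature
# field is a placeholder.
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 13 AAECAw=="
SAMPLE_RRSIG = ("example.com. 3600 IN RRSIG A 13 2 3600 "
                "20260401000000 20260301000000 1554 example.com. c2lnbmF0dXJl")

RRSIG_TIME = "%Y%m%d%H%M%S"


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 section 6.2): lowercase, length-prefixed
    labels, terminated by the root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_dnskey(record: str):
    """Return (owner, flags, algorithm, rdata bytes) from presentation format."""
    owner, _ttl, _cls, _typ, flags, proto, alg, key_b64 = record.split()
    rdata = struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode(key_b64)
    return owner, int(flags), int(alg), rdata


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit ones-complement-style sum over the RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256(owner name wire || DNSKEY RDATA), upper-case hex."""
    return hashlib.sha256(owner_name_wire(owner) + rdata).hexdigest().upper()


def ds_matches_dnskey(ds_record: str, dnskey_record: str) -> bool:
    """Check a parent-zone DS against the child's DNSKEY: tag, algorithm,
    digest type and digest must all agree, else the chain of trust is broken."""
    _o, _t, _c, _typ, tag, alg, dtype, digest = ds_record.split()
    owner, _flags, key_alg, rdata = parse_dnskey(dnskey_record)
    return (int(tag) == key_tag(rdata) and int(alg) == key_alg
            and int(dtype) == 2 and digest.upper() == ds_digest_sha256(owner, rdata))


def _ts(s: str) -> datetime:
    return datetime.strptime(s, RRSIG_TIME).replace(tzinfo=timezone.utc)


def parse_rrsig(record: str):
    """Fields after the type: covered, alg, labels, orig TTL, expiration,
    inception, key tag, signer, signature."""
    f = record.split()
    return _ts(f[8]), _ts(f[9]), int(f[10]), f[11]


def rrsig_status(record: str, now_utc: str, zsk_key_tag: int, margin_days: int = 7) -> str:
    """Classify an RRSIG at a clock given in the RRSIG time format (UTC)."""
    exp, inc, tag, _signer = parse_rrsig(record)
    now = _ts(now_utc)
    if tag != zsk_key_tag:
        return "key-tag-mismatch"
    if now < inc:
        return "not-yet-valid"
    if now >= exp:
        return "expired"
    if (exp - now).days < margin_days:
        return "expiring-soon"
    return "valid"


if __name__ == "__main__":
    owner, flags, alg, rdata = parse_dnskey(SAMPLE_DNSKEY)
    print("key tag:", key_tag(rdata), "DS digest:", ds_digest_sha256(owner, rdata))
    print("RRSIG on 2026-03-28:", rrsig_status(SAMPLE_RRSIG, "20260328000000", key_tag(rdata)))
```

A one-week margin is a reasonable alarm threshold because most signers re-sign well before expiry; an RRSIG that gets within a few days of its expiration usually means the signing job has stopped running, which is exactly the state that will block issuance after March 15, 2026.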
Test Your DNSSEC Configuration
Before the March 2026 deadline, verify your DNSSEC configuration using these authoritative tools:
- DNSViz (dnsviz.net) - Visual DNSSEC validation chain analysis
- Verisign DNSSEC Analyzer - Comprehensive delegation checking
- ICANN DNSSEC Validation Tool - Root zone verification
- Use our CAA Lookup tool to verify CAA records are resolving correctly
Important: If your domain does NOT have DNSSEC enabled (the majority of domains), these changes do not affect you directly. DNSSEC remains optional—the new requirement only mandates validation when DNSSEC is present.
Sunset of Email & Phone-Based DCV (Ballot SC-090)
Ballot SC-090 establishes a multi-year phase-out of email and phone-based domain validation methods. This represents a fundamental shift in how domain ownership is verified.
Complete Deprecation Timeline
- Crossover method (3.2.2.4.8) sunset. Email and phone-based methods officially discouraged but still available.
- Phone-based validation methods fully sunset. No new certificates using phone verification.
- Email-based validation methods completely sunset. All certificates must use DNS, HTTP, or IP-based validation.
Why Email DCV Is Being Deprecated
The CA/Browser Forum identified several security vulnerabilities in email-based domain validation:
- MX Hijacking: BGP attacks can redirect mail server traffic to attacker-controlled servers
- Weak Binding: Email access doesn't cryptographically prove domain control
- Third-Party Risks: Email provider compromises can enable fraudulent validation
- MPIC Limitations: Multi-perspective validation can't fully protect email routes
Affected DCV Methods
The following Baseline Requirements methods are being sunset:
- 3.2.2.4.2 - Email to Domain Contact
- 3.2.2.4.4 - Constructed Email to Domain
- 3.2.2.4.5 - Phone Contact with Domain
- 3.2.2.4.8 - Crossover Method (using existing certificate)
- 3.2.2.4.13 - Email to DNS TXT Contact
- 3.2.2.4.14 - Email to DNS CAA Contact
- 3.2.2.4.15 - Phone with DNS TXT Record
- 3.2.2.4.16 - Phone with DNS CAA Record
DNSSEC Exception for Email DCV (Ballot SC-094v2)
Passed: January 2026
Ballot SC-094v2 creates a practical exception: email-based DCV methods are exempt from DNSSEC enforcement requirements. Since email validation is already scheduled for deprecation by 2028, requiring CAs to implement DNSSEC validation for a dying method would add unnecessary complexity.
This ballot passed with unanimous approval from both CA and browser voting members, demonstrating industry consensus on pragmatic implementation of security improvements.
Practical Implication
If you currently use email-based validation and have DNSSEC configured, you can continue using email DCV until its sunset date without DNSSEC blocking your certificate issuance. However, we still recommend migrating to DNS/HTTP-based validation as soon as practical.
What This Means for Website Owners
Impact by Current Validation Method
| Current Method | Impact | Action Required |
|---|---|---|
| DNS TXT/CNAME | Low impact | Test DNSSEC if enabled |
| HTTP File | Low impact | Test DNSSEC if enabled |
| ACME (Certbot, etc.) | No action needed | Already uses approved methods |
| Email (admin@, etc.) | Medium impact | Migrate by 2028 |
| Phone verification | High impact | Migrate by 2027 |
Benefits of Migration
While these changes require some adjustment, they align with industry best practices:
- Stronger security: DNS/HTTP methods demonstrate direct control of the domain's DNS zone or web server rather than access to a mailbox, and the DNS lookups are DNSSEC-validated wherever the zone is signed
- Automation-ready: DNS and HTTP methods work with ACME for automatic renewals
- Future-proof: Prepares you for shorter certificate lifetimes coming in 2026-2029
- Faster issuance: Automated validation is faster than email-based human processes
Preparing for 2026 and Beyond
Step-by-Step Preparation Checklist
Audit Current DCV Methods
Contact your certificate provider or check recent certificate orders to identify which validation methods you're using. Document all domains and their validation preferences.
Check DNSSEC Status
Use DNSViz or similar tools to verify your domain's DNSSEC configuration. If DNSSEC is enabled, ensure the signature chain is valid and not expiring before your next renewal.
Test DNS/HTTP Validation
Before your next renewal, try DNS TXT or HTTP file-based validation. Ensure you have DNS panel access or web server write permissions as needed.
Implement Certificate Automation
Consider ACME-based automation (Certbot, acme.sh, or your hosting provider's automatic SSL). This prepares you for shorter lifetimes and eliminates manual renewal processes.
Review CAA Records
Ensure your CAA records are correctly configured and include your preferred certificate authorities. CAA lookups are now subject to DNSSEC validation.
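Because the CAA check is now performed over DNSSEC-validated data, it is worth being able to predict the CA's decision from your own records. The following added example (not code from the original page or from any CA) implements the RFC 8659 evaluation: climb from the requested name to the closest ancestor that has a CAA RRset, refuse on an unknown property with the issuer-critical flag, prefer issuewild for wildcard names, and compare the issuer domain after stripping any parameters. The zone data is a constructed dictionary standing in for what a DNSSEC-validating resolver would return; the owner names, CA domains and the "futuretag" property are placeholders.

```python
# Constructed zone data (not a real zone): owner name -> CAA records as
# (flags, tag, value). A CA would obtain these through a DNSSEC-validating
# resolver, which is what Ballot SC-085v2 requires of it from March 2026.
SAMPLE_CAA = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "digicert.com; accounturi=placeholder"),
        (0, "issuewild", ";"),                      # nobody may issue wildcards
        (0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.net.": [(128, "futuretag", "x")],  # unknown tag, critical bit set
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parent(name: str):
    """Parent domain with trailing dot, or None once the TLD is reached."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else None


def relevant_caa(zones: dict, fqdn: str):
    """RFC 8659 section 3: the CAA RRset at the name itself, or at the
    closest ancestor that has one; empty if no ancestor has any."""
    name = fqdn.lower().rstrip(".") + "."
    while name:
        rrset = zones.get(name)
        if rrset:
            return rrset
        name = parent(name)
    return []


def issuer_domain(value: str) -> str:
    """'ca.example; param=x' -> 'ca.example'; a bare ';' means no issuer at all."""
    return value.split(";", 1)[0].strip().lower()


def ca_permitted(zones: dict, fqdn: str, ca_domain: str):
    """Decide whether ca_domain may issue for fqdn; returns (allowed, reason).
    A leading '*.' marks a wildcard request; the climb naturally continues
    from the wildcard label to its parent."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_caa(zones, fqdn)
    if not rrset:
        return True, "no CAA records at the name or any ancestor"
    if any(flags & 0x80 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False, "unknown property with issuer-critical flag set"
    tags = {tag.lower() for _, tag, _ in rrset}
    use = "issuewild" if wildcard and "issuewild" in tags else "issue"
    allowed = {issuer_domain(v) for _, tag, v in rrset if tag.lower() == use}
    if not allowed:
        return True, f"no {use} records; issuance not restricted by CAA"
    ok = ca_domain.lower() in allowed
    return ok, f"{ca_domain} {'listed' if ok else 'not listed'} in {use}"


if __name__ == "__main__":
    for name, ca in [("www.example.com.", "letsencrypt.org"),
                     ("*.example.com.", "letsencrypt.org"),
                     ("legacy.example.net.", "digicert.com")]:
        print(name, ca, ca_permitted(SAMPLE_CAA, name, ca))
```

Two of the cases are the ones that surprise people in practice: the wildcard request is refused even though letsencrypt.org is allowed for ordinary names, because an issuewild record of ";" takes precedence, and the legacy zone blocks every CA because an unrecognised property carries the critical flag.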
Recommended Tools
- CSR Generator - Create certificate signing requests
- SSL Checker - Verify current certificate status and expiration
- CAA Lookup - Check CAA record configuration
- External: DNSViz, Verisign DNSSEC Analyzer, Hardenize
Get SSL Certificates with Modern Validation
Our certificates support DNS and HTTP-based validation methods, ensuring compliance with 2026 requirements.
Domain Validated SSL
Starting at $9.99/year
- 256-bit Encryption
- 99.9% Browser Trust
- 24/7 Support
Sources & References
Official documentation and industry standards cited in this article
- Ballot SC-085v2: DNSSEC for DCV and CAA. CA/Browser Forum (official). Accessed January 2026.
- Ballot SC-090: Sunset Email/Phone-Based DCV Methods. CA/Browser Forum (official). Accessed January 2026.
- Ballot SC-094v2: DNSSEC Exception in Email DCV Methods. CA/Browser Forum (official). Accessed January 2026.
- RFC 4033: DNS Security Introduction and Requirements. Internet Engineering Task Force (IETF), RFC. Accessed January 2026.
- Baseline Requirements for TLS Server Certificates v2.2.2. CA/Browser Forum, standard. Accessed January 2026.
- NIST SP 800-81-2: Secure Domain Name System Deployment Guide. National Institute of Standards and Technology, standard. Accessed January 2026.