WHOIS-Based Email Verification Soon To Be History

Amy Zhang, February 18, 2025

In digital security, SSL certificates play a crucial role in protecting websites and user data. Domain name verification during certificate issuance is the step that ensures certificates are issued only to legitimate domain name owners. Major Certificate Authorities (CAs) are now making a significant change: gradually phasing out the domain name verification method based on WHOIS emails. There are strong reasons behind this change, and it will have a significant impact on website operators and certificate applicants.

The Cause of the Transformation: The Defects of WHOIS Email Verification

WHOIS verification has been in use since the early days of the Internet. It validates a domain by querying the email address in the domain's WHOIS registration information. However, this method has obvious security weaknesses:

1. Security risk: WHOIS information is public, so anyone can query a domain name's registered email address, which provides an opportunity for attackers.

2. Privacy issues: With the implementation of global privacy protection regulations (e.g. GDPR), public WHOIS information increasingly conflicts with privacy protection requirements.

3. Insufficient verification reliability: WHOIS may not accurately reflect the actual controller of a domain name, increasing the risk of certificate fraud.

In recent years, frequent domain name hijacking, certificate fraud and other security incidents have prompted CAs to re-examine the security of the authentication mechanism. The CA/Browser Forum (an industry organization composed of certificate authorities and browser vendors) has formulated a new policy requiring that the WHOIS authentication method be gradually phased out from January 8, 2025 onwards.

The Phase-out Timelines of Major CAs

Major CAs have responded to this change and announced their respective deadlines for ending the WHOIS-based domain control validation (DCV) method.

DigiCert stopped using HTTPS web-based WHOIS lookups to obtain domain contact information for domain name verification on January 8, 2025, and also ceased reusing existing domain name verifications obtained through HTTPS web-based WHOIS lookups. On May 8, 2025, it will completely stop supporting the WHOIS-based DCV method. On July 8, 2025, it is going to stop reusing all existing WHOIS-based domain name verifications.

Sectigo also took action. On January 15, 2025, it prohibited the use of WHOIS-based email verification for .nl top-level domains. On June 15, 2025, it will no longer support WHOIS-based email DCV and invalidate existing relevant DCV records.

GlobalSign has suggested monitoring the expiration dates of the domains in users' accounts and re-validating them prior to January 15th to ensure uninterrupted certificate issuance for those domains. It also recommended using a method other than WHOIS-provided email addresses, since domains using that method will all be prohibited by July 15th, 2025.

The Advantages of Domain Administrator Email

After phasing out WHOIS-based email verification, major CAs have started to strongly promote the use of domain administrator email addresses for verification, such as admin@, administrator@, webmaster@, etc. This approach has distinct advantages:

1. Higher security: the administrator email is directly associated with the domain name itself, which reduces the uncertainty in the verification process and lowers the risk of human error.

2. Privacy protection: it no longer relies on publicly available WHOIS information, better protecting the privacy of the domain owner.

3. Standardized process: The use of a standard administrator email address makes the verification process more standardized and uniform.

In addition, CAs also recommend the use of other authentication methods, such as DNS record authentication and file authentication (HTTP/HTTPS), which are also highly secure and reliable.

Recommendations for Action

To ensure a smooth migration of the verification method, users should take the following actions:

1. Set up administrator email: Configure standard administrator emails (such as admin@, webmaster@) for the domain name, and ensure that these emails can receive messages normally.

2. Test verification methods: Test the DNS record verification or file verification methods in advance to ensure their availability.

3. Update certificate management processes: Automated processes that rely on WHOIS verification should be adjusted in a timely manner to adapt to the new verification method.

4. Pay attention to CA notifications: Keep a close eye on the policy updates of major CA institutions to ensure that you are informed of the latest requirements in a timely manner.
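One way to carry out step 3 is to audit a certificate inventory against the CA dates given above. The following is an added example, not NicSRS or CA code; the inventory field names, the method labels (`whois-email`, `dns-txt`) and the status strings are assumptions, and the sample records are constructed.

```python
from datetime import date

# Dates on which existing WHOIS-based validations stop being usable,
# taken from the CA timelines in this article.
WHOIS_CUTOFF = {
    "DigiCert": date(2025, 7, 8),
    "Sectigo": date(2025, 6, 15),
    "GlobalSign": date(2025, 7, 15),
}
# The article names admin@, administrator@ and webmaster@; hostmaster@ and
# postmaster@ are the other two local parts the Baseline Requirements accept.
ADMIN_LOCAL_PARTS = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")


def constructed_addresses(domain):
    """Mailboxes a CA may use for constructed-email validation of `domain`."""
    return [f"{lp}@{domain.lower().rstrip('.')}" for lp in ADMIN_LOCAL_PARTS]


def audit(inventory, today):
    """Return one finding per record still relying on WHOIS email, most urgent first."""
    findings = []
    for rec in inventory:
        if rec["method"] != "whois-email":  # hypothetical method label
            continue
        cutoff = WHOIS_CUTOFF.get(rec["ca"])
        days_left = (cutoff - today).days if cutoff else None
        if days_left is None:
            status = "check-with-ca"  # CA not covered by the article
        elif days_left <= 0:
            status = "blocked"        # validation can no longer be reused
        else:
            status = "migrate"
        findings.append({"domain": rec["domain"], "ca": rec["ca"], "status": status,
                         "days_left": days_left,
                         "mailboxes": constructed_addresses(rec["domain"])})
    return sorted(findings, key=lambda f: (f["days_left"] is None, f["days_left"] or 0))


# Constructed sample inventory; field names and method labels are assumptions.
SAMPLE = [
    {"domain": "example.com", "ca": "DigiCert", "method": "whois-email"},
    {"domain": "Example.org", "ca": "Sectigo", "method": "whois-email"},
    {"domain": "example.net", "ca": "GlobalSign", "method": "dns-txt"},
    {"domain": "example.edu", "ca": "OtherCA", "method": "whois-email"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE, date(2025, 6, 1)):
        print(f["domain"], f["ca"], f["status"], f["days_left"], f["mailboxes"][0])
```

Each finding lists the mailboxes that must be able to receive mail before the domain is re-validated by constructed email; domains already on DNS or file validation are skipped.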

Summary

The elimination of WHOIS-based email verification and the adoption of more secure domain name administrator email verification is an important step forward in the field of Internet security. This change not only improves the security and reliability of domain name verification, but also lays a more solid foundation for the development of the digital economy. With the full implementation of the new policy, we have reason to believe that the Internet will usher in a new era of greater security and trust.

Domain owners and business users should take early action to ensure that the migration of authentication methods is completed smoothly to avoid disruption of the certificate management process.

We hope this article helps you transition smoothly to domain administrator email verification. If you have any further questions, feel free to contact NicSRS.

 
