Domain control validation sunsets on July 15, 2025, putting many companies that rely on WHOIS email at risk for service disruption
New research from CSC, an enterprise-class domain security provider and world leader in domain management, SSL management, brand protection, and anti-fraud solutions, indicates that as many as 40% of enterprises are at risk of unexpected service outages caused by out-of-date secure sockets layer (SSL) certificates. This threat stems from the reliance on WHOIS-based email addresses for domain control validation (DCV) that will be officially deprecated on July 15, 2025.
CSC analyzed over 100,000 global SSL certificate records and found that many organizations still use WHOIS email as their primary method for domain control validation, despite a 2024 vote by the CA/Browser Forum that mandates the deprecation of WHOIS-based validation due to its associated security vulnerabilities. After July 15, 2025, certificate authorities (CAs) will no longer accept WHOIS email for DCV, making alternative validation methods essential for uninterrupted operations.
Compounding the issue, 17% of companies surveyed by CSC are unaware of their current DCV method, suggesting a widespread lack of visibility and preparedness within IT and security teams. To mitigate the risk, companies should immediately audit their certificate management workflows and migrate to accepted DCV alternatives such as domain name system (DNS)-based validation or file-based web token methods.
“For years, WHOIS-based email was seen as the easiest, non-technical DCV method. Organizations that have not switched to alternative DCV methods risk serious consequences—from website outages to critical service failures. But the changes don’t stop there,” cautions CSC’s senior director of Technology, Security Products and Services, Mark Flegg. “Organizations also need to bear in mind further industry-wide shifts that will take place in the coming years. Any short-term fixes need to be aligned with this long-term trajectory where automation of certificates and DCV will become unavoidable. Organizations absolutely need to start their prep work now.”
From March 15, 2026, certificate life cycles will begin to shorten drastically—from 367 days to 200, then 100, and finally just 47 days by 2029. Correspondingly, DCV re-use periods will reduce from 367 to 200, 100, and then just 10 days by 2028. That means enterprises will be facing up to eight certificate renewals per year. With DCV at 10 days, it could mean revalidation every time a certificate needs to be re-issued.
To support enterprises through these transitions, CSC offers a comprehensive suite of digital certificate solutions that can tailor to any organization’s workflow. Its newly launched Domain Control Validation as a Service (DCVaaS)—available free of charge to its clients—streamlines the validation process, reducing certificate renewal times by up to 99% and alleviating the manual workload for IT teams.