CA/Browser Forum 11-03-2025

CA/BF Ballot SC-090: A Step Closer to Fully Automated Validation

Corey Bonnell

The Google Chrome team has proposed Ballot SC-090, which sets a multi-year timeline to phase out legacy domain and IP address validation methods that rely on email, phone, or “crossover” techniques (using IP address validation to validate domain names). The ballot marks a significant step toward allowing only validation methods that support full automation.

This proposal builds on the automation progress introduced in Ballot SC-81, which began reducing the reuse period for domain and IP address validation. Under SC-090, that period will continue to shorten over the next several years, ultimately landing at 10 days in 2029.

It’s undeniable that automation is now essential to modern certificate lifecycle management. But these updates will require adjustments for domain owners still using the soon-to-be-deprecated validation methods.

Key changes and timeline

Phase 1: March 15, 2026

Method 3.2.2.4.8 (Domain validation via IP address validation) will be prohibited. 

The Baseline Requirements have allowed domain owners to validate their domains by validating the IP address that the domain points to. However, security experts have found some potential weaknesses with this approach. Although these weaknesses would be unlikely to be exploited in practice, this method will no longer be allowed on or after March 15, 2026.

Phase 2: March 15, 2027

The following postal, fax, and phone-based contact methods will be sunset: 

  • Method 3.2.2.4.16: Phone Contact with DNS TXT Record Phone Contact 

  • Method 3.2.2.4.17: Phone Contact with DNS CAA Phone Contact 

  • Method 3.2.2.5.2: Email, Fax, SMS, or Postal Mail to IP Address Contact 

  • Method 3.2.2.5.5: Phone Contact with IP Address Contact 

Since these methods use phone calls, postcards, or fax messages, they rely on manual human intervention to perform the validation. Such manual steps run counter to the Google Chrome team’s goal of requiring ubiquitous automation for validating domain names and IP addresses included in certificates. As a result, these methods will not be allowed on or after March 15, 2027.

Phase 3: March 15, 2028

The last phase eliminates the remaining email-based validation methods: 

  • Method 3.2.2.4.4: Constructed Email to Domain Contact 

  • Method 3.2.2.4.13: Email to DNS CAA Contact 

  • Method 3.2.2.4.14: Email to DNS TXT Contact 

As a third and final step, this phase involves disallowing the use of a method popular with organizations: email-based validation. This method's relative ease of use plays a major role in its popularity, so this deprecation will likely be the most impactful. With that in mind, the Chrome team is providing more time for affected organizations to transition to automated methods.

Impact on domain owners

Domain owners who use these methods to validate their domains and IP addresses need to plan to migrate to more modern, automated methods. Automated approaches like DNS-based or HTTP-based validation are particularly good options because they allow for a certificate lifecycle management solution to automatically perform validation on an as-needed basis with no human intervention.
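To plan that migration, the timeline above can be applied to an inventory of names and the validation method each one currently uses. The following is an added example, not DigiCert or CA/Browser Forum code: the method numbers and dates are the ones listed in this article, while the inventory, the function names, and the use of method 3.2.2.4.7 (DNS Change) as an unaffected method are assumptions made for illustration.

```python
from datetime import date

# Sunset dates per method, as listed in this article (SC-090 is still a proposal).
SUNSET = {
    "3.2.2.4.8": date(2026, 3, 15),   # Phase 1: domain validation via IP address
    "3.2.2.4.16": date(2027, 3, 15),  # Phase 2: phone, fax, postal contact methods
    "3.2.2.4.17": date(2027, 3, 15),
    "3.2.2.5.2": date(2027, 3, 15),
    "3.2.2.5.5": date(2027, 3, 15),
    "3.2.2.4.4": date(2028, 3, 15),   # Phase 3: email-based methods
    "3.2.2.4.13": date(2028, 3, 15),
    "3.2.2.4.14": date(2028, 3, 15),
}

def method_allowed(method, on):
    """True if this timeline does not prohibit `method` on date `on`.

    Methods are prohibited "on or after" the sunset date, so the cutoff day
    itself is already disallowed. A method absent from SUNSET is simply not
    covered by this article's timeline.
    """
    cutoff = SUNSET.get(method)
    return cutoff is None or on < cutoff

def migration_plan(inventory, today):
    """Return affected entries as (name, method, cutoff, days_left), nearest deadline first."""
    plan = []
    for name, method in inventory:
        cutoff = SUNSET.get(method)
        if cutoff is not None:
            plan.append((name, method, cutoff, (cutoff - today).days))
    return sorted(plan, key=lambda row: (row[2], row[0]))

# Constructed sample inventory (hypothetical names, documentation address range).
INVENTORY = [
    ("shop.example.com", "3.2.2.4.4"),    # constructed email to domain contact
    ("api.example.com", "3.2.2.4.7"),     # DNS change: not on the sunset list
    ("legacy.example.net", "3.2.2.4.8"),  # validated via IP address
    ("203.0.113.10", "3.2.2.5.5"),        # phone contact with IP address contact
]

if __name__ == "__main__":
    for name, method, cutoff, days in migration_plan(INVENTORY, date(2025, 11, 3)):
        status = "OVERDUE" if days <= 0 else f"{days} days left"
        print(f"{name:20} {method:11} sunset {cutoff}  {status}")
```
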

The path ahead: Preparing for full automation

Although Ballot SC-090 hasn’t yet been formally voted on by the CA/Browser Forum, it already has support from multiple root programs beyond Chrome, making its passage highly likely. The direction is clear: The industry is moving toward fully automated, continuously validated certificate management.

Organizations that begin adapting now will be best positioned to maintain compliance and efficiency as manual validation methods are retired. Ready to get started? Get in touch to learn how DigiCert Trust Lifecycle Manager and its UltraDNS domain validation integration can help enable secure, automated validation at scale.
