Multi-Perspective Issuance Corroboration (aka MPIC) is a process that uses two or more independent global networks to verify domain validation resource data. All Certificate Authorities (CAs) must complete MPIC checks during the domain validation process for SSL and S/MIME email certificates. 

A certificate may not be issued until all required MPIC checks are successful, meaning that every remote perspective can access your DCV resources and gets the same result.

The following scenarios commonly cause MPIC checks to fail:

  • Geo-restricted access to HTTP endpoints
  • Firewalls restricting traffic from specific regions or IP addresses
  • Static firewall rules allowing only known IP addresses
  • Blocked/filtered User-Agent headers
  • DNS responses containing mismatched data in different query locations
  • DNS/file resources are too short-lived or deleted too quickly before validation is done


According to Sectigo, the best practices are to allow global access to your domain validation resources and to retain those DCV resources until after the certificate has been issued. There are no specific IP addresses or network locations given, so you should not restrict HTTP access to known IPs or User-Agent headers.

For more information on MPIC enforcement timelines and impacts, check the Sectigo MPIC FAQ.