by tialaramex 3048 days ago
All new certificates for DNS names in the Web PKI today (and for some time now) must result from the CA having used one of the Ten Blessed Methods to validate the Applicant's control over the name, regardless of who paid how much.

Let's Encrypt offered three of the Ten, but one was discovered to be flawed due to the way some major bulk hosting services are configured, so that leaves two (of Nine, since in practice any implementation of the Tenth Blessed Method is flawed the same way).

Even flawed Blessed Methods are far superior to the checking (basically none) we can reasonably expect from a normal person using a web browser. But still, improvements upon the Blessed Methods are a topic of public discussion; if you think you genuinely have a better way, you should definitely let the CA/B Forum or m.d.s.policy know about it.
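As an added illustration of what one of these validation methods actually checks (this is example code, not part of the comment above and not Let's Encrypt's code), the block below simulates the CA side of an ACME HTTP-01 challenge as specified in RFC 8555 section 8.3: the CA fetches `/.well-known/acme-challenge/<token>` over plain HTTP and accepts the name only if the body equals the key authorization, i.e. the token joined with a dot to the RFC 7638 thumbprint of the applicant's account key. The `fetch` callable, the `make_site` fake origin, and the JWK values are constructed stand-ins; the keys are not real key material.

```python
"""Simulated CA-side ACME HTTP-01 validation (added example, not project code)."""
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and ACME use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required
    public members only (sorted keys, no whitespace). Optional members
    such as 'kid' and the dict's key order must not affect the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account key).
    Binding the thumbprint in ties the proof to one ACME account."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def validate_http01(fetch: Callable[[str], Optional[bytes]], domain: str,
                    token: str, account_jwk: dict) -> bool:
    """The CA's check. `fetch` stands in for the CA's HTTP client (assumed
    helper): it returns the response body, or None if nothing was served."""
    body = fetch(f"http://{domain}{CHALLENGE_PATH}{token}")
    if body is None:
        return False
    try:
        served = body.decode("ascii").strip()
    except UnicodeDecodeError:
        return False
    # Constant-time compare; both sides are ASCII strings.
    return hmac.compare_digest(served, key_authorization(token, account_jwk))


def make_site(files: Dict[str, bytes]) -> Callable[[str], Optional[bytes]]:
    """Fake origin server: a path -> body map behind a fetch() callable."""
    def fetch(url: str) -> Optional[bytes]:
        return files.get(urlsplit(url).path)
    return fetch


# ---- constructed sample data; not real keys or tokens ----
APPLICANT_KEY = {"kid": "acct-1", "kty": "EC", "crv": "P-256",
                 "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
OTHER_ACCOUNT_KEY = {"kty": "EC", "crv": "P-256",
                     "x": "someone-elses-x", "y": "someone-elses-y"}
TOKEN = "constructed-token-0123456789abcdef"


def demo() -> Dict[str, bool]:
    """Three origins: one serving the right proof, one serving a proof for a
    different account, one serving nothing. Only the first should pass."""
    site_ok = make_site({CHALLENGE_PATH + TOKEN:
                         key_authorization(TOKEN, APPLICANT_KEY).encode()})
    site_other = make_site({CHALLENGE_PATH + TOKEN:
                            key_authorization(TOKEN, OTHER_ACCOUNT_KEY).encode()})
    site_empty = make_site({})
    return {
        "correct_proof": validate_http01(site_ok, "example.com", TOKEN, APPLICANT_KEY),
        "other_account": validate_http01(site_other, "example.com", TOKEN, APPLICANT_KEY),
        "nothing_served": validate_http01(site_empty, "example.com", TOKEN, APPLICANT_KEY),
    }


if __name__ == "__main__":
    for case, passed in demo().items():
        print(f"{case}: {'validated' if passed else 'rejected'}")
```

The point the example makes is the one the comment gestures at: the CA is not checking who paid, it is checking that whoever controls the account key can also place a specific, account-bound string at a specific path on the name's web origin. The `other_account` case shows why the thumbprint is part of the proof: a file with the right token but the wrong account's thumbprint is rejected, so a proof placed by one tenant of a shared host does not validate a certificate request from another.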