[discreditable]

It was always DNS. Unless you are getting EV the CAs usually verify ownership via email. Email can go anywhere the current MX record in DNS says it goes.

[LeonM]

This is why for EVs most CAs also do phone validation.

For stuff like Verified Mark Certificates (which is used for BIMI), it goes much further than that. VMCs are like EVs on steroids.

HN crowd can sometimes react very hostile towards having to pay anything at all for certificates, but there are real costs in such validations.