Thanks for the response.
I don’t think https is blocked because I can browse to the website publicly and reach it, just no certificate. This tells me 443 is open.
The 2nd point is working now, but not sure why. The email domain definitely has an MX record, perhaps the server needed a reboot before being able to run Certify, or perhaps enabling all features in IIS enabled some unmentioned prerequisite to make it work?
There should be an instruction page that is a technical walkthrough of how to set up a new server (including IIS config) / website with Certify. That way we can at least have a working starting point.
A new 2012 R2 server with IIS and a basic html page does not work with Certify. There must be prerequisites not being mentioned.