Email from the same domain?
Since it is so trivial to spoof an email, how could they even CONSIDER email from the domain as a "secure" method of validation?
On whois information not being valid, while the whois system has imploded if someone puts false information in whois and gets a certificate with it, it certainly isn't any LESS secure than allowing them to authenticate with a DNS TXT record or place a file on a webserver.
I did notice about a month ago when I went to try to get a certificate for a new domain name that Comodo no longer accepted gmail email addresses as contacts, even though that was how the domain was registered. Since the domain wasn't going to be used for email we hadn't even considered setting up email for it, so I had to jump through some hoops to make dns changes to set up MX records and set it up on a mail server JUST so that we could get the cert - only for us to revert back to no email as soon as the certificate was issued. Not overly complicated, just an extra hurdle on a Friday afternoon for an already rushed job. For the next one after that we just used "Lets Encrypt" and didn't bother going back to Comodo.