CAA Records Explained
What CAA records do, how they prevent unauthorized SSL/TLS certificate issuance, and a step-by-step setup guide for your domain.
CAA (Certificate Authority Authorization) records are one of the simplest and most effective DNS security measures you can deploy. They tell certificate authorities which ones are allowed to issue certificates for your domain — and it takes about two minutes to set up.
Why CAA records matter
Without CAA records, any certificate authority in the world can issue an SSL/TLS certificate for your domain. If an attacker convinces a CA to issue a rogue certificate (through social engineering, domain validation tricks, or compromising the CA), they can impersonate your website.
CAA records limit issuance to only the CAs you explicitly authorize. Since January 2017, all CAs are required to check CAA records before issuing certificates. If your CAA record doesn't list them, they must refuse.
How CAA records work
A CAA record has three parts:
- Flags: Usually 0. If set to 128, the CA must refuse issuance if it doesn't understand the tag.
- Tag: issue (standard certs), issuewild (wildcard certs), or iodef (violation reporting)
- Value: The domain of the authorized CA (e.g., letsencrypt.org, digicert.com)
Setup guide
Step 1: Identify your CAs
Check which certificate authorities have issued certificates for your domain. You can use Certificate Transparency logs to find existing certificates. Common CAs:
- letsencrypt.org — Let's Encrypt (most common for automated certificates)
- digicert.com — DigiCert / GeoTrust / RapidSSL
- sectigo.com — Sectigo (formerly Comodo)
- amazonaws.com — AWS Certificate Manager
- pki.goog — Google Trust Services
- comodoca.com — Comodo CA
Step 2: Create your CAA records
Add one issue record per authorized CA. If you use wildcard certificates, add issuewild records too:
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issue "digicert.com"
example.com. CAA 0 issuewild "letsencrypt.org"
example.com. CAA 0 iodef "mailto:security@example.com"
Step 3: Add violation reporting
The iodef tag tells CAs where to report policy violations. If a CA receives a certificate request that violates your CAA policy, it can notify you at this address:
example.com. CAA 0 iodef "mailto:security@example.com"
Step 4: Test
After adding CAA records, verify that your existing certificate renewal process still works. Try issuing a test certificate from your authorized CA to confirm the records are correct.
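The setup steps above, as an added example that is not part of the original article: a small Python script that writes the Step 2 and Step 3 zone-file lines from a list of CAs, and then performs the Step 4 check by parsing `dig +short <zone> CAA` style output, validating each record's flags, tag and value, and confirming that the CA your renewal process uses is actually listed. The `dig` output embedded at the bottom is constructed, not captured from a live query.

```python
"""Build the CAA records for a zone and verify what DNS actually serves.

Added example, not code from the original article. The `dig +short`
style output at the bottom is constructed, not captured from a live query.
"""
import re

VALID_TAGS = {"issue", "issuewild", "iodef"}
# Issuer domain name as used in issue/issuewild values (an empty issuer,
# i.e. the value ";", is the deny-all form and is accepted separately).
_HOSTNAME = re.compile(r"^([a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def build_records(zone, issue, issuewild=(), report_to=None):
    """Zone-file lines for Steps 2 and 3: one issue line per CA, issuewild
    lines for wildcard CAs, and an iodef line if a report address is given."""
    lines = [f'{zone}. CAA 0 issue "{ca}"' for ca in issue]
    lines += [f'{zone}. CAA 0 issuewild "{ca}"' for ca in issuewild]
    if report_to:
        lines.append(f'{zone}. CAA 0 iodef "{report_to}"')
    return lines


def parse_short(line):
    """Parse one line of `dig +short <zone> CAA` output: <flags> <tag> "<value>"."""
    m = re.fullmatch(r'(\d+)\s+(\S+)\s+"(.*)"', line.strip())
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3)


def check_record(flags, tag, value):
    """Return the problems found in one record (an empty list means it is well formed)."""
    problems = []
    if flags not in (0, 128):
        problems.append(f"flags {flags}: only 0 and 128 are defined")
    if tag not in VALID_TAGS:
        problems.append(f"unknown tag {tag!r}")
    elif tag in ("issue", "issuewild"):
        # Value is "<issuer-domain>[; param=value ...]"; ";" alone means deny all.
        issuer = value.split(";", 1)[0].strip()
        if issuer and not _HOSTNAME.match(issuer):
            problems.append(f"issuer {issuer!r} is not a domain name")
    elif not re.match(r"^(mailto:|https?://)", value, re.I):
        problems.append(f"iodef value {value!r} must be a mailto: or http(s) URL")
    return problems


def verify_policy(short_output, renewal_cas):
    """Step 4 check: every served record is well formed, the CAs your renewal
    process uses are authorised for normal certificates, and reporting is on."""
    records = [parse_short(l) for l in short_output.splitlines() if l.strip()]
    allowed = {v.split(";", 1)[0].strip().lower() for _, t, v in records if t == "issue"}
    return {
        "problems": [p for r in records for p in check_record(*r)],
        "missing_cas": sorted({ca.lower() for ca in renewal_cas} - allowed),
        "has_iodef": any(t == "iodef" for _, t, _ in records),
    }


# Constructed sample of what `dig +short example.com CAA` could print for
# the records from Step 2 (not real query output).
SAMPLE_DIG = """0 issue "letsencrypt.org"
0 issue "digicert.com"
0 issuewild "letsencrypt.org"
0 iodef "mailto:security@example.com"
"""

if __name__ == "__main__":
    print("\n".join(build_records("example.com", ["letsencrypt.org", "digicert.com"],
                                  issuewild=["letsencrypt.org"],
                                  report_to="mailto:security@example.com")))
    print(verify_policy(SAMPLE_DIG, ["letsencrypt.org"]))
```

A typo in an issuer value (for example `letsencrpyt.org`) is syntactically valid and will silently break renewals, which is why `verify_policy` compares the served records against the CAs you actually renew with rather than only checking syntax.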
Edge cases
- Subdomain inheritance: CAA records are inherited by subdomains unless overridden. A CAA record on example.com applies to www.example.com unless www has its own CAA records.
- CNAME domains: If a subdomain has a CNAME, the CA follows the CNAME and checks the target domain's CAA records. This can be confusing — document your CNAME targets.
- Empty CAA records: example.com. CAA 0 issue ";" blocks ALL certificate issuance. Use this for domains that should never have certificates.
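To make the record semantics from "How CAA records work" and the three edge cases above concrete, here is an added Python model of the CAA lookup and issuance decision as RFC 8659 describes it (example code, not from the original article). The zone data is constructed in memory so the script runs offline; `query_caa` is the function a real checker would replace with a DNS query, for example dnspython's `dns.resolver.resolve(name, "CAA")`. The zone includes a subdomain that inherits, a CNAME to another zone, a deny-all `issue ";"` record, and a critical-flag record with an unknown tag.

```python
"""CAA lookup and issuance decision modelled on the RFC 8659 algorithm.

Added example, not code from the original article. The zone data is
constructed in memory so the script runs offline; `query_caa` is the
function you would replace with a real DNS query in production.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # 0, or 128 for "issuer critical"
    tag: str     # issue / issuewild / iodef
    value: str   # CA domain (optionally "; param=value"), ";" alone = deny all


KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone: owner name -> {"CAA": [...]} and/or {"CNAME": target}.
ZONE = {
    "example.com.": {"CAA": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issue", "digicert.com"),
        CAA(0, "issuewild", "letsencrypt.org"),
        CAA(0, "iodef", "mailto:security@example.com"),
    ]},
    # www.example.com. has no CAA of its own, so it inherits example.com.'s
    "blog.example.com.": {"CNAME": "pages.hosting.example."},
    "pages.hosting.example.": {"CAA": [CAA(0, "issue", "sectigo.com")]},
    "parked.example.com.": {"CAA": [CAA(0, "issue", ";")]},
    "legacy.example.com.": {"CAA": [CAA(128, "futuretag", "whatever")]},
}


def query_caa(name: str) -> list[CAA]:
    """One CAA query for `name`, chasing CNAMEs the way a resolver does."""
    seen = set()
    while name in ZONE and "CNAME" in ZONE[name] and name not in seen:
        seen.add(name)
        name = ZONE[name]["CNAME"]
    return list(ZONE.get(name, {}).get("CAA", []))


def relevant_caa_set(fqdn: str) -> list[CAA]:
    """RFC 8659 section 3: query the name, then each parent in turn, and
    return the first non-empty CAA RRset (this is the subdomain inheritance)."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = query_caa(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []


def may_issue(fqdn: str, ca: str) -> bool:
    """Would a CA identified by `ca` be allowed to issue for `fqdn`?
    A leading "*." marks a wildcard request, which is checked against the
    parent name with issuewild taking precedence over issue."""
    wildcard = fqdn.startswith("*.")
    if wildcard:
        fqdn = fqdn[2:]
    rrset = relevant_caa_set(fqdn)
    # Critical flag on a tag the CA does not understand: must not issue.
    if any(r.flags & 128 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"
    relevant = [r for r in rrset if r.tag.lower() == tag]
    if not relevant:
        return True  # no issue/issuewild property: CAA does not restrict this request
    allowed = {r.value.split(";", 1)[0].strip().lower() for r in relevant}
    return ca.lower() in allowed  # ";" alone yields "" and so matches no CA


if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"), ("*.example.com", "digicert.com"),
                     ("blog.example.com", "letsencrypt.org"), ("parked.example.com", "digicert.com")]:
        print(f"{ca:16} -> {name:20} {'allowed' if may_issue(name, ca) else 'REFUSED'}")
```

Two details worth noticing: the parent walk climbs the original name's parents (not the CNAME target's), so a CNAME only substitutes the exact-name lookup; and a name with no CAA anywhere up the tree is unrestricted, which is the state every domain is in before you add records.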
Monitoring
CAA records are only checked at issuance time. You should also monitor Certificate Transparency logs for unexpected certificates issued for your domain, regardless of your CAA configuration.
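As an added example of the monitoring this paragraph recommends (not code from the original article), the script below audits a batch of Certificate Transparency entries against the CAA policy from Step 2. The entry shape, the issuer-organisation mapping and the hostname inventory are all constructed for illustration; a real monitor would fill them from a CT log feed and from your own CA and asset records.

```python
"""Flag Certificate Transparency entries that disagree with the CAA policy.

Added example, not code from the original article. The CT entries, the
issuer-organisation mapping and the inventory are constructed; a real
monitor would feed in entries from a CT log or a CT search service.
"""

# CAA issuer-domain-name -> organisation names that CA writes into the
# certificate Issuer field. Constructed mapping; confirm against your CAs.
ISSUER_ORGS = {
    "letsencrypt.org": {"Let's Encrypt"},
    "digicert.com": {"DigiCert Inc"},
}

# The policy published in Step 2.
POLICY = {
    "issue": {"letsencrypt.org", "digicert.com"},
    "issuewild": {"letsencrypt.org"},
}

# Hostnames you know you operate; any other name in a certificate is suspect.
INVENTORY = {"example.com", "www.example.com", "api.example.com"}

# Constructed CT entries (shape assumed by this script, not any log's real schema).
CT_ENTRIES = [
    {"serial": "01", "issuer_org": "Let's Encrypt", "names": ["example.com", "www.example.com"]},
    {"serial": "01", "issuer_org": "Let's Encrypt", "names": ["example.com", "www.example.com"]},  # precert + leaf
    {"serial": "02", "issuer_org": "DigiCert Inc", "names": ["api.example.com"]},
    {"serial": "03", "issuer_org": "Unlisted CA Ltd", "names": ["login.example.com"]},
    {"serial": "04", "issuer_org": "DigiCert Inc", "names": ["*.example.com"]},
]


def ca_for_issuer(issuer_org):
    """Map an Issuer organisation back to its CAA issuer-domain-name, or None."""
    for ca, orgs in ISSUER_ORGS.items():
        if issuer_org in orgs:
            return ca
    return None


def audit(entries, policy=POLICY, inventory=INVENTORY):
    """Return one (serial, name, reason) finding for each name in a certificate
    that the CAA policy should have prevented, or that you do not operate."""
    findings = []
    seen = set()
    for e in entries:
        key = (e["issuer_org"], e["serial"])
        if key in seen:
            continue  # the precertificate and final certificate share a serial
        seen.add(key)
        ca = ca_for_issuer(e["issuer_org"])
        for name in e["names"]:
            wildcard = name.startswith("*.")
            # issuewild governs wildcard names when present, otherwise issue does
            tag = "issuewild" if wildcard and policy["issuewild"] else "issue"
            if ca not in policy[tag]:
                findings.append((e["serial"], name, f"{e['issuer_org']} not authorised by {tag}"))
            elif not wildcard and name not in inventory:
                findings.append((e["serial"], name, "name not in inventory"))
    return findings


if __name__ == "__main__":
    for serial, name, reason in audit(CT_ENTRIES):
        print(f"serial {serial}: {name}: {reason}")
```

A hit from an unlisted issuer is the case the article warns about: either the CA did not honour your CAA records, the records were not in place when the certificate was issued, or someone changed them. Both outcomes are invisible to CAA itself, which is why CT monitoring runs alongside it.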