CAA record check.
Check your CAA records to verify which certificate authorities are allowed to issue SSL/TLS certificates for your domain.
What are CAA records?
CAA (Certificate Authority Authorization) records let you specify which certificate authorities (CAs) are permitted to issue certificates for your domain. If a CA receives a certificate request for your domain and your CAA record doesn't list that CA, it must refuse to issue.
How it works
CAA records are DNS records with three parts: flags (usually 0), tag (issue, issuewild, or iodef), and value (the CA domain). For example, 0 issue "letsencrypt.org" allows only Let's Encrypt to issue certificates.
Why it matters
Without CAA records, any CA in the world can issue a certificate for your domain. If an attacker tricks a CA into issuing a rogue certificate, they can impersonate your website. CAA records reduce this risk by limiting issuance to CAs you trust.
The three tags
issue — allows a CA to issue standard certificates
issuewild — allows a CA to issue wildcard certificates
iodef — specifies where to report policy violations (email or URL)
Example CAA records
Allow only Let's Encrypt
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issuewild "letsencrypt.org"
Allow Let's Encrypt + Digicert, with violation reporting
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issue "digicert.com"
example.com. CAA 0 iodef "mailto:security@example.com"
Block all certificate issuance
example.com. CAA 0 issue ";"
Useful for domains that should never have certificates (internal-only, parked domains).
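To make the lookup and tag rules concrete, here is an added example (not part of the DNS Doctors tool) that evaluates the records above the way an issuing CA does under RFC 8659: it parses presentation-format CAA rdata, climbs from the requested name toward the apex until it finds a CAA RRset, lets issuewild take precedence over issue for wildcard requests, treats ";" as "no issuer", and refuses issuance when an unrecognised tag carries the critical flag (128). The zone contents, the owner names (api.example.com, parked.example.com, legacy.example.com) and the CA names are constructed sample data.

```python
"""CAA issuance evaluation (added example; constructed sample zone below)."""
from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL_FLAG = 0x80  # bit 7 of the flags octet


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(rdata: str) -> CAARecord:
    """Parse presentation-format rdata such as 0 issue "letsencrypt.org"."""
    flags_str, tag, value = rdata.split(None, 2)
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return CAARecord(int(flags_str), tag.lower(), value)


# Constructed zone data: owner name -> CAA rdata in presentation format.
ZONE = {
    "example.com.": [
        '0 issue "letsencrypt.org"',
        '0 issue "digicert.com"',
        '0 iodef "mailto:security@example.com"',
    ],
    "api.example.com.": ['0 issue "letsencrypt.org"', '0 issuewild ";"'],
    "parked.example.com.": ['0 issue ";"'],
    "legacy.example.com.": ['128 futuretag "x"'],  # hypothetical unknown critical tag
}


def find_caa_rrset(name: str, zone: dict) -> list:
    """Return the CAA RRset of the closest ancestor-or-self (RFC 8659 section 3)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zone:
            return [parse_caa(r) for r in zone[candidate]]
    return []


def ca_domain_of(value: str) -> str:
    """An issue value may carry parameters after ';' (e.g. validationmethods)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca_domain: str, requested_name: str, zone: dict) -> bool:
    """Decide whether ca_domain may issue for requested_name under the zone's CAA policy."""
    wildcard = requested_name.startswith("*.")
    lookup_name = requested_name[2:] if wildcard else requested_name
    rrset = find_caa_rrset(lookup_name, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: any CA may issue
    # An unrecognised tag with the critical flag set means the issuer must refuse.
    if any(r.flags & CRITICAL_FLAG and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    # issuewild governs wildcard requests only when at least one is present;
    # otherwise issue records apply to wildcards as well.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    relevant = [r for r in rrset if r.tag == tag]
    if not relevant:
        return True  # only iodef (or similar) present: issuance is unrestricted
    allowed = {ca_domain_of(r.value) for r in relevant}
    allowed.discard("")  # ";" parses to an empty issuer, i.e. nobody
    return ca_domain.lower() in allowed


def violation_contacts(name: str, zone: dict) -> list:
    """Where a CA should report a request that CAA forbade (iodef values)."""
    return [r.value for r in find_caa_rrset(name, zone) if r.tag == "iodef"]


if __name__ == "__main__":
    for ca, host in [("letsencrypt.org", "www.example.com"),
                     ("globalsign.com", "www.example.com"),
                     ("letsencrypt.org", "*.api.example.com"),
                     ("letsencrypt.org", "parked.example.com")]:
        print(f"{ca:>16} -> {host:<22} {'allowed' if may_issue(ca, host, ZONE) else 'refused'}")
    print("report to:", violation_contacts("www.example.com", ZONE))
```

Note that the CAA check is performed by the CA at the moment of issuance only: it does not revoke certificates issued before the record was published, and TLS clients never consult it. That is why publishing CAA records pairs naturally with monitoring Certificate Transparency logs for certificates that appear outside your authorized CAs.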
Monitor certificate issuance
DNS Doctors monitors CAA records and alerts you when they change or when certificates are issued outside your authorized CAs.