Skip to content
← All articles

CAA DNS Record: Control Which CAs Issue Your SSL

A CAA (Certification Authority Authorization) record is a DNS record that declares which certificate authorities (CAs) are allowed to issue SSL/TLS certificates for your domain. When a CAA record exists, every CA must check it before issuing and must refuse if it is not listed. It is a guardrail against mistaken or fraudulent certificate issuance.

This guide covers what CAA does, the issue, issuewild and iodef tag syntax, ready-made examples for Let's Encrypt and commercial CAs, why the check is mandatory, and how to verify your record.

What a CAA record is and why you need it

CAA is defined in RFC 8659. Since September 2017, checking CAA has been mandatory for all public CAs under the CA/Browser Forum rules. Without a CAA record, any CA may issue a certificate for your domain; with one, issuance is limited to the list you control.

In practice: if an attacker or a misconfigured process tries to obtain a certificate from an unlisted CA, that CA sees your CAA and refuses. The iodef tag also lets you receive reports about such attempts.

CAA syntax: issue, issuewild, iodef

A record has a flag (usually 0), a tag and a value. The three core tags:

TagPurposeExample value
issueWhich CA may issue standard certificatesletsencrypt.org
issuewildWhich CA may issue wildcard certificates (*.example.com)digicert.com
iodefWhere to report policy violations (email/URL)mailto:security@example.com

CAA record examples

Allow issuance only via Let's Encrypt and send reports to an inbox:

example.com.  IN  CAA 0 issue "letsencrypt.org"
example.com.  IN  CAA 0 iodef "mailto:security@example.com"

Allow standard certs via Let's Encrypt but wildcards only via DigiCert:

example.com.  IN  CAA 0 issue "letsencrypt.org"
example.com.  IN  CAA 0 issuewild "digicert.com"

Forbid any issuance at all (empty issue value):

example.com.  IN  CAA 0 issue ";"

How to check a domain's CAA record

With dig:

dig CAA example.com +short

An empty answer means no CAA is set and any CA may issue. Check all DNS records including CAA with enterno.io's free DNS lookup tool, and validate the certificate itself with the SSL certificate checker.

Common mistakes

  • CAA at the wrong level. The record is looked up from the exact name upward; www.example.com inherits the CAA on example.com if it has none of its own.
  • Forgetting issuewild. With only issue, wildcards use it too; but once you set issuewild, it fully replaces issue for wildcard certs.
  • Wrong CA identifier. The value must match the CA's identifier exactly (e.g. letsencrypt.org, not Let's Encrypt).

Frequently Asked Questions

Is a CAA record required?

No, CAA is not mandatory, but it is strongly recommended. Without it, any public CA may issue a certificate for your domain. With CAA you explicitly limit the set of trusted authorities, reducing the risk of unauthorized issuance.

Does CAA slow down issuance?

Practically no. The CA performs one extra CAA DNS Lookup before issuing. That is a fraction of a second and does not affect how quickly you get a certificate via ACME or manual issuance.

What happens when I switch CAs?

Before moving to a new authority, add it to the issue tag (and issuewild if needed). Otherwise the new CA will be refused at the CAA check and cannot issue your certificate.

Do all DNS providers support CAA?

Most modern DNS hosts support the CAA type. If yours does not, move to a DNS provider that does — otherwise you cannot set an issuance policy at all.

How do I get violation alerts?

Add an iodef tag with a mailto: or https:// value. When issuance is attempted against your policy, a supporting CA sends a report to that address. iodef support depends on the specific authority.

Check your website right now

Check your site's DNS →
More articles: DNS
DNS
DNS Leak: What It Is, How to Test and Fix
15.04.2026 · 215 views
DNS
DNS_PROBE_FINISHED_NXDOMAIN Fix
23.06.2026 · 79 views
DNS
Wildcard DNS Records: Use Cases and Pitfalls
15.04.2026 · 287 views
DNS
DNS TTL Guide: Optimal Values for Every Record Type
16.03.2026 · 320 views