A CAA (Certification Authority Authorization) record is a DNS record that declares which certificate authorities (CAs) are allowed to issue SSL/TLS certificates for your domain. When a CAA record exists, every CA must check it before issuing and must refuse if it is not listed. It is a guardrail against mistaken or fraudulent certificate issuance.
This guide covers what CAA does, the issue, issuewild and iodef tag syntax, ready-made examples for Let's Encrypt and commercial CAs, why the check is mandatory, and how to verify your record.
What a CAA record is and why you need it
CAA is defined in RFC 8659. Since September 2017, checking CAA has been mandatory for all public CAs under the CA/Browser Forum rules. Without a CAA record, any CA may issue a certificate for your domain; with one, issuance is limited to the list you control.
In practice: if an attacker or a misconfigured process tries to obtain a certificate from an unlisted CA, that CA sees your CAA and refuses. The iodef tag also lets you receive reports about such attempts.
CAA syntax: issue, issuewild, iodef
A record has a flag (usually 0), a tag and a value. The three core tags:
| Tag | Purpose | Example value |
|---|---|---|
issue | Which CA may issue standard certificates | letsencrypt.org |
issuewild | Which CA may issue wildcard certificates (*.example.com) | digicert.com |
iodef | Where to report policy violations (email/URL) | mailto:security@example.com |
CAA record examples
Allow issuance only via Let's Encrypt and send reports to an inbox:
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 iodef "mailto:security@example.com"Allow standard certs via Let's Encrypt but wildcards only via DigiCert:
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issuewild "digicert.com"Forbid any issuance at all (empty issue value):
example.com. IN CAA 0 issue ";"How to check a domain's CAA record
With dig:
dig CAA example.com +shortAn empty answer means no CAA is set and any CA may issue. Check all DNS records including CAA with enterno.io's free DNS lookup tool, and validate the certificate itself with the SSL certificate checker.
Common mistakes
- CAA at the wrong level. The record is looked up from the exact name upward;
www.example.cominherits the CAA onexample.comif it has none of its own. - Forgetting issuewild. With only
issue, wildcards use it too; but once you setissuewild, it fully replacesissuefor wildcard certs. - Wrong CA identifier. The value must match the CA's identifier exactly (e.g.
letsencrypt.org, notLet's Encrypt).
Frequently Asked Questions
Is a CAA record required?
No, CAA is not mandatory, but it is strongly recommended. Without it, any public CA may issue a certificate for your domain. With CAA you explicitly limit the set of trusted authorities, reducing the risk of unauthorized issuance.
Does CAA slow down issuance?
Practically no. The CA performs one extra CAA DNS Lookup before issuing. That is a fraction of a second and does not affect how quickly you get a certificate via ACME or manual issuance.
What happens when I switch CAs?
Before moving to a new authority, add it to the issue tag (and issuewild if needed). Otherwise the new CA will be refused at the CAA check and cannot issue your certificate.
Do all DNS providers support CAA?
Most modern DNS hosts support the CAA type. If yours does not, move to a DNS provider that does — otherwise you cannot set an issuance policy at all.
How do I get violation alerts?
Add an iodef tag with a mailto: or https:// value. When issuance is attempted against your policy, a supporting CA sends a report to that address. iodef support depends on the specific authority.