Skip to content
Pricing RU Sign In
RU

CAA record: Definition and Use Cases

By · Updated
TL;DR:

CAA (Certificate Authority Authorization) is a DNS record specifying which CAs may issue SSL certificates for a domain. Prevents mis-issuance. Since 2017, CAs are required to check CAA before issuance. Syntax: example.com. 300 IN CAA 0 issue "letsencrypt.org".

Try it now — free →

What is CAA record

CAA (Certificate Authority Authorization) is a DNS record specifying which CAs may issue SSL certificates for a domain. Prevents mis-issuance. Since 2017, CAs are required to check CAA before issuance. Syntax: example.com. 300 IN CAA 0 issue "letsencrypt.org".

Related guides

A / AAAAIPv4 and IPv6 host addresses
MX RecordsDomain mail servers
TXT / SPFVerification & anti-spoofing
NS / SOAName servers & zone authority

Why teams trust us

12
DNS record types
SPF+DKIM
email protection
<1s
DNS response
3
check regions

How it works

1

Enter domain

2

Select record type

3

Get DNS response

What are DNS Records?

DNS (Domain Name System) translates domain names into IP addresses. DNS records are instructions that define where to route traffic, email, and how to verify domainownership.

Complete Lookup

Query all record types — A, AAAA, MX, NS, TXT, CNAME, SOA — in a single request.

Instant Results

Direct queries to authoritative servers. Results in milliseconds, no caching.

Security Checks

SPF, DKIM, and DMARC analysis to evaluate email protection against spoofing and phishing.

Export & History

Save check results. Compare DNS records before and after registrar changes.

Who uses this

DevOps

DNS check after deploy

Email marketers

SPF/DKIM/DMARC audit

SEO

DNS config audit

Sysadmins

DNS zone control

Common Mistakes

Missing SPF recordWithout SPF, emails may land in spam. Add a v=spf1 TXT record.
Single NS serverIf the only NS fails, the domain becomes unreachable. Use at least 2 NS servers.
CNAME conflicting with other recordsCNAME cannot coexist with MX or TXT on the same name — this violates RFC.
TTL set too highWith 86400s TTL, DNS changes take a full day. Lower TTL to 300 before migrations.
Missing PTR recordMail servers check PTR. Without it, emails may be rejected.

Best Practices

Set up SPF + DKIM + DMARCThe trio of records that protects your email from spoofing and improves deliverability.
Use 2+ NS serversDistribute NS servers across different networks for redundancy.
Lower TTL before migrationSet TTL to 300 at least 24-48 hours before an IP change for fast propagation.
Verify DNS after changesAfter updating records, confirm changes propagated correctly and no errors remain.
Add a CAA recordCAA restricts which Certificate Authorities can issue SSL certificates for your domain.

Get more with a free account

DNS check history, API keys and DNS change monitoring.

Sign up free

Related tools

SSL CheckWHOISPing & PortsSecurity Check

Learn more

How-to

Glossary

Research

Alternatives

Frequently Asked Questions

Do I need CAA record?

If you work with web infrastructure — yes. See description above.

Start monitoring for free

Sign up and get access to API, monitoring and notifications

Create Account API Documentation