Skip to content

CAA record: Definition and Use Cases

TL;DR:

CAA (Certificate Authority Authorization) is a DNS record specifying which CAs may issue SSL certificates for a domain. Prevents mis-issuance. Since 2017, CAs are required to check CAA before issuance. Syntax: example.com. 300 IN CAA 0 issue "letsencrypt.org".

Check your domain's DNS →

What is CAA record

CAA (Certificate Authority Authorization) is a DNS record specifying which CAs may issue SSL certificates for a domain. Prevents mis-issuance. Since 2017, CAs are required to check CAA before issuance. Syntax: example.com. 300 IN CAA 0 issue "letsencrypt.org".

How to Create and Manage CAA Records

Creating and managing CAA records is a straightforward process that involves editing your domain's DNS settings. Below are the steps to set up a CAA record:

  1. Access Your DNS Management Console: Log in to your domain registrar or DNS hosting provider's control panel.
  2. Locate the DNS Settings: Find the section for DNS management or DNS records.
  3. Add a New Record: Choose to add a new record and select 'CAA' as the type.
  4. Specify the CAA Parameters: Input the parameters, which typically include:
  • Flags: Use '0' for non-critical flags or '128' for critical flags.
  • Tag: Use 'issue' to specify a CA that can issue certificates, or 'issuewild' for wildcard certificates.
  • Value: Specify the CA's domain name (e.g., letsencrypt.org).

For example, to allow only Let's Encrypt to issue certificates for your domain, you would create the following CAA record:

example.com. 300 IN CAA 0 issue "letsencrypt.org"

Repeat this process for each CA you wish to authorize. Remember that if you do not set a CAA record, any CA can issue certificates for your domain, potentially leading to security risks.

Understanding CAA Record Flags and Tags

CAA records consist of three main components: flags, tags, and values. Understanding these components is crucial for effectively managing SSL certificate issuance for your domain.

Flags

The flag determines the criticality of the CAA record:

  • 0: Non-critical – If a CA encounters a non-critical flag and does not recognize it, they may still proceed with certificate issuance.
  • 128: Critical – If a CA encounters a critical flag it does not recognize, it must reject the certificate request.

Tags

Tags specify the type of authorization you are granting:

  • issue: Indicates that a specific CA is authorized to issue certificates for the domain.
  • issuewild: Authorizes a CA to issue wildcard certificates for the domain.
  • iodef: Specifies a URL to which certificate mis-issuance reports should be sent.

For example, if you want to issue a wildcard certificate only through Let's Encrypt, your CAA record would look like this:

example.com. 300 IN CAA 0 issuewild "letsencrypt.org"

Understanding these flags and tags allows domain owners to fine-tune their security posture regarding SSL certificate issuance.

Common Misconfigurations and Troubleshooting CAA Records

When configuring CAA records, misconfigurations can lead to issues in SSL certificate issuance. Here are some common problems and troubleshooting tips:

1. Missing CAA Records

If you do not have any CAA records set up, any Certificate Authority can issue certificates for your domain. This can expose your domain to potential misuse. Ensure that you have at least one CAA record in place.

2. Incorrect Flags or Tags

Using the wrong flag can lead to unexpected behavior. For instance, setting a flag to '128' without specifying the correct CA may prevent all CAs from issuing certificates. Always verify that your flags align with your intended security policies.

3. Syntax Errors

DNS records are sensitive to syntax. Ensure that you use the correct format, including quotation marks around CA names. An example of a correctly formatted CAA record is:

example.com. 300 IN CAA 0 issue "letsencrypt.org"

4. Propagation Delays

After making changes to your CAA records, it may take some time for those changes to propagate across the internet. Be patient and verify the changes using DNS lookup tools.

5. Testing CAA Records

You can use command-line tools like dig to check your CAA records:

dig example.com CAA

By understanding these common pitfalls and how to troubleshoot them, you can ensure that your CAA records effectively protect your domain's SSL certificate issuance.

A / AAAAIPv4 and IPv6 host addresses
MX RecordsDomain mail servers
TXT / SPFVerification & anti-spoofing
NS / SOAName servers & zone authority

Why teams trust us

12
DNS record types
SPF+DKIM
email protection
<1s
DNS response
3
check regions

How it works

1

Enter domain

2

Select record type

3

Get DNS response

What are DNS Records?

DNS (Domain Name System) translates domain names into IP addresses. DNS records are instructions that define where to route traffic, email, and how to verify domainownership.

Complete Lookup

Query all record types — A, AAAA, MX, NS, TXT, CNAME, SOA — in a single request.

Instant Results

Direct queries to authoritative servers. Results in milliseconds, no caching.

Security Checks

SPF, DKIM, and DMARC analysis to evaluate email protection against spoofing and phishing.

Export & History

Save check results. Compare DNS records before and after registrar changes.

Who uses this

DevOps

DNS check after deploy

Email marketers

SPF/DKIM/DMARC audit

SEO

DNS config audit

Sysadmins

DNS zone control

Common Mistakes

Missing SPF recordWithout SPF, emails may land in spam. Add a v=spf1 TXT record.
Single NS serverIf the only NS fails, the domain becomes unreachable. Use at least 2 NS servers.
CNAME conflicting with other recordsCNAME cannot coexist with MX or TXT on the same name — this violates RFC.
TTL set too highWith 86400s TTL, DNS changes take a full day. Lower TTL to 300 before migrations.
Missing PTR recordMail servers check PTR. Without it, emails may be rejected.

Best Practices

Set up SPF + DKIM + DMARCThe trio of records that protects your email from spoofing and improves deliverability.
Use 2+ NS serversDistribute NS servers across different networks for redundancy.
Lower TTL before migrationSet TTL to 300 at least 24-48 hours before an IP change for fast propagation.
Verify DNS after changesAfter updating records, confirm changes propagated correctly and no errors remain.
Add a CAA recordCAA restricts which Certificate Authorities can issue SSL certificates for your domain.

Get more with a free account

DNS check history, API keys and DNS change monitoring.

Sign up free

Learn more

Frequently Asked Questions

Do I need CAA record?

If you work with web infrastructure — yes. See description above.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.