CAA Records 2026: Adoption Benchmark
CAA (Certificate Authority Authorization, RFC 6844) is a DNS record specifying which CAs may issue certs for your domain. Enterno.io checked top-5k .ru domains (March 2026): only **14%** use CAA (vs 32% in global top-1M). Reason: most RU registrars lack CAA editing UI. CA leaders inside CAA records: Let's Encrypt 48%, DigiCert 18%, Sectigo 14%.
Below: key findings, platform breakdown, implications, methodology, FAQ.
Key Findings
| Metric | Pass / Value | Median | p75 |
|---|---|---|---|
| Domains with a CAA record | 14% | — | — |
| CAA with iodef (incident email) | 7% | — | — |
| CAA with accounturi (CA account binding) | 2% | — | — |
| Let's Encrypt in CAA | 48% | — | — |
| DigiCert in CAA | 18% | — | — |
| Sectigo in CAA | 14% | — | — |
| GlobalSign in CAA | 8% | — | — |
| Misconfigured CAA (blocks valid renewal) | 0.3% | — | — |
Breakdown by Platform
| Platform | Share | Detail | — |
|---|---|---|---|
| REG.RU DNS | 28% market | CAA support: Yes (UI since 2024) | — |
| Cloudflare DNS | 14% | CAA support: Yes (UI) | — |
| Timeweb DNS | 11% | CAA support: No UI (2026) | — |
| Beget DNS | 9% | CAA support: No UI | — |
| Yandex Cloud DNS | 7% | CAA support: Yes | — |
| Self-hosted BIND/PowerDNS | 4% | CAA support: Full | — |
Why It Matters
- CAA protects against mis-issuance: if an attacker compromises DNS without CAA, they can get a cert from any CA
- Chrome/Firefox don't check CAA (that's the CA's job at issuance), so CAA doesn't break existing clients
- Let's Encrypt checks CAA on every renewal — a bad record can break auto-renew
- iodef= email lets the CA notify the owner about mis-issuance attempts
- CAA doesn't replace DNSSEC — they are complementary (DNSSEC protects the DNS answer, CAA sets policy for CAs)
Methodology
Top-5000 .ru domains by SimilarWeb ranking. DNS CAA queries via 1.1.1.1 and 8.8.8.8 (March 2026). CAA parser extracted issue= and iodef=. Registrar identified via WHOIS.
Why teams trust us
How it works
Enter domain
Select record type
Get DNS response
What are DNS Records?
DNS (Domain Name System) translates domain names into IP addresses. DNS records are instructions that define where to route traffic, email, and how to verify domainownership.
Complete Lookup
Query all record types — A, AAAA, MX, NS, TXT, CNAME, SOA — in a single request.
Instant Results
Direct queries to authoritative servers. Results in milliseconds, no caching.
Security Checks
SPF, DKIM, and DMARC analysis to evaluate email protection against spoofing and phishing.
Export & History
Save check results. Compare DNS records before and after registrar changes.
Who uses this
DevOps
DNS check after deploy
Email marketers
SPF/DKIM/DMARC audit
SEO
DNS config audit
Sysadmins
DNS zone control
Common Mistakes
v=spf1 TXT record.Best Practices
Get more with a free account
DNS check history, API keys and DNS change monitoring.
Sign up freeLearn more
How-to
Frequently Asked Questions
Is CAA required?
No, not required but recommended. Without CAA any CA can issue a cert for your domain (given successful domain validation).
How do I add a CAA record?
In DNS zone: <code>example.com. IN CAA 0 issue "letsencrypt.org"</code>. Wildcard: <code>0 issuewild "letsencrypt.org"</code>.
What if CAA blocks a legitimate CA?
Clear cache on CA accounts + add CAA for the new CA. Propagation is usually 1-24 hours.
How to check my CAA?
<a href="/en/dns">Enterno DNS</a> → type CAA. Or <code>dig CAA example.com</code>.