The measured data reveals several key findings: Domains with a CAA record have a pass value of 14%; CAA records that include iodef (incident email) have a pass value of 7%; CAA records with accounturi (CA account binding) show a pass value of 2%; Let's Encrypt in CAA has a pass value of 48%; and DigiCert in CAA has a pass value of 18%. Full tables are provided below on this page.
Below: key findings, platform breakdown, implications, methodology, FAQ.
Free online tool — DNS lookup tool: instant results, no signup.
| Metric | Pass / Value | Median | p75 |
|---|---|---|---|
| Domains with a CAA record | 14% | — | — |
| CAA with iodef (incident email) | 7% | — | — |
| CAA with accounturi (CA account binding) | 2% | — | — |
| Let's Encrypt in CAA | 48% | — | — |
| DigiCert in CAA | 18% | — | — |
| Sectigo in CAA | 14% | — | — |
| GlobalSign in CAA | 8% | — | — |
| Misconfigured CAA (blocks valid renewal) | 0.3% | — | — |
| Platform | Share | Detail | — |
|---|---|---|---|
| REG.RU DNS | 28% market | CAA support: Yes (UI since 2024) | — |
| Cloudflare DNS | 14% | CAA support: Yes (UI) | — |
| Timeweb DNS | 11% | CAA support: No UI (2026) | — |
| Beget DNS | 9% | CAA support: No UI | — |
| Yandex Cloud DNS | 7% | CAA support: Yes | — |
| Self-hosted BIND/PowerDNS | 4% | CAA support: Full | — |
Top-5000 .ru domains by SimilarWeb ranking. DNS CAA queries via 1.1.1.1 and 8.8.8.8 (March 2026). CAA parser extracted issue= and iodef=. Registrar identified via WHOIS.
CAA (Certification Authority Authorization) record adoption is currently at 14% among top domains, reflecting a growing awareness of security compliance and industry standards. Organizations are encouraged to implement CAA records to specify which Certificate Authorities are permitted to issue SSL/TLS certificates for their domains. This proactive measure mitigates risks associated with mis-issuance and enhances overall web security.
CAA records are a pivotal component in the domain name system (DNS) that help prevent unauthorized certificate issuance. By specifying which Certificate Authorities (CAs) are allowed to issue certificates for a domain, CAA records significantly reduce the risk of mis-issuance, a vulnerability that has led to numerous security breaches in the past. The adoption of CAA records has gained momentum, with a notable percentage of domains now implementing them, reflecting the growing emphasis on security in web infrastructure.
The implementation process for CAA records is straightforward. A domain owner adds a CAA record to their DNS settings, which can be done using various DNS management tools or command-line interfaces. The record structure is defined as follows:
example.com. IN CAA 0 issue "letsencrypt.org"This command indicates that only the Let's Encrypt CA is authorized to issue certificates for the domain example.com. The format of a CAA record includes:
issue, issuewild, and iodef.To further illustrate, if an organization wishes to authorize multiple CAs, they can add multiple CAA records:
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issue "digicert.com"This setup allows both Let's Encrypt and DigiCert to issue certificates for example.com. It is crucial to ensure that these records are correctly configured to avoid service interruptions or security vulnerabilities.
The rise of CAA record adoption is largely influenced by regulatory frameworks and industry standards. For instance, the CA/Browser Forum mandates CAA records for certain types of certificates, which has prompted compliance among domain owners. Current data indicates that 14% of domains have implemented CAA records, with a notable presence of Let's Encrypt, which accounts for 48% of CAA records. This trend reflects a growing awareness of security practices among domain owners.
In the U.S. and EU, regulatory bodies have emphasized the importance of web security, further pushing organizations to adopt CAA records as part of their security posture. Failure to implement these records can result in increased risks of certificate mis-issuance, leading to potential phishing attacks or unauthorized access to sensitive data.
As we move towards 2026, it is imperative for webmasters and IT professionals to not only implement CAA records but also to regularly audit their DNS settings to ensure compliance and security. Tools such as DNS Checker can be employed to verify the presence and correctness of CAA records.
In conclusion, CAA record adoption is an essential step in enhancing domain security. By understanding the implementation process and the significance of these records, organizations can better protect themselves against certificate-related vulnerabilities as we approach 2026.
DNS (Domain Name System) translates domain names into IP addresses. DNS records are instructions that define where to route traffic, email, and how to verify domainownership.
Query all record types — A, AAAA, MX, NS, TXT, CNAME, SOA — in a single request.
Direct queries to authoritative servers. Results in milliseconds, no caching.
SPF, DKIM, and DMARC analysis to evaluate email protection against spoofing and phishing.
Save check results. Compare DNS records before and after registrar changes.
DNS check after deploy
SPF/DKIM/DMARC audit
DNS config audit
DNS zone control
v=spf1 TXT record.DNS check history, API keys and DNS change monitoring.
Sign up freeNo, not required but recommended. Without CAA any CA can issue a cert for your domain (given successful domain validation).
In DNS zone: <code>example.com. IN CAA 0 issue "letsencrypt.org"</code>. Wildcard: <code>0 issuewild "letsencrypt.org"</code>.
Clear cache on CA accounts + add CAA for the new CA. Propagation is usually 1-24 hours.
<a href="/en/dns">Enterno DNS</a> → type CAA. Or <code>dig CAA example.com</code>.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.