Skip to content

CAA Records 2026: Adoption Benchmark

Key idea:

The measured data reveals several key findings: Domains with a CAA record have a pass value of 14%; CAA records that include iodef (incident email) have a pass value of 7%; CAA records with accounturi (CA account binding) show a pass value of 2%; Let's Encrypt in CAA has a pass value of 48%; and DigiCert in CAA has a pass value of 18%. Full tables are provided below on this page.

Below: key findings, platform breakdown, implications, methodology, FAQ.

Check your domain's DNS →

Key Findings

MetricPass / ValueMedianp75
Domains with a CAA record14%
CAA with iodef (incident email)7%
CAA with accounturi (CA account binding)2%
Let's Encrypt in CAA48%
DigiCert in CAA18%
Sectigo in CAA14%
GlobalSign in CAA8%
Misconfigured CAA (blocks valid renewal)0.3%

Breakdown by Platform

PlatformShareDetail
REG.RU DNS28% marketCAA support: Yes (UI since 2024)
Cloudflare DNS14%CAA support: Yes (UI)
Timeweb DNS11%CAA support: No UI (2026)
Beget DNS9%CAA support: No UI
Yandex Cloud DNS7%CAA support: Yes
Self-hosted BIND/PowerDNS4%CAA support: Full

Why It Matters

  • CAA protects against mis-issuance: if an attacker compromises DNS without CAA, they can get a cert from any CA
  • Chrome/Firefox don't check CAA (that's the CA's job at issuance), so CAA doesn't break existing clients
  • Let's Encrypt checks CAA on every renewal — a bad record can break auto-renew
  • iodef= email lets the CA notify the owner about mis-issuance attempts
  • CAA doesn't replace DNSSEC — they are complementary (DNSSEC protects the DNS answer, CAA sets policy for CAs)

Methodology

Top-5000 .ru domains by SimilarWeb ranking. DNS CAA queries via 1.1.1.1 and 8.8.8.8 (March 2026). CAA parser extracted issue= and iodef=. Registrar identified via WHOIS.

TL;DR: CAA Record Adoption 2026

CAA (Certification Authority Authorization) record adoption is currently at 14% among top domains, reflecting a growing awareness of security compliance and industry standards. Organizations are encouraged to implement CAA records to specify which Certificate Authorities are permitted to issue SSL/TLS certificates for their domains. This proactive measure mitigates risks associated with mis-issuance and enhances overall web security.

Understanding CAA Records: Importance and Implementation

CAA records are a pivotal component in the domain name system (DNS) that help prevent unauthorized certificate issuance. By specifying which Certificate Authorities (CAs) are allowed to issue certificates for a domain, CAA records significantly reduce the risk of mis-issuance, a vulnerability that has led to numerous security breaches in the past. The adoption of CAA records has gained momentum, with a notable percentage of domains now implementing them, reflecting the growing emphasis on security in web infrastructure.

The implementation process for CAA records is straightforward. A domain owner adds a CAA record to their DNS settings, which can be done using various DNS management tools or command-line interfaces. The record structure is defined as follows:

example.com. IN CAA 0 issue "letsencrypt.org"

This command indicates that only the Let's Encrypt CA is authorized to issue certificates for the domain example.com. The format of a CAA record includes:

  • Flags: A single digit that indicates the criticality of the record. For instance, '0' means non-critical, while '128' signifies that the record is critical.
  • Tag: This specifies the type of authorization. Common tags include issue, issuewild, and iodef.
  • Value: The domain name of the CA that is allowed to issue certificates.

To further illustrate, if an organization wishes to authorize multiple CAs, they can add multiple CAA records:

example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issue "digicert.com"

This setup allows both Let's Encrypt and DigiCert to issue certificates for example.com. It is crucial to ensure that these records are correctly configured to avoid service interruptions or security vulnerabilities.

The rise of CAA record adoption is largely influenced by regulatory frameworks and industry standards. For instance, the CA/Browser Forum mandates CAA records for certain types of certificates, which has prompted compliance among domain owners. Current data indicates that 14% of domains have implemented CAA records, with a notable presence of Let's Encrypt, which accounts for 48% of CAA records. This trend reflects a growing awareness of security practices among domain owners.

In the U.S. and EU, regulatory bodies have emphasized the importance of web security, further pushing organizations to adopt CAA records as part of their security posture. Failure to implement these records can result in increased risks of certificate mis-issuance, leading to potential phishing attacks or unauthorized access to sensitive data.

As we move towards 2026, it is imperative for webmasters and IT professionals to not only implement CAA records but also to regularly audit their DNS settings to ensure compliance and security. Tools such as DNS Checker can be employed to verify the presence and correctness of CAA records.

In conclusion, CAA record adoption is an essential step in enhancing domain security. By understanding the implementation process and the significance of these records, organizations can better protect themselves against certificate-related vulnerabilities as we approach 2026.

A / AAAAIPv4 and IPv6 host addresses
MX RecordsDomain mail servers
TXT / SPFVerification & anti-spoofing
NS / SOAName servers & zone authority

Why teams trust us

12
DNS record types
SPF+DKIM
email protection
<1s
DNS response
3
check regions

How it works

1

Enter domain

2

Select record type

3

Get DNS response

What are DNS Records?

DNS (Domain Name System) translates domain names into IP addresses. DNS records are instructions that define where to route traffic, email, and how to verify domainownership.

Complete Lookup

Query all record types — A, AAAA, MX, NS, TXT, CNAME, SOA — in a single request.

Instant Results

Direct queries to authoritative servers. Results in milliseconds, no caching.

Security Checks

SPF, DKIM, and DMARC analysis to evaluate email protection against spoofing and phishing.

Export & History

Save check results. Compare DNS records before and after registrar changes.

Who uses this

DevOps

DNS check after deploy

Email marketers

SPF/DKIM/DMARC audit

SEO

DNS config audit

Sysadmins

DNS zone control

Common Mistakes

Missing SPF recordWithout SPF, emails may land in spam. Add a v=spf1 TXT record.
Single NS serverIf the only NS fails, the domain becomes unreachable. Use at least 2 NS servers.
CNAME conflicting with other recordsCNAME cannot coexist with MX or TXT on the same name — this violates RFC.
TTL set too highWith 86400s TTL, DNS changes take a full day. Lower TTL to 300 before migrations.
Missing PTR recordMail servers check PTR. Without it, emails may be rejected.

Best Practices

Set up SPF + DKIM + DMARCThe trio of records that protects your email from spoofing and improves deliverability.
Use 2+ NS serversDistribute NS servers across different networks for redundancy.
Lower TTL before migrationSet TTL to 300 at least 24-48 hours before an IP change for fast propagation.
Verify DNS after changesAfter updating records, confirm changes propagated correctly and no errors remain.
Add a CAA recordCAA restricts which Certificate Authorities can issue SSL certificates for your domain.

Get more with a free account

DNS check history, API keys and DNS change monitoring.

Sign up free

Learn more

Frequently Asked Questions

Is CAA required?

No, not required but recommended. Without CAA any CA can issue a cert for your domain (given successful domain validation).

How do I add a CAA record?

In DNS zone: <code>example.com. IN CAA 0 issue "letsencrypt.org"</code>. Wildcard: <code>0 issuewild "letsencrypt.org"</code>.

What if CAA blocks a legitimate CA?

Clear cache on CA accounts + add CAA for the new CA. Propagation is usually 1-24 hours.

How to check my CAA?

<a href="/en/dns">Enterno DNS</a> → type CAA. Or <code>dig CAA example.com</code>.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.