CAA Records in DNS

What Is a CAA Record in DNS?

Controlling Which Certificate Authorities Can Issue for Your Domain

In the world of HTTPS and secure web browsing, SSL/TLS certificates play a crucial role in proving your domain's authenticity. But how do you stop just anyone from requesting a certificate for your site? That is where CAA records come in.

CAA stands for Certification Authority Authorization, and it is a DNS record that tells certificate authorities (CAs) whether they are allowed to issue certificates for your domain. Think of it as an access control list that lives right in your DNS settings.


Why CAA Records Matter

Without a CAA record, any trusted certificate authority can issue certificates for your domain. That may sound fine at first, but it opens the door to accidental or malicious issuance. A poorly configured CA could issue a certificate for your site to someone who does not control it, putting your users at risk.

A CAA record lets you take control. You can specify exactly which CA is allowed to issue certificates and block everyone else.

What a CAA Record Looks Like

example.com. IN CAA 0 issue "letsencrypt.org"

This line means only Let's Encrypt is authorized to issue certificates for example.com.

You can also allow reporting if unauthorized issuance is attempted:

example.com. IN CAA 0 iodef "mailto:[email protected]"

CAA records provide an essential security layer by restricting which Certificate Authorities can issue SSL/TLS certificates for your domain.

By specifying authorized CAs, you prevent unauthorized or accidental certificate issuance that could compromise your domain's security.

The iodef tag enables reporting, so you're notified if someone attempts to issue an unauthorized certificate.

Key Components

How to Check a CAA Record

Use the dig command like this:

dig CAA example.com

This will return all configured CAA records for the domain.
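To interpret what dig returns, the following added example (not code from this page or its lookup tool) parses dig-style answer lines and applies the RFC 8659 rules for a given CA. It goes beyond the single issue line shown above to cover issuewild and the critical flag; the sample answer, security@example.com and otherca.example are constructed.

```python
import re

# Constructed sample of `dig CAA example.com` answer lines (not real output).
SAMPLE_ANSWER = '''
example.com.  3600 IN CAA 0 issue "letsencrypt.org"
example.com.  3600 IN CAA 0 issuewild ";"
example.com.  3600 IN CAA 0 iodef "mailto:security@example.com"
'''

# owner, optional TTL, class, type, flags, tag, quoted value
CAA_LINE = re.compile(r'^(\S+)\s+(?:\d+\s+)?IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"\s*$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(text):
    """Return a list of (flags, tag, value) tuples from dig-style answer lines."""
    records = []
    for line in text.splitlines():
        m = CAA_LINE.match(line.strip())
        if m:
            records.append((int(m.group(2)), m.group(3).lower(), m.group(4)))
    return records

def issuer_domain(value):
    """Drop optional ';name=value' parameters; '' means no CA is allowed."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(records, ca_domain, wildcard=False):
    """Apply RFC 8659 rules to one relevant record set for one CA."""
    # An unrecognised tag with the critical bit (128) set forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    issue = [issuer_domain(v) for _, t, v in records if t == "issue"]
    issuewild = [issuer_domain(v) for _, t, v in records if t == "issuewild"]
    # issuewild, when present, replaces issue for wildcard requests.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no restricting property: CAA does not limit issuance
    return ca_domain.lower() in relevant

def report(text, cas):
    """Map each CA to (may issue normal cert, may issue wildcard cert)."""
    records = parse_caa(text)
    return {ca: (may_issue(records, ca), may_issue(records, ca, True)) for ca in cas}

if __name__ == "__main__":
    for ca, result in report(SAMPLE_ANSWER, ["letsencrypt.org", "otherca.example"]).items():
        print(ca, result)
```

The check covers a single record set; a CA also walks up to parent domains when the name itself has no CAA records, which this example does not model.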

Best Practices

Summary

CAA records give you direct control over who can issue SSL certificates for your domain. They reduce the risk of mis-issuance and increase your visibility into certificate activity. If you manage a domain that uses HTTPS, adding a CAA record is a smart move for security and compliance.