
CAA Record Security

A CAA record (Certification Authority Authorization) lists the certificate authorities (CAs) that are allowed to issue SSL/TLS certificates for your domain. Publicly trusted CAs must check it before issuing, so a CA that is not listed will refuse to issue for the domain; this adds a layer of protection against mis-issued or fraudulent certificates.


What Is a CAA Record?

Since 2017, publicly trusted certificate authorities have been required to check CAA records before issuing a certificate. If a CAA record exists, a CA may issue only if it is listed in that record. This protects against:

CAA Record Format

A CAA record consists of three parts:

Component   Description                                                        Example
Flags       0 = non-critical, 128 = critical                                   0
Tag         Property type (issue, issuewild, iodef)                            issue
Value       CA identifier (issue, issuewild) or a mailto:/https: report        letsencrypt.org
            address (iodef)

Example CAA Record

example.com.    3600    IN    CAA    0 issue "letsencrypt.org"

This record allows only Let's Encrypt to issue certificates for example.com.
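To make the three-part layout concrete, here is an added parser for CAA records in the zone-file presentation format used on this page. It is example code written for this page, not part of the lookup tool or of any DNS library; the sample record set, the `caa-reports@example.com` address and the `futuretag` property are constructed for the demonstration. Besides splitting flags, tag and value, it separates the issuer domain from any `name=value` parameters in an issue value and flags critical properties a CA does not recognise, which is what the 128 flag is for.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One CAA record in zone-file presentation format, e.g.
#   example.com.    3600    IN    CAA    0 issue "letsencrypt.org"
# TTL and class are optional, so the short form used elsewhere on this
# page ("example.com.    CAA    0 issue ...") parses as well.
_CAA_LINE = re.compile(
    r'^\s*(?P<owner>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?CAA\s+'
    r'(?P<flags>\d+)\s+(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"\s*$'
)

STANDARD_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL_FLAG = 128  # the issuer-critical bit of the flags octet


@dataclass(frozen=True)
class CaaRecord:
    owner: str
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & CRITICAL_FLAG)


def parse_caa_line(line: str) -> CaaRecord:
    """Parse a single CAA record; raises ValueError on anything else."""
    m = _CAA_LINE.match(line)
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    flags = int(m.group("flags"))
    if not 0 <= flags <= 255:
        raise ValueError(f"flags must fit in one octet: {flags}")
    # Owner names and tags are case-insensitive; the value is kept verbatim.
    return CaaRecord(m.group("owner").lower(), flags,
                     m.group("tag").lower(), m.group("value"))


def parse_caa_set(text: str) -> List[CaaRecord]:
    """Parse every non-blank line of a zone-file fragment."""
    return [parse_caa_line(ln) for ln in text.splitlines() if ln.strip()]


def parse_issue_value(value: str) -> Tuple[Optional[str], Dict[str, str]]:
    """Split an issue/issuewild value into (issuer domain, parameters).

    The value has the form  issuer-domain [; name=value ...]  and an empty
    issuer domain (the value ";") means that no CA may issue at all.
    """
    parts = [p.strip() for p in value.split(";")]
    domain = parts[0].lower() or None
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if p:
            name, _, val = p.partition("=")
            params[name.strip().lower()] = val.strip()
    return domain, params


def unknown_critical_tags(records: List[CaaRecord]) -> List[str]:
    """Critical-flagged tags that this parser does not recognise.

    A CA must refuse to issue when any such tag is present, because the
    domain owner has marked that property as mandatory to understand.
    """
    return [r.tag for r in records
            if r.critical and r.tag not in STANDARD_TAGS]


# Constructed sample record set (not real DNS data): long and short
# presentation forms, a parameterised issue value, a deny-all issuewild,
# a critical iodef and a hypothetical critical tag no CA understands.
SAMPLE_RECORDS = """\
example.com.    3600    IN    CAA    0 issue "letsencrypt.org"
example.com.    CAA    0 issue "digicert.com; validationmethods=dns-01"
example.com.    CAA    0 issuewild ";"
example.com.    CAA    128 iodef "mailto:caa-reports@example.com"
example.com.    CAA    128 futuretag "hypothetical"
"""

if __name__ == "__main__":
    recs = parse_caa_set(SAMPLE_RECORDS)
    for r in recs:
        print(r.flags, r.tag, "critical" if r.critical else "non-critical", repr(r.value))
    print("unknown critical tags:", unknown_critical_tags(recs))
```

Note that the `iodef` record carries the critical flag but is still fine, because every CA understands `iodef`; only the constructed `futuretag` property would block issuance.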

CAA Tags

issue — Standard Certificates

Specifies CAs that can issue certificates for the domain:

example.com.    CAA    0 issue "digicert.com"
example.com.    CAA    0 issue "letsencrypt.org"

issuewild — Wildcard Certificates

Specifies CAs that can issue wildcard certificates (for example *.example.com):

example.com.    CAA    0 issuewild "digicert.com"

If no issuewild record exists, the issue record applies to wildcards too.

iodef — Incident Reporting

Where CAs should report certificate requests that violate the policy:

example.com.    CAA    0 iodef "mailto:[email protected]"
example.com.    CAA    0 iodef "https://example.com/caa-report"

Common CA Identifiers

Certificate Authority     CAA Value
Let's Encrypt             letsencrypt.org
DigiCert                  digicert.com
Sectigo (Comodo)          sectigo.com
GlobalSign                globalsign.com
GoDaddy                   godaddy.com
Amazon (AWS)              amazon.com
Google Trust Services     pki.goog
Cloudflare                digicert.com; comodoca.com; letsencrypt.org

Example CAA Configurations

1. Single CA (Let's Encrypt only)

example.com.    CAA    0 issue "letsencrypt.org"
example.com.    CAA    0 iodef "mailto:[email protected]"

2. Multiple CAs

example.com.    CAA    0 issue "digicert.com"
example.com.    CAA    0 issue "letsencrypt.org"
example.com.    CAA    0 issuewild "digicert.com"

3. Prevent All Certificate Issuance

example.com.    CAA    0 issue ";"

4. Wildcard Restriction

example.com.    CAA    0 issue "letsencrypt.org"
example.com.    CAA    0 issuewild ";"

This allows regular certificates but blocks wildcard certificates.

CAA Inheritance

CAA records are inherited by subdomains. When a CA checks a name, it looks for a CAA record set at that exact name and, if there is none, at each parent name in turn until it finds one; the first record set found is the one that applies.

To set a different policy for a subdomain, publish CAA records at the subdomain itself; they then take precedence over the parent's records for that subdomain and everything below it.
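The following added example ties together the tag semantics, the four configurations above and the inheritance rule by evaluating a CAA policy the way a CA would. It is example code written for this page, not the lookup tool's code; the zone data is constructed (it is not the real CAA set of example.com) and `caa-reports@example.com` is a made-up address. The evaluator climbs from the requested name towards the root, applies `issuewild` to wildcard requests with fallback to `issue`, treats `";"` as deny-all, and refuses issuance when a critical tag it does not understand is present.

```python
from typing import Dict, List, Optional, Tuple

# A CAA RR as (flags, tag, value). This zone is constructed for the
# example and is not real DNS data for example.com.
CaaRR = Tuple[int, str, str]

ZONE: Dict[str, List[CaaRR]] = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "digicert.com"),
        (0, "issuewild", "digicert.com"),
        (0, "iodef", "mailto:caa-reports@example.com"),
    ],
    # Subdomain with its own policy: no certificates at all (configuration 3).
    "legacy.example.com.": [(0, "issue", ";")],
    # Only issue records here, so they govern wildcard requests as well.
    "api.example.com.": [(0, "issue", "pki.goog")],
    # Ordinary certificates allowed, wildcards blocked (configuration 4).
    "shop.example.com.": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
}

STANDARD_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL_FLAG = 128


def relevant_rrset(zone: Dict[str, List[CaaRR]], name: str) -> Tuple[Optional[str], List[CaaRR]]:
    """Find the CAA RRset that governs `name`.

    The lookup starts at the name itself and climbs one label at a time
    towards the root; the first non-empty CAA RRset wins. Returns the owner
    name it was found at, or None when no ancestor publishes CAA.
    """
    labels = name.rstrip(".").lower().split(".")
    while labels:
        owner = ".".join(labels) + "."
        if zone.get(owner):
            return owner, zone[owner]
        labels = labels[1:]
    return None, []


def issuer_domain(value: str) -> str:
    """The issuer-domain part of an issue/issuewild value ("" for ";")."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(zone: Dict[str, List[CaaRR]], fqdn: str, ca: str) -> bool:
    """Would the CA identified by `ca` be permitted to issue for `fqdn`?

    A leading "*." marks a wildcard request; the wildcard label is stripped
    before the lookup, so "*.example.com" is governed by example.com's set.
    """
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn
    owner, rrset = relevant_rrset(zone, name)
    if owner is None:
        return True  # no CAA anywhere up the tree: CAA imposes no restriction

    # A critical property this evaluator does not understand forbids issuance.
    if any(f & CRITICAL_FLAG and t not in STANDARD_TAGS for f, t, _ in rrset):
        return False

    tag = "issuewild" if wildcard else "issue"
    allowed = [issuer_domain(v) for _, t, v in rrset if t == tag]
    if wildcard and not allowed:
        # No issuewild property in the set: the issue properties apply to
        # wildcards as well.
        allowed = [issuer_domain(v) for _, t, v in rrset if t == "issue"]
    if not allowed:
        return True  # e.g. only iodef records: nothing restricts issuance

    # ";" yields "" which never equals a CA identifier, so it denies everyone.
    return ca.lower() in allowed


def explain(zone: Dict[str, List[CaaRR]], fqdn: str, ca: str) -> str:
    """One-line verdict naming the record set the decision came from."""
    owner, _ = relevant_rrset(zone, fqdn[2:] if fqdn.startswith("*.") else fqdn)
    verdict = "allowed" if issuance_allowed(zone, fqdn, ca) else "refused"
    return f"{ca} -> {fqdn}: {verdict} (policy from {owner or 'no CAA record'})"


if __name__ == "__main__":
    for fqdn, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "globalsign.com"),
                     ("*.example.com", "letsencrypt.org"),
                     ("host.legacy.example.com", "digicert.com"),
                     ("*.api.example.com", "pki.goog"),
                     ("*.shop.example.com", "letsencrypt.org"),
                     ("example.org", "letsencrypt.org")]:
        print(explain(ZONE, fqdn, ca))
```

Two results are worth checking against your own zone: `host.legacy.example.com` is refused for every CA because the deny-all record at `legacy.example.com` is inherited, and `*.api.example.com` is allowed for `pki.goog` because a set with no `issuewild` record lets its `issue` records govern wildcards.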

CAA Best Practices

Troubleshooting CAA

Common issues and solutions:

Check Your CAA Records

Use our DNS Record Finder to look up CAA records for any domain.

