SecurityStatus

CAA Records

Certification Authority Authorization (CAA) records are DNS entries that specify which Certificate Authorities are permitted to issue SSL certificates for your domain. They act as an allowlist — any CA not listed is prohibited from issuing a certificate, even if they somehow validate domain ownership.

What SecurityStatus Checks

  • Whether CAA records exist for your domain
  • Which CAs are authorised in your CAA records
  • Whether wildcard issuance is separately restricted with issuewild entries
  • Whether an iodef address is configured for violation reports from CAs

Why This Matters

Without CAA records, any of the hundreds of trusted Certificate Authorities can issue a certificate for your domain. A compromised or rogue CA could issue a fraudulent cert. CAA records reduce this risk by limiting which CAs are allowed. All major CAs check CAA records before issuance.

How to Fix It

  1. Identify which CAs you use

     Check your current certificates at crt.sh or via your hosting panel. Note the issuing CA for each certificate (e.g., Let's Encrypt, DigiCert, Sectigo).

  2. Add CAA records to your DNS

     Add a CAA record for each permitted CA. Example for Let's Encrypt: `yourdomain.com CAA 0 issue "letsencrypt.org"`. For Google Trust Services: `CAA 0 issue "pki.goog"`. You can have multiple CAA records.

  3. Add wildcard restriction if needed

     If you use wildcard certs, add: `CAA 0 issuewild "letsencrypt.org"`. If you do not want wildcards issued at all, add: `CAA 0 issuewild ";"` (empty value prohibits all wildcard issuance).

  4. Add iodef for violation reports

     Add `CAA 0 iodef "mailto:security@yourdomain.com"` to receive reports if a CA is asked to issue a cert that would violate your CAA policy.
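To show how a CA evaluates the records from steps 2 to 4, here is an added Python example (not SecurityStatus code) that parses zone-file-style CAA records and applies the RFC 8659 rules: climb to the parent when a name has no CAA set, let issuewild take precedence for wildcard requests, and treat ";" as prohibiting issuance. The zone data and domain names are constructed for the example.

```python
import re

SAMPLE_ZONE = {  # constructed data for a hypothetical domain, not real DNS records
    "example.test": [
        '0 issue "letsencrypt.org"',
        '0 issue "pki.goog; validationmethods=dns-01"',  # parameters may follow ';'
        '0 issuewild ";"',                                 # no wildcard issuance at all
        '0 iodef "mailto:security@example.test"',
    ],
    "sub.example.test": [],  # no CAA here, so the CA climbs to the parent (RFC 8659 s.3)
}

CAA_RE = re.compile(r'^(\d+)\s+(issue|issuewild|iodef)\s+"([^"]*)"$')

def parse_caa(records):
    """Turn zone-file-style CAA RDATA into (flags, tag, value) tuples."""
    parsed = []
    for rr in records:
        m = CAA_RE.match(rr.strip())
        if not m:
            raise ValueError(f"unparseable CAA record: {rr!r}")
        parsed.append((int(m.group(1)), m.group(2), m.group(3)))
    return parsed

def relevant_caa(zone, name):
    """Return (owner, rrset) of the closest ancestor-or-self that has CAA records."""
    base = name[2:] if name.startswith("*.") else name  # wildcards are checked at the base name
    labels = base.split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, parse_caa(zone[owner])
    return None, []

def issuance_allowed(zone, name, ca_domain, wildcard=False):
    """True if ca_domain may issue a cert for name (or *.name when wildcard=True)."""
    _, rrset = relevant_caa(zone, name)
    if not rrset:
        return True  # no CAA anywhere up the tree: any CA may issue
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # issuewild, when present, overrides issue for wildcards
    # Keep only the domain part of each value; a bare ';' yields '' so no CA matches.
    allowed = {v.split(";")[0].strip() for _, t, v in rrset if t == tag}
    return ca_domain in allowed

def iodef_targets(zone, name):
    """Addresses a CA should notify about requests that violate the policy."""
    return [v for _, t, v in relevant_caa(zone, name)[1] if t == "iodef"]
```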

Frequently Asked Questions

Do CAA records affect existing certificates?

No. CAA records only affect new certificate issuance requests. Existing certificates remain valid until they expire.

What if I don't know which CA I use?

Search crt.sh for your domain to see all certificates and their issuing CAs. Your browser's padlock icon also shows the CA for the current certificate.

Can CAA records be bypassed?

CAs are required by the CA/Browser Forum Baseline Requirements to check CAA records before issuing. Issuing in violation of a CAA record is a compliance failure for the CA, and Certificate Transparency (CT) logs would expose the mis-issued certificate. CAA is not foolproof, but it adds a meaningful layer of defence.
