What is a CAA Record?
A CAA (Certification Authority Authorization) record is a type of DNS record that allows domain owners to specify which Certificate Authorities (CAs) are permitted to issue SSL/TLS certificates for their domain. Think of it as a whitelist for certificate issuance—if a CA isn't on your list, they must refuse to issue a certificate.
CAA records were initially defined in RFC 6844 (2013) and later updated by RFC 8659 (2019). Since September 8, 2017, all publicly trusted Certificate Authorities are required to check CAA records before issuing certificates, making this a powerful security mechanism.
- Authorization: explicitly authorize specific CAs to issue certificates for your domain
- Protection: prevent unauthorized CAs from issuing certificates for your domain
- Compliance: meet security audit requirements and industry best practices
Why CAA Records Matter
By default, any Certificate Authority can issue certificates for any domain. This means a malicious actor could potentially obtain a certificate for your domain from a CA you've never authorized. CAA records close this security gap by giving you explicit control over certificate issuance.
How CAA Records Work
When a Certificate Authority receives a request to issue a certificate for your domain, they must perform a CAA record lookup before proceeding. Here's the process:
CAA Lookup Process
DNS Query
The CA queries DNS for CAA records at the exact domain name (e.g., www.example.com).
Hierarchy Climbing
If no CAA records are found, the CA checks parent domains (example.com) up to the registered domain. This allows CAA records on a parent domain to apply to all subdomains.
Authorization Check
The CA checks if their identifier appears in the domain's CAA records. If authorized, issuance proceeds. If not authorized (or if records exist but don't include the CA), issuance is denied.
Default Behavior
If no CAA records exist anywhere in the domain hierarchy, any CA may issue certificates (the permissive default). This is why adding CAA records is important for security.
CNAME Following
When a domain has a CNAME record, CAs follow the CNAME chain and check CAA records at both the original domain and the CNAME target. This ensures proper authorization even when using CDNs or external services.
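The lookup process above, modelled offline in Python as an added example (not code from the original article or from any CA): the zone data, CNAME alias and CA names are constructed sample values, and the decision rules follow RFC 8659 (critical flag, issuewild fallback, ";" blocking, permissive default).

```python
from typing import Dict, List, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value), as in the record format

# Constructed sample zone data (not real DNS): name -> CAA RRset, plus CNAME aliases.
ZONE: Dict[str, List[CaaRecord]] = {
    "example.com.": [(0, "issue", "letsencrypt.org"), (0, "issuewild", "digicert.com"),
                     (0, "iodef", "mailto:security@example.com")],
    "locked.example.com.": [(0, "issue", ";")],                 # block all issuance
    "strict.example.com.": [(128, "newtag", "x")],             # critical flag, unknown tag
    "edge.cdnprovider.net.": [(0, "issue", "cdnca.example")],  # policy at a CNAME target
}
CNAMES: Dict[str, str] = {"cdn.example.com.": "edge.cdnprovider.net."}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def caa_rrset(name: str) -> List[CaaRecord]:
    """CAA(X) of RFC 8659 section 3: the RRset at X, chasing CNAME aliases."""
    seen = set()
    while name in CNAMES and name not in seen:
        seen.add(name)
        name = CNAMES[name]
    return ZONE.get(name, [])


def relevant_rrset(name: str) -> List[CaaRecord]:
    """Hierarchy climbing: first non-empty RRset from the exact name toward the root."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = caa_rrset(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []  # no CAA anywhere in the hierarchy: permissive default


def issuance_allowed(name: str, ca: str, wildcard: bool = False) -> bool:
    """Would the CA identified by `ca` be allowed to issue a certificate for `name`?"""
    rrset = relevant_rrset(name)
    if not rrset:
        return True
    # A record with the critical flag (128) and a tag the CA does not understand blocks issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    tags = {t for _, t, _ in rrset}
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if tag not in tags:
        return True  # e.g. an iodef-only RRset restricts nothing
    # Only the issuer domain before any ';' parameters is compared; "" (from ";") allows nobody.
    issuers = {v.split(";")[0].strip().lower() for _, t, v in rrset if t == tag}
    return ca.lower() in issuers
```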
Verify Your CAA Configuration
Use our free CAA Record Lookup tool to check your domain's CAA records
CAA Record Syntax and Components
CAA records follow a specific format with three main components: flags, tag, and value. Understanding this syntax is essential for correctly configuring your CAA records.
Record Format
domain.com. IN CAA <flags> <tag> "<value>"
Flags
An 8-bit integer controlling how CAs should handle the record:
- 0: non-critical (the normal value)
- 128: critical (issuer-critical flag); a CA that does not understand the record's tag must not issue
Tags
The tag specifies the type of authorization:
issue (Authorize Certificate Issuance)
Specifies CAs authorized to issue non-wildcard certificates for this domain.
example.com. CAA 0 issue "letsencrypt.org"
issuewild (Authorize Wildcard Certificates)
Specifies CAs authorized to issue wildcard certificates (*.domain.com). If absent, falls back to the issue tag for wildcard authorization.
example.com. CAA 0 issuewild "digicert.com"
iodef (Incident Reporting)
URL or email where CAs should report policy violations. Use mailto: for email or https: for webhook endpoints.
example.com. CAA 0 iodef "mailto:security@example.com"
Common CAA Record Examples
Allow Only Let's Encrypt
example.com. CAA 0 issue "letsencrypt.org"
Allow Multiple CAs
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issue "digicert.com"
example.com. CAA 0 issue "sectigo.com"
Block All Certificate Issuance
example.com. CAA 0 issue ";"
The semicolon (;) means no CA is authorized to issue certificates.
Complete Configuration with Reporting
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issuewild "letsencrypt.org"
example.com. CAA 0 iodef "mailto:ssl-alerts@example.com"
Advanced CAA Features (RFC 8657)
RFC 8657 introduced additional parameters that provide more granular control over certificate issuance, particularly useful for organizations using automated certificate management with ACME (Automated Certificate Management Environment).
validationmethods Parameter
Restricts which domain validation methods a CA can use to verify domain control.
CAA 0 issue "letsencrypt.org; validationmethods=dns-01"
This restricts Let's Encrypt to only use DNS-01 validation challenges.
accounturi Parameter
Restricts issuance to certificates requested by a specific ACME account.
CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/123456"
Only the specified Let's Encrypt account can request certificates.
Security Best Practice
Combining accounturi with validationmethods provides maximum security. This ensures only your specific ACME account, using your preferred validation method, can obtain certificates—preventing both social engineering attacks and DNS hijacking scenarios.
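The accounturi and validationmethods checks described in this section, as an added Python example (not code from the article, from Let's Encrypt or from any CA): the RRset values and the validation method names are constructed, the account URI reuses the article's sample value, and the value format is assumed to be the RFC 8657 form "issuer-domain; key=value; ...".

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class IssueProperty:
    issuer: str                       # issuer-domain-name, lowercased ("" means nobody)
    params: Dict[str, str] = field(default_factory=dict)


def parse_issue_value(value: str) -> IssueProperty:
    """Split an issue/issuewild value into the issuer domain and its ';'-separated parameters."""
    head, *rest = value.split(";")
    params: Dict[str, str] = {}
    for part in rest:
        if part.strip():
            key, _, val = part.strip().partition("=")
            params[key.strip().lower()] = val.strip()
    return IssueProperty(head.strip().lower(), params)


def record_permits(value: str, ca: str, account_uri: str, method: str) -> bool:
    """Does one issue record permit this CA, this ACME account and this validation method?"""
    prop = parse_issue_value(value)
    if prop.issuer != ca.lower():
        return False
    # accounturi: only the exact account URI may request issuance.
    if "accounturi" in prop.params and prop.params["accounturi"] != account_uri:
        return False
    # validationmethods: comma-separated list of permitted challenge types.
    if "validationmethods" in prop.params:
        allowed = {m.strip().lower() for m in prop.params["validationmethods"].split(",")}
        if method.lower() not in allowed:
            return False
    return True


def acme_issuance_allowed(rrset: List[str], ca: str, account_uri: str, method: str) -> bool:
    """Issuance is allowed if any issue record in the relevant RRset permits the request."""
    return any(record_permits(v, ca, account_uri, method) for v in rrset)


# Constructed sample RRset values (not from a real zone); the account URI is the article's example.
MY_ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/123456"
RRSET = [
    "letsencrypt.org; validationmethods=dns-01; accounturi=" + MY_ACCOUNT,
    "digicert.com",
]
```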
How to Add CAA Records
Adding CAA records varies by DNS provider. Here are step-by-step instructions for popular providers and general DNS panels:
Cloudflare
- Log in to your Cloudflare dashboard and select your domain
- Navigate to DNS → Records
- Click Add record
- Select CAA as the record type
- Set Name to @ (or subdomain)
- Choose the Tag (issue, issuewild, or iodef)
- Enter the CA domain in the Value field
- Set Flags to 0 (or 128 for critical)
- Click Save
GoDaddy
- Sign in to your GoDaddy account
- Go to My Products → DNS for your domain
- Scroll to Records and click Add
- Select CAA from the Type dropdown
- Enter the Host (@ for root domain)
- Set Flags, Tag, and Value
- Click Save
Namecheap
- Log in to Namecheap and go to Domain List
- Click Manage next to your domain
- Navigate to Advanced DNS
- Under Host Records, click Add New Record
- Select CAA Record as the type
- Configure Host, Flag, Tag, and Value
- Click the checkmark to save
BIND Zone File (Advanced)
For administrators managing DNS directly with BIND, add CAA records to your zone file:
; CAA Records for example.com
@ IN CAA 0 issue "letsencrypt.org"
@ IN CAA 0 issuewild "letsencrypt.org"
@ IN CAA 0 iodef "mailto:security@example.com"
After editing, increment the serial number and reload the zone.
How to Remove or Modify CAA Records
There are situations where you may need to update or remove CAA records:
When to Modify
- Switching to a new Certificate Authority
- Adding additional authorized CAs
- Updating iodef reporting endpoints
- Enabling wildcard certificate issuance
When to Remove
- CAA records blocking legitimate certificate issuance
- Transferring domain to new management
- Temporarily allowing any CA (not recommended)
Before Removing CAA Records
Before removing CAA records, consider that this removes a security control. It's generally better to add the required CA to your records rather than removing CAA protection entirely. Always verify propagation using a CAA lookup tool before requesting new certificates.
Check Your CAA Records
After configuring CAA records, it's essential to verify they're correctly published and propagated. Use our free CAA Record Lookup tool to instantly check your domain's CAA configuration.
Common Issues and Troubleshooting
SERVFAIL Response
A SERVFAIL response indicates a DNS server error. This could mean DNSSEC validation failure or DNS server misconfiguration. CAs treat SERVFAIL as a failed CAA check and will not issue certificates.
Records Not Propagated
If newly added CAA records aren't showing up, wait for DNS propagation (usually 1-48 hours). You can use our lookup tool with "Force Refresh" enabled to bypass DNS caching and get the latest records.
Certificate Issuance Blocked
If a CA refuses to issue a certificate citing CAA, verify: (1) the CA's domain identifier is correctly spelled in your CAA record, (2) you're using the correct tag (issue vs issuewild), and (3) there are no conflicting records at parent domains.
CAA Record Best Practices
Do
- Add CAA records for all domains you own, even if not using SSL
- Include iodef records to receive violation reports
- Test CAA records before requesting certificates
- Document your authorized CAs for team reference
- Use accounturi for automated certificate issuance
Don't
- Forget issuewild if you need wildcard certificates
- Misspell CA domain identifiers (e.g., "letsencrpyt.org")
- Remove CAA records as a troubleshooting step
- Assume CAA records propagate instantly
- Use the critical flag (128) unless you understand the implications
Security Implications of CAA Records
Benefits of CAA Records
- Prevent Misissuance: Stop unauthorized CAs from issuing certificates for your domain
- Reduce Attack Surface: Limit certificate sources to CAs you trust and monitor
- Audit Trail: Receive notifications of issuance attempts via iodef
- Compliance: Meet security requirements for PCI-DSS, SOC 2, and other frameworks
Limitations to Understand
- Voluntary Compliance: CAA only works if CAs check and honor the records
- No Revocation: CAA cannot revoke certificates already issued
- DNS Security: CAA is only as secure as your DNS—consider DNSSEC
- Internal CAs: Private/internal CAs may not check CAA records
Related Resources
Sources & References
Official documentation and industry standards cited in this article
- RFC 8659, DNS Certification Authority Authorization (CAA) Resource Record. IETF RFC. Accessed January 2026.
- RFC 6844, DNS CAA (Original Specification). IETF RFC. Accessed January 2026.
- RFC 8657, CAA Extensions for ACME. IETF RFC. Accessed January 2026.
- CA/Browser Forum Baseline Requirements, CAA Checking. CA/Browser Forum standard. Accessed January 2026.
CAA Record Frequently Asked Questions
Common questions about Certificate Authority Authorization records and DNS security