CAA Records Explained: Control Who Issues Your SSL Certificates
Part of our guide to DNS Records Explained: A Complete Guide to Every Record Type.
A CAA record, short for Certification Authority Authorization, is a DNS record that tells the world which certificate authorities (CAs) are allowed to issue SSL/TLS certificates for your domain. Publish a single CAA record and you turn an open-ended permission ("any CA may issue a cert for us") into an explicit allowlist ("only these CAs may"). Defined in RFC 8659, it is one of the simplest and highest-leverage security controls available through DNS.
CAA records are part of the broader DNS toolkit covered in our pillar guide, DNS records explained. If you have worked with TXT records explained for SPF or DMARC, the mental model is similar: you publish a policy in DNS, and other systems are expected to read and honor it. The difference is that CAA speaks directly to certificate authorities rather than to mail servers.
The Security Problem CAA Solves
Without a CAA record, every publicly trusted certificate authority in the world is technically allowed to issue a certificate for your domain. That is a large trust surface. Trick any one of those CAs (through social engineering, a compromised validation path, or a misconfigured account) and an attacker can obtain a valid certificate for your domain, then impersonate your site with a padlock in the browser.
CAA shrinks that trust surface. By naming only the CAs you actually use, you instruct every other CA to refuse issuance. A request to an unauthorized CA fails the moment it checks your DNS, before any certificate is ever signed.
CAA Record Syntax and Tags
A CAA record has three parts: a flags value (almost always 0), a tag, and a value string in quotes. There are three tags you need to know.
| Tag | Controls | Example value |
|---|---|---|
| issue | Which CAs may issue standard (single-name) certificates | 0 issue "letsencrypt.org" |
| issuewild | Which CAs may issue wildcard certificates (e.g. for *.example.com) | 0 issuewild "digicert.com" |
| iodef | Where a CA should report a violation or rejected request | 0 iodef "mailto:[email protected]" |
A typical domain publishes something like this at its root:
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issuewild "letsencrypt.org"
example.com. CAA 0 iodef "mailto:[email protected]"
To explicitly forbid all issuance, publish 0 issue ";", an empty value that authorizes no CA at all. If you set issue but omit issuewild, wildcard issuance falls back to the issue policy.
How CAs Are Required to Honor CAA
CAA enforcement is not optional for the CA. Under the CA/Browser Forum Baseline Requirements, every publicly trusted certificate authority must check for a CAA record and refuse to issue if its own identifier is not authorized. This is what makes the record effective: you are not relying on goodwill, but on a binding industry rule that all trusted CAs agree to follow.
The iodef tag complements this by giving CAs a contact for reporting. When a CA rejects a request because it is not authorized, it can send an incident report to the address you specify, giving you early warning of a possible mis-issuance attempt.
Subdomain Fallback and Existing Certificates
CAA checking walks up the DNS tree. When a CA validates a request for shop.example.com, it first looks for a CAA record on that exact name. If none exists, it falls back to the parent, example.com, and continues upward until it finds a record or reaches the root. A single CAA record at your apex domain therefore protects every subdomain that does not define its own policy, and you can still override that policy for a specific subdomain when needed.
One important limitation applies: CAA only affects new issuance. The check happens at the moment a certificate is requested, so adding or tightening a CAA record does not revoke or invalidate certificates that have already been issued. Existing certificates remain valid until they expire.
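The following added example (not code from the original article or from DomainIntel) models the CA-side evaluation described in the syntax section and in the subdomain fallback section: it walks up a constructed zone snapshot to find the relevant CAA set, applies the issuewild-to-issue fallback, treats 0 issue ";" as forbidding every CA, and collects the iodef contacts a CA would report to. The ZONE dictionary, the record values, and the helper names are all assumptions made up for this illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str

def parse_caa(text: str) -> CAA:
    """Parse presentation format 'FLAGS TAG "VALUE"', e.g. 0 issue "letsencrypt.org"."""
    flags, tag, value = text.split(" ", 2)
    return CAA(int(flags), tag.lower(), value.strip('"'))

# Constructed zone snapshot (not real DNS data): owner name -> CAA records.
ZONE = {
    "example.com.": ['0 issue "letsencrypt.org"',
                     '0 iodef "mailto:security@example.com"'],
    "locked.example.com.": ['0 issue ";"'],                  # forbid all issuance
    "corp.example.com.": ['0 issue "digicert.com; validationmethods=dns-01"',
                          '0 issuewild "sectigo.com"'],
}

def relevant_caa(name: str) -> list:
    """Walk up the tree as RFC 8659 requires: the first name with any CAA record wins."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]) + ".")
        if rrset:
            return [parse_caa(r) for r in rrset]
    return []  # nothing up to the root: no CAA policy at all

def issuer_of(rec: CAA) -> str:
    """Issuer domain from a value such as 'digicert.com; validationmethods=dns-01'."""
    return rec.value.split(";", 1)[0].strip().lower()

def may_issue(ca: str, name: str, wildcard: bool = False) -> bool:
    """True if CA `ca` is authorized for `name` (or for *.name when wildcard=True)."""
    recs = relevant_caa(name)
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in recs):
        tag = "issuewild"  # issuewild present: it alone governs wildcard requests
    rules = [r for r in recs if r.tag == tag]
    if not rules:
        return True  # no CAA record, or only iodef/issuewild for a non-wildcard: no restriction
    # '0 issue ";"' parses to an empty issuer, which no CA can match.
    return ca.lower() in {issuer_of(r) for r in rules}

def report_contacts(name: str) -> list:
    """iodef URLs for `name`; a subdomain's own CAA set replaces the parent's, iodef included."""
    return [r.value for r in relevant_caa(name) if r.tag == "iodef"]
```

Note that locked.example.com inherits nothing from the apex once it publishes its own record, so its iodef contact list is empty unless it repeats the tag.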
Bridging DNS and SSL/TLS Security
CAA is one of the few records that sits at the boundary between DNS configuration and certificate security: your DNS policy directly governs your TLS trust. That also makes it easy to misconfigure in a way you do not notice until a renewal silently fails. The DomainIntel tool reports your CAA records alongside your live SSL certificate details, so you can confirm that the CA actually issuing your certificate is the same one your CAA policy authorizes.
Check Your Domain
Want to see which CAs your domain authorizes and how that lines up with your current certificate? Run a free check at domainintel.app and review your CAA records and SSL/TLS details side by side.
Frequently asked questions
What is a CAA record?
A CAA (Certification Authority Authorization) record is a DNS record that lists which certificate authorities are permitted to issue SSL/TLS certificates for your domain.
Are CAA records required?
No, CAA records are not required. However, certificate authorities are required by the CA/Browser Forum to check for and honor them before issuing a certificate, so adding one is a recommended security best practice.
What happens if I have no CAA record?
If your domain has no CAA record, there is no restriction: any publicly trusted certificate authority may issue a certificate for your domain.