A CAA (Certification Authority Authorization) record is a DNS record that specifies which certificate authorities are allowed to issue TLS certificates for your domain. It reduces the risk of an unauthorised or mis-issued certificate.
CAA records let you whitelist the certificate authorities permitted to issue certificates for your domain. Compliant CAs must check for a CAA record before issuing, adding a layer of defence against mis-issuance and certificate-based attacks.
Check your website
See how your site handles caa records: controlling who can issue your certificates — free, no account needed.
For business owners
A fraudulently issued certificate for your domain could let an attacker impersonate your site convincingly. CAA records are a low-effort control that instructs certificate authorities to refuse issuance unless you have explicitly authorised them — closing off a subtle but serious attack path.
How it works (technical)
A CAA record is a DNS resource record listing permitted CAs:
example.com. CAA 0 issue "letsencrypt.org"\nexample.com. CAA 0 issuewild "digicert.com"\nexample.com. CAA 0 iodef "mailto:security@example.com"
The issue tag authorises standard certificates, issuewild authorises wildcards, and iodef gives an address for violation reports. CAs are required by the CA/Browser Forum baseline requirements to honour CAA at issuance time. Set records at the domain apex; they apply to subdomains unless overridden.
Real-world example
An enterprise standardised on a single CA. By publishing a CAA record naming only that authority, an attempt to obtain a certificate from a different CA (through a compromised process) was automatically refused, and the security team received an iodef alert.
Why it matters
CAA records reduce the attack surface for certificate mis-issuance. Scanners note whether a CAA record is present as a certificate-hardening best practice.
How to fix it
Decide which certificate authority (or authorities) you use.
Add a
CAArecord at your domain apex with anissuetag for each authorised CA.Add
issuewildentries if you use wildcard certificates.Include an
iodefcontact so you are alerted to violations.Verify issuance still works before tightening further.
Best practices
Authorise only the CAs you actually use.
Keep CAA records in sync when you change certificate providers.
Add an iodef address to receive mis-issuance reports.
Common mistakes
Adding a CAA record that omits your real CA, breaking future renewals.
Forgetting
issuewildwhen you rely on wildcard certificates.Setting it once and never updating it after switching providers.
Frequently asked questions
Do CAA records affect existing certificates?
No. They are only checked at issuance and renewal time, so they do not revoke certificates already in use. They control future issuance.
Are CAA records required?
They are optional but recommended. When present, compliant CAs must honour them, adding meaningful protection against mis-issuance.
Put this into practice
See how your site scores with Plexa Trust — start with a free scan, then unlock the complete audit on Pro.
Scan your website free