Skip to main content

Fix Guides

How to Fix a Missing CAA Record

Restrict which certificate authorities may issue TLS certs for your domain.

Quick fix

To fix a missing CAA record, add DNS CAA records at your domain apex authorising only the CAs you use — e.g. 0 issue "letsencrypt.org" for Let's Encrypt. Include issuewild if you use wildcard certs. Re-scan after propagation; ensure you did not block your actual CA or renewals will fail.

CAA (Certification Authority Authorization) records tell certificate authorities which ones may issue TLS certificates for your domain. Adding them closes a mis-issuance attack path and is a certificate-hardening best practice flagged when absent.

Check your website

See how your site handles how to fix a missing caa record — free, no account needed.

Business impact

A fraudulently issued certificate for your domain could let an attacker impersonate your site convincingly. CAA is a low-effort control: you whitelist your real CA, and compliant authorities refuse unauthorised issuance attempts.

Why this happens

CAA is "missing" when no CAA records exist at the domain apex. Without CAA, any compliant CA may issue for your domain (subject to their own validation). With CAA, only listed CAs may issue — if you omit your actual CA, renewals fail. Add records for standard certs (issue) and wildcards (issuewild) separately; optional iodef sends violation reports to an email address.

How to confirm the issue

Manually: run dig yourdomain.com CAA or use an SSL Labs / CAA lookup tool. No CAA section means records are missing.

With Plexa Trust: certificate-hardening checks note absent CAA. After adding records, re-scan to confirm the finding clears.

Step-by-step fix

  1. Identify which CA issues your certificates (Let's Encrypt, DigiCert, Sectigo, Cloudflare, etc.).

  2. At your DNS apex, add a CAA record: flag 0, tag issue, value your CA domain in quotes.

  3. If you use wildcard certificates, add a separate issuewild record for the same CA.

  4. Optionally add iodef mailto:security@yourdomain.com for violation alerts.

  5. Verify with a CAA lookup tool before your next renewal window.

  6. Re-scan to confirm the finding is resolved.

Platform-specific fixes

Let's Encrypt

  1. Add: 0 issue "letsencrypt.org" at the apex.

  2. For wildcards: 0 issuewild "letsencrypt.org".

  3. Let's Encrypt checks CAA before every issuance and renewal.

Cloudflare (Universal SSL)

  1. Cloudflare may add CAA automatically when proxying — check DNS for existing CAA records.

  2. If managing manually: authorise digicert.com (Cloudflare's backing CA) or your custom CA.

  3. Do not block the CA Cloudflare uses for your edge certificates.

DigiCert / commercial CA

  1. Add: 0 issue "digicert.com" (or your CA's issue domain from their docs).

  2. Include issuewild if you purchase wildcard certs.

  3. Coordinate with your security team before restricting CAs on shared infrastructure.

Cloudflare DNS / Route 53 / registrars

  1. Record type CAA (not TXT). Name @ or apex.

  2. Format: flags tag value — e.g. 0 issue "letsencrypt.org".

  3. Multiple CAA records are allowed for different tags (issue vs issuewild vs iodef).

How to verify the fix

  • List every CA that legitimately issues for your domain — including staging and backup CAs.

  • Update CAA when you change certificate providers.

  • Add iodef to receive alerts if someone attempts unauthorised issuance.

  • Test renewal in staging before tightening CAA on production.

Common mistakes

  • Authorising the wrong CA name (typo breaks renewal).

  • Adding CAA that omits your real CA — certificates stop renewing.

  • Forgetting issuewild when you rely on wildcard certs.

  • Putting CAA on a subdomain when apex issuance is what you need to control.

Frequently asked questions

Are CAA records required?

No, but recommended. When present, compliant CAs must honour them — adding meaningful protection.

Do CAA records affect existing certificates?

No. They are checked only at new issuance and renewal time.

What CA name do I use for Let's Encrypt?

letsencrypt.org in the issue tag — check your CA's documentation for the exact string.

Can I allow multiple CAs?

Yes. Add separate CAA records with issue tags for each authorised CA.

What is issuewild?

Controls wildcard certificate issuance (*.example.com). Separate from the issue tag for standard certs.

What happens if CAA blocks my CA?

Renewal fails with a CAA error. Fix the record before the cert expires to avoid downtime.

Does CAA work with Cloudflare proxy?

CAA is checked at issuance. Cloudflare-managed certs need the backing CA authorised in CAA.

How do I confirm CAA is correct?

Use dig or an online CAA checker; schedule a test renewal if possible; re-scan with Plexa Trust.

Think you've fixed it?

Run a free scan to verify the issue is resolved. Upgrade to Pro on Plexa Trust for the full audit, monitoring alerts, and score history.

Verify with a free scan

Upgrade to Pro for monitoring