What Is a CAA Record and Why Does It Matter for SSL?
CAA (Certification Authority Authorization, RFC 8659) is a DNS record type that states which certificate authorities (CAs) may issue TLS certificates for a domain name. If you publish no CAA record, any publicly trusted CA can issue for your domain, subject only to its own domain validation. With CAA, a compliant CA refuses a request from anyone who is not ordering through one of the CAs you listed, which reduces the risk of mistaken or fraudulent issuance. It is a constraint on future issuance, not on trust: certificates already issued stay valid, and a CA that ignores CAA is not stopped by it.
Key takeaways
- CAA is checked by CAs before issuance; the CA/Browser Forum Baseline Requirements have required publicly trusted CAs to check it since September 2017.
- Common property tags: issue (which CAs may issue certificates for the name), issuewild (which CAs may issue wildcard certificates for it), and iodef (a mailto: or https: URL where a CA can report a request that CAA rejected).
- List only the CAs you actually use (e.g. Let's Encrypt, the CA behind your CDN, or a commercial CA), and make sure any certificates a CDN or hosting provider obtains on your behalf are covered too.
- Our HTTPS report shows whether CAA is present and summarizes allowed issuers when visible in DNS.
How CAA works
You add CAA records at your DNS provider. Each record carries a flags byte, a tag, and a value. For issue and issuewild the value names a CA by the domain that CA publishes for this purpose (e.g. letsencrypt.org); the value ";" (no CA domain at all) forbids issuance entirely. Wildcard certificates are controlled with issuewild: if you set only issue, it governs wildcard requests as well, and if you add issuewild it takes precedence for wildcard requests and is ignored for everything else. Use the CA's published CAA domain rather than guessing, since a CA may recognise a domain other than its brand name, and some CAs also honour parameters after the domain (for example, restricting the validation method) that other CAs ignore.
Example (illustrative)
Your DNS UI might show a CAA record as three fields: flags 0, tag issue, value "letsencrypt.org"; in zone-file form the same record reads 0 issue "letsencrypt.org" after the owner name and the CAA type. Exact input syntax depends on the provider (some take the three fields separately, some take the whole string); use their CAA helper and the CA's published CAA domain. Leave flags at 0 unless the CA's documentation says otherwise: flag 128 marks the property as critical, so a CA that does not understand the tag must refuse to issue.
CAA and subdomains
A CA evaluates CAA by looking for a CAA record set at the requested name and, if there is none, at each parent name in turn up to the root, using the first set it finds (RFC 8659). So a CAA record set on example.com governs www.example.com and every deeper name that has no CAA record set of its own, while a record set on api.example.com replaces the parent's entirely for that name rather than adding to it. If a name is a CNAME (a CDN-fronted host, for instance), the CAA query follows the alias, so a CAA record set at the target is what the CA sees for that name. Test after any change, and well before a renewal is due, because a CAA mistake usually surfaces as a failed renewal.
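To make the lookup and the issue/issuewild rules above concrete, here is an added example (not HTTPS or Not's checker and not any CA's code) that evaluates CAA the way RFC 8659 describes against a small in-memory zone. The zone, the names, the CA domains and the critical tag futuretag are all constructed for illustration; the Let's Encrypt parameter after the CA domain follows the RFC 8657 syntax. It parses records in zone-file presentation format, climbs from the requested name to the first non-empty CAA set, applies issuewild precedence for wildcard requests, and refuses on a critical property it does not understand.

```python
"""Added example: RFC 8659 CAA evaluation over a constructed in-memory zone."""
import re
from dataclasses import dataclass

# Constructed sample zone: owner name -> CAA records in zone-file presentation
# format (flags, tag, quoted value). Names and CA domains are illustrative.
ZONE = {
    "example.com.": [
        '0 issue "letsencrypt.org; validationmethods=dns-01"',  # RFC 8657 parameter
        '0 issue "digicert.com"',
        '0 issuewild ";"',                                      # forbid all wildcards
        '0 iodef "mailto:security@example.com"',
    ],
    "api.example.com.": ['0 issue "digicert.com"'],              # replaces the parent's set
    "legacy.example.com.": ['128 futuretag "x"'],                # hypothetical critical tag
    "example.org.": ['0 iodef "mailto:hostmaster@example.org"'],  # CAA set with no issue tag
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # RFC 8659 section 4.1: issuer-critical flag bit


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


_CAA_RE = re.compile(r'^(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"$')


def parse_caa(text: str) -> CAARecord:
    """Parse one record in presentation format, e.g. '0 issue "letsencrypt.org"'."""
    m = _CAA_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a CAA record in presentation format: {text!r}")
    return CAARecord(int(m.group(1)), m.group(2).lower(), m.group(3))


def relevant_rrset(zone, name):
    """RFC 8659 section 3: climb from the name toward the root and use the first
    non-empty CAA RRset found. Returns (owner, records) or (None, [])."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        records = [parse_caa(r) for r in zone.get(owner, [])]
        if records:
            return owner, records
    return None, []


def issuer_domain(value):
    """issue/issuewild value is 'issuer-domain[; param=value ...]'; ';' alone names nobody."""
    return value.split(";", 1)[0].strip().lower()


def is_authorized(zone, fqdn, ca_domain):
    """Decide whether ca_domain may issue for fqdn ('*.name' is a wildcard request).
    Returns (allowed, reason)."""
    wildcard = fqdn.startswith("*.")
    base = fqdn[2:] if wildcard else fqdn       # the '*.' label is removed before lookup
    owner, records = relevant_rrset(zone, base)
    if not records:
        return True, "no CAA RRset found: any CA may issue"
    for r in records:
        if r.flags & CRITICAL and r.tag not in KNOWN_TAGS:
            return False, f"critical property '{r.tag}' at {owner} not understood"
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    # RFC 8659 section 4.3: issuewild wins for wildcard requests and is ignored
    # otherwise; without issuewild, issue applies to wildcard names as well.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, f"CAA at {owner} restricts nothing for this request"
    allowed = {issuer_domain(r.value) for r in applicable}
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} listed at {owner}"
    names = sorted(a for a in allowed if a) or "nobody"
    return False, f"{ca_domain} not in {names} at {owner}"


if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"), ("*.example.com", "letsencrypt.org"),
                     ("api.example.com", "letsencrypt.org"), ("*.api.example.com", "digicert.com"),
                     ("legacy.example.com", "digicert.com"), ("example.org", "letsencrypt.org")]:
        print(f"{name:22} {ca:18} {is_authorized(ZONE, name, ca)}")
```

Running it shows the cases the text warns about: www.example.com falls through to the example.com set, *.example.com is refused to everyone because of issuewild ";", api.example.com accepts only digicert.com because its own set replaces the parent's, *.api.example.com is allowed for digicert.com because that set has no issuewild, and a CAA set that carries only iodef restricts nothing.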
Check CAA on your domain
Run a free HTTPS check on HTTPS or Not; the report includes a CAA summary when DNS data is available.
Open HTTPS checker