What Are CAA Records? Certificate Authority Authorization Explained (2026)
CAA (Certificate Authority Authorization) records let domain owners specify exactly which certificate authorities are allowed to issue SSL/TLS certificates for their domain. This simple DNS record is one of the most effective defenses against unauthorized certificate issuance and domain impersonation.
What Is CAA?
CAA stands for Certificate Authority Authorization. Defined in RFC 8659 (which superseded the original RFC 6844), CAA is a DNS record type that allows domain owners to declare which certificate authorities (CAs) are permitted to issue certificates for their domain. Since September 2017, all publicly trusted CAs are required to check CAA records before issuing a certificate.
Without CAA records, any of the hundreds of publicly trusted CAs can issue a certificate for your domain. This means that if an attacker compromises a CA or tricks one into mis-issuing a certificate, they can obtain a valid certificate for your domain. CAA records reduce this attack surface by restricting issuance to only the CAs you explicitly authorize.
How CAA Records Work
When a certificate authority receives a request to issue a certificate for your domain, it performs a CAA lookup in DNS. The process works as follows:
- The CA queries the CAA record for the exact domain name (e.g., www.example.com).
- If no CAA record is found at that name, the CA walks up the DNS tree, checking example.com, then com, looking for a CAA record at each level.
- If a CAA record is found and the CA is listed in an issue or issuewild property, the CA may proceed with issuance.
- If a CAA record is found but the CA is not listed, the CA must refuse to issue the certificate and may notify the domain owner via the iodef contact.
- If no CAA record is found at any level (including the TLD), the CA may issue the certificate — the absence of CAA records is treated as open authorization.
CAA Record Syntax
A CAA record has three fields: flags, tag, and value. The general format is:
example.com. IN CAA <flags> <tag> "<value>"
The "issue" Tag
The issue tag authorizes a CA to issue standard (non-wildcard) certificates for the domain:
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issue "digicert.com"
This configuration allows only Let's Encrypt and DigiCert to issue certificates. All other CAs must refuse. You can list multiple issue records to authorize multiple CAs. To prevent all certificate issuance, use an empty issue tag:
example.com. IN CAA 0 issue ";"
The "issuewild" Tag
The issuewild tag specifically controls wildcard certificate issuance (certificates for *.example.com). If no issuewild record exists, the CA falls back to checking the issue tag for wildcard requests.
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issuewild ";"
This allows Let's Encrypt to issue standard certificates but prohibits all wildcard certificates. This is a useful security measure since wildcard certificates have a broader scope and represent a greater risk if compromised.
The "iodef" Tag
The iodef (Incident Object Description Exchange Format) tag specifies where CAs should send reports when a certificate request violates your CAA policy:
example.com. IN CAA 0 iodef "mailto:security@example.com"
example.com. IN CAA 0 iodef "https://example.com/caa-report"
While not all CAs support iodef reporting, setting it up provides an early warning system if someone attempts to obtain an unauthorized certificate for your domain.
The Flags Field
The flags field is a single unsigned integer. Currently, only one flag bit is defined:
- 0 (non-critical): The CA may proceed even if it does not understand the tag. This is the standard value for issue, issuewild, and iodef.
- 128 (critical): If the CA does not understand the tag, it must refuse to issue. This is used for future or custom tags to ensure CAs that do not support them fail closed.
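The lookup walk, the issue/issuewild precedence and the critical flag described above, as an added example that is not part of the original article: a small RFC 8659-style evaluator over a constructed in-memory zone (the zone contents, the hypothetical futuretag record, and the omission of CNAME handling are assumptions of this example, not real DNS data).

```python
from typing import Dict, List, Optional, Tuple
# Constructed sample zone (not real DNS data): owner name -> [(flags, tag, value)]
ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    # Hypothetical subdomain carrying an unknown tag with the critical bit set
    "strict.example.com.": [(128, "futuretag", "x")],
}
KNOWN_TAGS = ("issue", "issuewild", "iodef")

def relevant_rrset(zone, name: str) -> Optional[List[Tuple[int, str, str]]]:
    """Climb from name toward the root and return the first CAA RRset found."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zone:
            return zone[candidate]
    return None  # no CAA record at any level: issuance is unrestricted

def ca_matches(value: str, ca: str) -> bool:
    """'digicert.com; account=1' matches 'digicert.com'; ';' matches no CA."""
    ident = value.split(";", 1)[0].strip().lower()
    return ident != "" and ident == ca.lower()

def may_issue(zone, fqdn: str, ca: str, wildcard: bool = False) -> Tuple[bool, str]:
    """Decide whether `ca` may issue for fqdn (or *.fqdn when wildcard=True)."""
    rrset = relevant_rrset(zone, fqdn)
    if rrset is None:
        return True, "no CAA records found"
    for flags, tag, _ in rrset:  # critical bit on an unknown tag: fail closed
        if flags & 128 and tag not in KNOWN_TAGS:
            return False, f"unknown critical tag '{tag}'"
    tags = [t for _, t, _ in rrset]
    if wildcard and "issuewild" in tags:
        use = "issuewild"  # issuewild overrides issue for wildcard requests
    elif "issue" in tags:
        use = "issue"  # issue governs both when no issuewild record exists
    else:
        return True, "no issue/issuewild property in relevant RRset"
    if any(ca_matches(v, ca) for _, t, v in rrset if t == use):
        return True, f"authorized by {use}"
    return False, f"{ca} not listed in {use}"

def iodef_contacts(zone, fqdn: str) -> List[str]:
    """Where a CA should report a policy violation, per the relevant RRset."""
    return [v for _, t, v in (relevant_rrset(zone, fqdn) or []) if t == "iodef"]
```

With this zone, www.example.com inherits the example.com policy, so Let's Encrypt may issue a standard certificate but no CA may issue a wildcard, and a request to strict.example.com is refused because of the unknown critical tag.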
Why CAA Records Matter for Security
CAA records are a defense-in-depth measure that addresses real-world certificate mis-issuance. Consider these scenarios:
- CA compromise. If a certificate authority is compromised (as happened with DigiNotar in 2011), attackers can only issue certificates for domains that authorize that CA in their CAA records.
- Social engineering. An attacker who tricks a CA into issuing a certificate via domain validation will be blocked if the target domain's CAA record does not list that CA.
- Internal policy enforcement. CAA records ensure that only your approved CAs can issue certificates, preventing departments or individuals from using unauthorized CAs.
CAA works alongside other certificate security mechanisms like Certificate Transparency (CT) logs, which provide post-issuance monitoring, and DANE TLSA records, which pin certificates in DNS. Together, these mechanisms create multiple layers of protection against certificate-based attacks.
Setting Up CAA Records
Here is a recommended CAA configuration for a domain using Let's Encrypt with violation reporting:
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issuewild "letsencrypt.org"
example.com. IN CAA 0 iodef "mailto:security@example.com"
To add CAA records, log into your DNS provider (Cloudflare, Route 53, Namecheap, etc.) and add CAA record types. Most modern DNS providers have dedicated CAA record support with form fields for the flags, tag, and value. After adding records, verify them using our CAA Checker.
Common CA Identifiers
Here are the CAA identifiers for the most popular certificate authorities:
- letsencrypt.org — Let's Encrypt
- digicert.com — DigiCert (includes GeoTrust, Thawte, RapidSSL)
- sectigo.com — Sectigo (formerly Comodo CA)
- globalsign.com — GlobalSign
- amazon.com — Amazon Trust Services (ACM)
- pki.goog — Google Trust Services
- comodoca.com — Comodo CA (legacy identifier)
How to Check Your CAA Records
Use our free tools to verify your CAA configuration:
- CAA Checker — View all CAA records for a domain, including issue, issuewild, and iodef tags.
- SSL Checker — Verify your current certificate and its issuing CA matches your CAA policy.
- DNS Lookup — Query any DNS record type including CAA for any domain.