How to Check and Set Up CAA Records
CAA (Certificate Authority Authorization) records let you control which certificate authorities are allowed to issue SSL/TLS certificates for your domain. Without them, any CA can issue a certificate, leaving your domain vulnerable to unauthorized issuance. CAA records are a simple but effective security layer that every domain owner should configure.
Check your CAA records now
Use our free CAA Checker to see which certificate authorities are authorized for your domain.
Step 1: Check Existing CAA Records
Start by querying your domain's current CAA records. Use the CAA Checker or run a DNS query from the command line:
dig example.com CAA +short
# or
nslookup -type=caa example.com
If no records are returned, your domain has no CA restrictions and any certificate authority can issue certificates for it.
Step 2: Identify Your Certificate Authority
Determine which CA issues your current certificates. Common CAs and their CAA identifiers include:
- Let's Encrypt: letsencrypt.org
- DigiCert: digicert.com
- Sectigo (Comodo): sectigo.com
- Google Trust Services: pki.goog
Step 3: Create Your CAA Records
Add CAA records in your DNS provider's control panel. A typical setup authorizes one CA for standard and wildcard certificates and specifies where CAs should report issuance requests that violate the policy:
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issuewild "letsencrypt.org"
example.com. IN CAA 0 iodef "mailto:security@example.com"
- issue: Authorizes a CA to issue standard (non-wildcard) certificates.
- issuewild: Authorizes a CA to issue wildcard certificates.
- iodef: Specifies where violation reports should be sent.
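To see how a CA applies these records before issuing, here is an added Python example (not part of the original article or any checker tool) that parses CAA records in the form dig +short prints them and applies the RFC 8659 rules: walk from the requested name toward the root to the first owner name with CAA records, let issuewild override issue for wildcard names, and treat a bare ";" as denying every CA. The zone data is constructed sample input, not real DNS.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample zone: CAA RRsets per owner name, written the way
# `dig <name> CAA +short` prints them (not real DNS data).
SAMPLE_ZONE: Dict[str, List[str]] = {
    "example.com.": [
        '0 issue "letsencrypt.org"',
        '0 issuewild "digicert.com"',
        '0 iodef "mailto:security@example.com"',
    ],
    "locked.example.com.": ['0 issue ";"'],  # ";" alone: no CA may issue
}
CAA_RE = re.compile(r'^(\d+)\s+(\S+)\s+"(.*)"$')

def parse_caa(line: str) -> Tuple[int, str, str]:
    """Parse one `dig +short` CAA line into (flags, tag, value)."""
    m = CAA_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3)

def relevant_caa(name: str, zone: Dict[str, List[str]]) -> List[Tuple[int, str, str]]:
    """RFC 8659 lookup: walk from `name` toward the root and return the first
    non-empty CAA RRset. A wildcard name (*.x) is evaluated starting at x."""
    labels = name.rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels) + ".", [])
        if rrset:
            return [parse_caa(r) for r in rrset]
        labels = labels[1:]
    return []

def ca_may_issue(name: str, ca: str, zone: Dict[str, List[str]]) -> bool:
    """True if the CA identified by `ca` (e.g. letsencrypt.org) may issue for `name`."""
    records = relevant_caa(name, zone)
    if not records:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    wildcard = name.startswith("*.")
    has_issuewild = any(tag == "issuewild" for _, tag, _ in records)
    tag_wanted = "issuewild" if wildcard and has_issuewild else "issue"
    allowed = [value for _, tag, value in records if tag == tag_wanted]
    if not allowed:
        return True  # no issue/issuewild property applies: nothing restricts this request
    # A value may carry parameters after ';' ("ca.example; account=1");
    # the CA name is the part before it, and an empty name denies everyone.
    names = {value.split(";", 1)[0].strip().lower() for value in allowed}
    return ca.lower() in names
```

Feeding real dig output into parse_caa and ca_may_issue lets you confirm that a planned certificate request from your CA would pass before you rely on the records.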
Step 4: Test and Verify
After publishing your CAA records, verify them using the CAA Checker. Confirm that only your intended CA is listed. Then test by requesting a new certificate to make sure issuance still works. Also run the TXT Lookup tool to ensure no conflicting records exist.
Step 5: Maintain Your CAA Records
Whenever you switch certificate providers, update your CAA records before requesting certificates from the new CA. If you use multiple CAs (for example, one for your website and another for your mail server), add an issue record for each. Review CAA records quarterly as part of your DNS hygiene routine.
Frequently Asked Questions
What happens if I don't have a CAA record?
Without a CAA record, any certificate authority can issue an SSL/TLS certificate for your domain. This increases the risk of unauthorized certificate issuance through social engineering or CA compromise.
Can CAA records break my website?
CAA records only affect certificate issuance, not website traffic. However, if you specify the wrong CA and then try to renew or issue a certificate from a different CA, the issuance will be blocked until you update the CAA record.
Do CAA records affect email delivery?
CAA records do not directly affect email delivery. However, they protect the TLS certificates used to encrypt SMTP connections. If your mail server's certificate cannot be renewed due to a misconfigured CAA record, TLS-dependent connections may fail.