What is a CAA record and how to configure it

What is a CAA record?

A Certification Authority Authorization (CAA) record is a DNS record that specifies which Certificate Authorities (CAs) are permitted to issue SSL/TLS certificates for your domain.

Without a CAA record, any of the hundreds of trusted CAs in the world can issue a certificate for your domain — with or without your knowledge. If a CA is compromised, tricked via a social engineering attack, or issues a certificate in error, an attacker could use the resulting certificate to impersonate your domain with a fully trusted HTTPS connection.

CAA records give you direct control over this. If a CA checks your DNS and its name is not in your CAA record, it must refuse to issue a certificate.


What to do

Step 1 — Decide which CAs you use

Common Certificate Authorities:

CA                      CAA value
Let's Encrypt           letsencrypt.org
DigiCert                digicert.com
Sectigo / Comodo        sectigo.com
GlobalSign              globalsign.com
Amazon (ACM)            amazon.com
Google Trust Services   pki.goog

Step 2 — Add CAA records to DNS

CAA records use the following format:

yourdomain.com  CAA  0 issue "letsencrypt.org"
  • 0 — Flag. Always 0 for standard use.
  • issue — Authorises issuance of standard certificates.
  • issuewild — Authorises issuance of wildcard certificates (e.g. *.yourdomain.com). If no issuewild record is present, the issue records also govern wildcard issuance, so specify issuewild separately only when the wildcard policy should differ.
  • iodef — Optional. A URL (mailto: or https:) the CA uses to notify you when it receives an issuance request that your CAA policy disallows.

Example: allow Let's Encrypt for standard certs, DigiCert for wildcards, and get notified on violations:

yourdomain.com  CAA  0 issue "letsencrypt.org"
yourdomain.com  CAA  0 issuewild "digicert.com"
yourdomain.com  CAA  0 iodef "mailto:security@yourdomain.com"

Step 3 — Verify

dig CAA yourdomain.com

ExposureIndex will monitor this and include its status in reports.


What happens if you accidentally lock yourself out?

If you publish a CAA record that does not include your current CA, your certificate renewals will start failing. This is recoverable — simply update the CAA record to add the correct CA. DNS propagates within minutes to hours, and renewals can then proceed normally.

To be safe, always check your CAA record before an upcoming certificate renewal.
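The issue/issuewild rules from Step 2 and the pre-renewal check from this section, as an added Python example that is not part of this article and not ExposureIndex code. It evaluates CAA the way a CA does under RFC 8659: closest-ancestor lookup, issuewild taking precedence over issue for wildcard names, an empty issuer value such as ";" authorising nobody, and the critical flag 128, which the article does not cover. The zone lines are constructed from the Step 2 example plus a hypothetical locked.yourdomain.com subdomain, and the parser also accepts the owner/TTL/IN/CAA answer lines that dig prints in Step 3.

```python
"""Offline evaluator for CAA policy, following the CA-side rules of RFC 8659.

Added example for the article above; it is not part of the article or of
ExposureIndex. Domain and CA names are the article's placeholders.
"""
import re

# Constructed sample: the Step 2 records plus a hypothetical subdomain whose
# issue ";" (empty issuer) forbids every CA, to show a more specific name
# overriding its parent's policy.
SAMPLE_ZONE = """
yourdomain.com  CAA  0 issue "letsencrypt.org"
yourdomain.com  CAA  0 issuewild "digicert.com"
yourdomain.com  CAA  0 iodef "mailto:security@yourdomain.com"
locked.yourdomain.com  CAA  0 issue ";"
"""

# Accepts the article's zone format and dig's answer lines, which insert an
# optional TTL and class: 'yourdomain.com. 3600 IN CAA 0 issue "letsencrypt.org"'.
_LINE = re.compile(
    r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+(\d+)\s+(\w+)\s+"([^"]*)"$')

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_caa(text):
    """Return {owner: [(flags, tag, value), ...]} from zone or dig lines."""
    records = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # skip blanks and dig comments
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("not a CAA record line: %r" % line)
        owner, flags, tag, value = m.groups()
        records.setdefault(owner.lower().rstrip("."), []).append(
            (int(flags), tag.lower(), value.strip()))
    return records


def relevant_record_set(records, name):
    """RFC 8659 section 3: the CAA set of the closest ancestor-or-self that has
    one decides; (None, []) means no ancestor has CAA, so nothing restricts."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if owner in records:
            return owner, records[owner]
    return None, []


def governing_tag(rrset, wildcard):
    """issuewild governs a wildcard name only when at least one issuewild
    record exists; otherwise the issue records apply to wildcards too."""
    if wildcard and any(tag == "issuewild" for _, tag, _ in rrset):
        return "issuewild"
    return "issue"


def _authorises(value, ca_domain):
    # The issuer domain is the text before any ';' parameters, e.g.
    # 'letsencrypt.org; validationmethods=dns-01'. Empty (";") means nobody.
    issuer = value.split(";", 1)[0].strip().lower()
    return issuer != "" and issuer == ca_domain.lower()


def may_issue(records, name, ca_domain, wildcard=False):
    """Would a CA named ca_domain be allowed to issue for name (or *.name)?"""
    _, rrset = relevant_record_set(records, name)
    if not rrset:
        return True
    # Critical flag (128) on a tag the CA does not understand forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    governing = [v for _, tag, v in rrset if tag == governing_tag(rrset, wildcard)]
    if not governing:
        return True  # no issue/issuewild property applies: unrestricted
    return any(_authorises(v, ca_domain) for v in governing)


def renewal_check(records, name, ca_domain, wildcard=False):
    """The 'check before renewal' from the lock-out section: 'ok' or a
    message naming the record that would unblock the renewal."""
    if may_issue(records, name, ca_domain, wildcard):
        return "ok"
    owner, rrset = relevant_record_set(records, name)
    tag = governing_tag(rrset, wildcard)
    return 'BLOCKED: CAA at %s does not authorise %s; add: %s CAA 0 %s "%s"' % (
        owner, ca_domain, owner, tag, ca_domain)


if __name__ == "__main__":
    recs = parse_caa(SAMPLE_ZONE)
    for nm, ca, wc in [("yourdomain.com", "letsencrypt.org", False),
                       ("yourdomain.com", "letsencrypt.org", True),
                       ("www.yourdomain.com", "digicert.com", False),
                       ("locked.yourdomain.com", "letsencrypt.org", False)]:
        print(("*." if wc else "") + nm, ca, renewal_check(recs, nm, ca, wc))
```

To check a live zone before a renewal, feed `dig +noall +answer CAA yourdomain.com` output to parse_caa instead of SAMPLE_ZONE and call renewal_check with the CA your ACME client or renewal job actually uses. The message it returns names the tag to add (issue or issuewild) because, once any issuewild record exists, adding another issue record does nothing for wildcard renewals.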


Last updated: March 28, 2026