What Is a CAA Record (Certificate Authority Authorization)?
A CAA (Certificate Authority Authorization) record is a DNS record, defined in RFC 8659 (originally RFC 6844), that lists which Certificate Authorities (CAs) are allowed to issue SSL/TLS certificates for a domain. It is a security control that reduces the risk of certificate mis-issuance: a CA that follows the rules must refuse to issue for a name whose CAA policy does not name it.
How CAA Records Work
When a Certificate Authority receives a request to issue a certificate for a name, it looks up CAA records for that exact name first; if none exist, it checks the parent domain, then the grandparent, and so on up to the root. The first CAA record set it finds is the one that applies, so a record at example.com covers www.example.com unless www.example.com publishes its own. If the applicable record set exists and the CA is not listed as an authorized issuer, the CA must refuse to issue the certificate. The check happens only at issuance time: browsers and other TLS clients never consult CAA, so it cannot revoke or block a certificate that has already been issued.
A CAA record has three fields: a flags byte (normally 0; the value 128 sets the "issuer critical" bit, which tells a CA that does not understand the tag that it must not issue), a tag (issue, issuewild or iodef), and a value. For issue and issuewild the value is the issuer domain name the CA publishes for this purpose, optionally followed by ;parameter=value pairs, and the special value ";" (an empty issuer name) authorizes no CA at all. In zone-file form: example.com. IN CAA 0 issue "letsencrypt.org"
Why CAA Records Matter
Without a CAA record, any publicly trusted Certificate Authority can issue a certificate for your domain once it passes the CA's domain-validation check. This creates risk: a compromised or rogue CA, or one whose validation was tricked, could issue a fraudulent certificate that enables man-in-the-middle attacks against your users. CAA records reduce this attack surface by limiting issuance to the CAs you explicitly trust, and they also catch mistakes inside your own organisation, such as a team ordering a certificate from a CA your policy does not cover.
CAA Record Tags
The issue tag authorizes a CA to issue certificates for the name (and, by default, wildcard certificates too). issuewild, when present, overrides issue for wildcard requests only, so 0 issuewild ";" allows ordinary certificates from the CAs in your issue records while forbidding wildcards from everyone. The iodef tag gives a mailto: or https: URL where a CA may report a request it refused because of your policy; reporting is optional for the CA, so treat iodef as a courtesy rather than a guaranteed alert. A name may carry several records of each tag, for example one issue record per CA you use.
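The following is an added example, not code from the original page or from any CA, that models the CA-side decision described above: parse CAA records from their zone-file form, climb from the requested name toward the root until a CAA record set is found, then apply the issue/issuewild rules. The ZONE table is constructed data standing in for live DNS, and CNAME handling from RFC 8659 is omitted; everything else follows the rules the article states.

```python
from __future__ import annotations

from dataclasses import dataclass

ISSUER_CRITICAL = 128  # bit 7 of the flags octet


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0, or 128 for issuer-critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # tag-specific value with the surrounding quotes removed


def parse_caa(presentation: str) -> CAARecord:
    """Parse the zone-file form of CAA RDATA, e.g. 0 issue "letsencrypt.org"."""
    flags, tag, value = presentation.split(None, 2)   # value may contain spaces
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


# Constructed zone data (an assumption for this example): each name that owns
# a CAA record set maps to its records in presentation format.
ZONE = {
    "example.com": [
        '0 issue "letsencrypt.org"',
        '0 issuewild ";"',                       # no wildcard certs from anyone
        '0 iodef "mailto:security@example.com"',
    ],
    "legacy.example.com": ['0 issue "digicert.com"'],
    "locked.example.com": ['0 issue ";"'],      # no certificates for this name
}


def relevant_rrset(fqdn: str) -> tuple[str | None, list[CAARecord]]:
    """Climb from the name toward the root; the first CAA record set found applies."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in ZONE:
            return name, [parse_caa(r) for r in ZONE[name]]
    return None, []


def issuer_domain(rec: CAARecord) -> str:
    """Issuer domain name from an issue/issuewild value, dropping any
    ';key=value' parameters. The bare value ';' yields '' (nobody)."""
    return rec.value.split(";", 1)[0].strip().lower()


def may_issue(ca: str, requested_name: str) -> tuple[bool, str]:
    """Decide whether issuer domain `ca` may issue for `requested_name`
    (which may start with '*.' for a wildcard request)."""
    wildcard = requested_name.startswith("*.")
    lookup = requested_name[2:] if wildcard else requested_name   # *.x is looked up as x
    found_at, rrset = relevant_rrset(lookup)
    if not rrset:
        return True, "no CAA record set at the name or any ancestor; issuance unrestricted"
    known = {"issue", "issuewild", "iodef"}
    for rec in rrset:
        if rec.flags & ISSUER_CRITICAL and rec.tag not in known:
            return False, f"unknown critical tag {rec.tag!r} at {found_at}"
    # issuewild governs wildcards only when present; otherwise issue applies to them too
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    props = [r for r in rrset if r.tag == tag]
    if not props:   # e.g. only an iodef record: CAA does not restrict issuance
        return True, f"CAA at {found_at} has no {tag} property; issuance unrestricted"
    allowed = {issuer_domain(r) for r in props}
    if ca.lower() in allowed:
        return True, f"{ca} authorized by {tag} at {found_at}"
    return False, f"{ca} not among {sorted(allowed)} at {found_at}"


if __name__ == "__main__":
    for ca, name in [("letsencrypt.org", "www.example.com"),
                     ("digicert.com", "www.example.com"),
                     ("letsencrypt.org", "*.example.com"),
                     ("letsencrypt.org", "legacy.example.com"),
                     ("digicert.com", "*.legacy.example.com"),
                     ("letsencrypt.org", "locked.example.com"),
                     ("letsencrypt.org", "www.other.net")]:
        ok, why = may_issue(ca, name)
        print(f"{'ISSUE ' if ok else 'REFUSE'} {ca:16} {name:24} {why}")
```

Two behaviours in the output are worth noticing: legacy.example.com's own record replaces (rather than merges with) the parent's, so Let's Encrypt is refused there even though example.com permits it; and *.legacy.example.com falls back to that name's issue record because no issuewild exists at the closest record set.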
Frequently Asked Questions
What happens if no CAA record exists?
If no CAA record exists for a domain, any Certificate Authority is permitted to issue certificates for it. Adding a CAA record restricts issuance to only the CAs you explicitly authorize.
Are CAA records mandatory?
Publishing CAA records is optional for domain owners, but since 8 September 2017 the CA/Browser Forum Baseline Requirements (Ballot 187) have required every publicly trusted CA to check CAA before issuing. Without a record, any such CA can issue certificates for your domain.
Can CAA records prevent all unauthorized certificate issuance?
No. CAA only stops compliant CAs: a compromised CA, or one that skips the check, can still mis-issue, and the record has no effect on certificates that already exist. Because the check is a DNS lookup, an attacker who can forge the answers the CA's resolver receives can make your restriction disappear, so sign the zone with DNSSEC so that a validating resolver rejects spoofed responses. Finally, monitor Certificate Transparency (CT) logs for your names, since CT detects any certificate that gets issued, however it happened, whereas CAA can only prevent.