What Is A CAA Record?

A CAA record tells the world's certificate authorities which of them are allowed to issue certificates for your domain. Cheap insurance against mis-issuance.

By Cody · 5 min read · Published

What CAA does

A CAA — Certification Authority Authorization — record names the certificate authorities that are allowed to issue certificates for a domain. It is a DNS record type, published in your zone and defined in RFC 8659.

Before a CA issues a certificate, it is required by the CA/Browser Forum baseline requirements to look up CAA for the name it is about to certify. If a relevant CAA record set exists and does not name that CA, issuance must fail.

CAA is a policy expressed in DNS, enforced by every public CA, audited by the WebPKI ecosystem. It costs you one DNS record.

What a CAA record looks like

The record has three parts: a flag, a tag, and a value.

example.com.   3600   IN   CAA   0   issue       "letsencrypt.org"
example.com.   3600   IN   CAA   0   issuewild   "letsencrypt.org"
example.com.   3600   IN   CAA   0   iodef       "mailto:security@example.com"

  • Flag — almost always 0. The non-zero “critical” flag exists but is rarely used in practice.
  • Tag — issue, issuewild, or iodef.
  • Value — the CA's registered identifier (e.g. letsencrypt.org, digicert.com, sectigo.com, amazon.com) or a mailto: address for iodef.

issue vs issuewild — why the split matters

issue authorizes regular certificates. issuewild authorizes wildcard certificates, which are more dangerous because one compromised wildcard covers every subdomain.

If you set only issue and no issuewild, wildcard requests fall through to the issue rules. If you explicitly do not want wildcards, set:

example.com.   IN   CAA   0   issuewild   ";"

The semicolon value means “no CA may issue wildcards.” This is the right default for most domains.

Multiple CAs, account binding, and Let's Encrypt

Authorizing more than one CA is fine — just list them on multiple records. A typical setup with managed email + Let's Encrypt:

example.com.   IN   CAA   0   issue   "letsencrypt.org"
example.com.   IN   CAA   0   issue   "amazon.com"
example.com.   IN   CAA   0   issuewild  ";"
example.com.   IN   CAA   0   iodef   "mailto:security@example.com"

CAA also supports an accounturi= parameter, appended to the issue value after a semicolon, which scopes issuance to a specific Let's Encrypt account. That turns CAA from “Let's Encrypt may issue” into “only this specific Let's Encrypt account may issue.” Worth the extra paranoia for sensitive domains.

Verifying CAA

Use this site's DNS lookup with type CAA, or:

dig +short CAA example.com
0 issue "letsencrypt.org"
0 issuewild ";"
0 iodef "mailto:security@example.com"

If CAA is empty, every CA is allowed to issue — the WebPKI default. That is fine for many domains and dangerous for high-value ones.

When you do publish CAA, verify afterward that a real issuance still succeeds: request a new short-lived certificate from your usual CA and confirm it is issued. If issuance is now blocked, the record names the wrong CA.
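Before the live issuance test, it helps to predict what the CA's check will decide. The following is an added example, not code from this page or from any CA: it simulates the RFC 8659 lookup (walk from the exact name up through its parents, use issuewild for wildcard requests when present, otherwise fall through to issue, treat a bare ";" as "no CA") against a constructed zone. The zone data, the dev.example.com and mail.example.com names, and the accounturi value are assumptions made up for the example.

```python
# Added example (not the page's or any CA's code): simulate the RFC 8659
# CAA check against a constructed zone before testing with a real CA.

# Constructed sample zone, not real DNS data: name -> [(flags, tag, value)].
# The accounturi on the amazon.com record is a hypothetical placeholder.
ZONE = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "amazon.com; accounturi=https://acme.example/acct/123"),
        (0, "issuewild", ";"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    "dev.example.com.": [(0, "issue", "digicert.com")],
    "mail.example.com.": [(0, "iodef", "mailto:security@example.com")],
}

def relevant_rrset(name, zone):
    """First CAA RRset found walking from the exact name up through each
    parent (RFC 8659 section 4.1), or None if no ancestor publishes CAA."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return None

def parse_value(value):
    """Split 'ca.example; k=v' into (identifier, params); a bare ';' yields
    an empty identifier, which authorizes no CA at all."""
    ident, *raw = [p.strip() for p in value.split(";")]
    params = dict(p.split("=", 1) for p in raw if "=" in p)
    return ident.lower(), {k.strip().lower(): v.strip() for k, v in params.items()}

def issuance_allowed(name, ca_id, account_uri=None, zone=ZONE):
    """True if ca_id may issue for name; a leading '*.' marks a wildcard request."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name, zone)
    if rrset is None:
        return True  # no CAA anywhere up the tree: WebPKI default, any CA may issue
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # issuewild present: it alone governs wildcard requests
    governing = [v for _, t, v in rrset if t == tag]  # else wildcards fall through to issue
    if not governing:
        return True  # e.g. only iodef published: nothing restricts this request
    for value in governing:
        ident, params = parse_value(value)
        if ident == ca_id.lower() and params.get("accounturi", account_uri) == account_uri:
            return True
    return False
```

Note that a subdomain with its own CAA (dev.example.com here) is governed by that record set alone; the apex records are not consulted for it.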

Common production CAA set

Example input: example.com

Example result:
example.com. 3600 IN CAA 0 issue       "letsencrypt.org"
example.com. 3600 IN CAA 0 issue       "amazon.com"
example.com. 3600 IN CAA 0 issuewild   ";"
example.com. 3600 IN CAA 0 iodef       "mailto:security@example.com"

This allows two CAs to issue regular certs, blocks any wildcard issuance, and emails security@ when something gets denied.

FAQ

Do I need a CAA record?

Strictly no — certificates still issue without one. Practically yes — it is a tiny configuration change that meaningfully reduces the blast radius of a compromised account at a CA you do not use. Almost every domain owner should publish at least one CAA record.

Does CAA stop my existing certificates from working?

No. CAA only affects issuance of new certificates. Certificates that have already been issued continue to validate normally, regardless of what CAA says today.

Where do I publish the CAA record?

On the same name you want to protect, or any parent of it. The CA looks for CAA at the exact name first and then walks up through each parent, so a CAA at example.com applies to www.example.com unless www.example.com publishes its own CAA. Most teams set it at the apex and let inheritance cover everything below.

Which CAA tag do I need?

Three tags exist: issue (allow issuance of regular certs), issuewild (allow issuance of wildcard certs — separate from issue), and iodef (where to email reports of failed issuance). Most setups use issue (and issuewild if you use wildcards). iodef is optional but cheap to add.

What happens if I list the wrong CA?

Issuance from any CA you did not list will fail. The CA logs the failure and, if iodef is set, emails you. Recover by adding the correct CA to the record and waiting one CAA TTL for caches to clear.

Last reviewed: 2026-05-14.