CAA Record Checker & Generator
Check your domain's Certificate Authority Authorization records or generate new ones to control which CAs can issue certificates.
What are CAA Records?
CAA (Certificate Authority Authorization) is a DNS record type that allows domain owners to specify which certificate authorities (CAs) are permitted to issue SSL/TLS certificates for their domain. This helps prevent unauthorized certificate issuance.
CAA Record Tags
- issue — Specifies a CA authorized to issue certificates for the domain.
- issuewild — Specifies a CA authorized to issue wildcard certificates. Use issuewild ";" to deny all wildcard certs.
- iodef — Specifies a URL or email address for CAs to report policy violations.
Example CAA Records
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issuewild ";"
example.com. CAA 0 iodef "mailto:[email protected]"
Why CAA Matters
Without CAA records, any trusted CA can issue a certificate for your domain. While CAs are required to check CAA records before issuing certificates (per CA/Browser Forum rules), the absence of CAA records means no restrictions are in place. Adding CAA records is a simple but effective security measure.
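To see how a record set like the one above is evaluated, the following added example (not code from this tool) parses records in the five-field form shown on this page and decides whether a given CA may issue a regular or wildcard certificate. The function names, the sample mailbox, and the handling of the critical flag (value 128) are assumptions of the example; it evaluates one domain's record set and does not walk up to parent domains.

```python
import shlex

# Constructed sample, modelled on the example records above (mailbox is made up).
SAMPLE_ZONE = '''
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issuewild ";"
example.com. CAA 0 iodef "mailto:security@example.com"
'''

KNOWN_TAGS = ("issue", "issuewild", "iodef")

def parse_caa(zone_text):
    """Parse 'name CAA flags tag "value"' lines into (flags, tag, value) tuples."""
    records = []
    for line in zone_text.splitlines():
        fields = shlex.split(line)  # keeps the quoted value as a single field
        if len(fields) != 5 or fields[1].upper() != "CAA":
            continue  # skip blank lines and anything not in the five-field form
        records.append((int(fields[2]), fields[3].lower(), fields[4]))
    return records

def issuer_domain(value):
    """Return the CA domain from an issue/issuewild value; '' means no CA at all."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(records, ca_domain, wildcard=False):
    """Decide whether ca_domain may issue, given one domain's CAA record set."""
    # A record marked critical (flag 128) whose tag this code does not
    # understand must block issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    issue = [v for _, tag, v in records if tag == "issue"]
    issuewild = [v for _, tag, v in records if tag == "issuewild"]
    # Wildcard requests are governed by issuewild when present, otherwise by issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no restricting records: any CA may issue
    ca = ca_domain.strip().lower()
    return bool(ca) and ca in {issuer_domain(v) for v in relevant}

if __name__ == "__main__":
    recs = parse_caa(SAMPLE_ZONE)
    for ca, wild in [("letsencrypt.org", False), ("letsencrypt.org", True),
                     ("other-ca.example", False)]:
        print(ca, "wildcard" if wild else "regular", "->", may_issue(recs, ca, wild))
```

With the sample records, the named CA is allowed for regular certificates, every CA is refused for wildcards, and an empty record set allows any CA.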
CAA and Certificate Transparency
CAA works alongside Certificate Transparency (CT) logs. CAA prevents unauthorized issuance proactively, while CT logs help detect any certificates that were issued despite CAA restrictions.