Check Your CAA Record Instantly

Prevent unauthorized SSL/TLS certificate issuance and secure your domain with our fast and accurate CAA Checker.

Real-time CAA Checker
Please enter a valid domain name, without http:// prefix

What is a CAA Record?

A CAA (Certification Authority Authorization) record is a type of DNS record that tells which Certificate Authorities (CAs) are allowed to issue SSL/TLS certificates for a domain. CAA resource records help domain owners establish policies that permit specific CAs to issue TLS/SSL certificates for associated domains. As a domain owner, you can use CAA records to establish and maintain the security policies for both an entire domain and a specific hostname. You can view this as an umbrella policy for the policy subdomains, except when you establish a separate CAA Record for a specific subdomain.

How is a CAA Record Structured?

A CAA record consists of three key components:

Flag

A number (0 or 128) that defines whether the policy is critical.

Accelerated Incident Response

Tag

Specifies the type of policy (issue, issuewild, or iodef).

Value

The authorized CA or reporting email/URL.

Here are a few examples of what CAA records look like in practice:

CAA Record SyntaxWhat It Means
example.com. IN CAA 0 issue “letsencrypt.org”Only Let’s Encrypt can issue SSL/TLS certificates for example.com.
example.com. IN CAA 0 issuewild “digicert.com”This allows only DigiCert to issue wildcard certificates for example.com.
example.com. IN CAA 0 iodef “mailto:[email protected]This tells CAs to send alerts if an unauthorized certificate request is detected.

How Do CAA Records Work?

  • When you order a TLS/SSL certificate for a specific hostname, the CA refers to your DNS for CAA records for that subdomain. 
  • In case the CA finds a record for the specific hostname, the DNS query will stop, and that policy will be applied to the certificate order. 
  • If the CA doesn’t find a record for that specific hostname, the search for CAA records will continue at the parent domain. 
  • Then, if the CA finds a record for the entire domain, the parent domain’s policy will be applied to the certificate order for the specific hostname.
step one

A company requests an SSL/TLS certificate.

step two

The Certificate Authority checks the DNS for a CAA record.

step three

If a record exists, the CA verifies if they’re authorized.

– If no record exists, they proceed with the request.

step four

If unauthorized, the CA denies the request or sends an IODEF alert.

Why Use a CAA Checker?

A CAA (Certification Authority Authorization) checker helps you manage and verify which Certificate Authorities (CAs) are authorized to issue SSL/TLS certificates for your domain. Key benefits include:

  • Real-time CAA Record Lookup and Validation

    Instantly queries your DNS servers to retrieve up-to-date CAA records for accurate validation.

  • Prevent Unauthorized Certificate Issuance

    Stops hackers and unapproved CAs from issuing fraudulent SSL/TLS certificates, ensuring only legitimate ones are issued.

  • Ensure Compliance with Security Best Practices

    Validate CAA records against CA/Browser Forum Baseline Requirements to maintain regulatory compliance.

  • Strengthen Domain Security

    Reinforces your Public Key Infrastructure (PKI) by allowing only trusted CAs to issue certificates.

  • Identify Misconfigurations

    Detect missing or incorrect CAA records that could lead to security vulnerabilities.

  • Troubleshoot Issues Quickly

    Get detailed insights into tag values and CA permissions for efficient issue resolution.

  • Better SSL Certificate Management

    Enables regular monitoring and updating of CAA records for better control over SSL/TLS certificate issuance.

  • Easy-to-Use Interface with Instant Results

    Designed for both technical and non-technical users with no prior knowledge required.

Regularly using a CAA checker helps maintain a secure and compliant domain environment while preventing unauthorized certificate use.

How Our CAA Checker Works

PowerDMARC’s Certification Authority Authorization Checker is a powerful tool designed to enhance your domain’s security by verifying your CAA records. This verification process ensures that only authorized CAs can issue certificates for your domain.

Step 1: Sign up with PowerDMARC for free

Signing up with PowerDMARC provides a range of email authentication and DNS management tools at your disposal!

Step 2: Go to Analysis Tools > Lookup Tools > CAA Checker 

On the left-hand side menu bar, navigate to Analysis Tools and click on the Lookup Tools tab. Select the CAA checker from our list of lookup tools. 

Step 3: Enter Your Domain Name

Enter your company domain name (e.g. company.com) in the CAA record checker toolbox and hit the “Lookup” button.

caa-record-checker

Step 4: Review Authorized CAs 

Let the tool work its magic to display your list of CAs! Review authorized CAs and detect unauthorized ones easily. Our tool also highlights any related issues and the TTL corresponding to each certificate authority.

Step 5: Fix Any Issues

Review any issues in your CAA records to troubleshoot them promptly!

PowerDMARC’s Complete DNS & Email Security Suite

  • Beyond CAA Checking

    PowerDMARC offers hosted DMARC, Hosted SPF, Hosted DKIM, MTA-STS, TLS-RPT, and BIMI to avoid the hassle of manually implementing email authentication protocols and facing deliverability and authentication issues.

  • Seamless Integration

    Our Application Programmable Interface (PowerDMARC API) provides comprehensive control over your email authentication strategy. 

  • All-in-One Security Platform

    Our Application Programmable Interface (PowerDMARC API) provides comprehensive control over your email authentication strategy.

    • Extensive API endpoints for all features 
    • Automated configuration of email authentication protocols 
    • Smooth and hassle-free integration with third-party applications 
    • No necessity to change or update your current infrastructure
Take a tour

Frequently Asked Questions

If you don’t have a CAA record, any Certificate Authority (CA) can issue an SSL/TLS certificate for your domain. This increases the risk of unauthorized certificates being issued, which could lead to security vulnerabilities like phishing or man-in-the-middle attacks.

Yes, you can specify multiple CAs in your CAA record. This allows you to work with multiple trusted CAs while still restricting unauthorized ones from issuing certificates for your domain.

It’s a good practice to check your CAA records regularly, especially after making changes to your DNS settings or when onboarding a new CA. Regular checks ensure your records are correctly configured and compliant with security best practices.

A misconfigured CAA record can lead to SSL/TLS certificate issuance failures or unauthorized certificates being issued. Use PowerDMARC’s CAA Checker to identify and fix misconfigurations quickly, ensuring your domain remains secure.

Yes, PowerDMARC’s CAA Checker can validate CAA records for both your root domain and subdomains. It ensures that policies are correctly applied at every level, giving you complete control over certificate issuance.

 Secure Your SSL/TLS Certificates Today

Start 15-day trial Book a demo