Key Takeaways
- A CAA record defines which Certificate Authorities can issue SSL/TLS certificates for your domain.
- It prevents unauthorized certificate issuance, reducing the risk of phishing or impersonation attacks.
- DNS-based enforcement ensures that only listed CAs can validate and issue certificates for your site.
- It aligns with the goals of compliance frameworks like NIST and PCI DSS by demonstrating strong control over certificate management.
- Combined with SPF, DKIM, and DMARC, CAA creates a full-spectrum defense for your web and email security.
Imagine your domain as a private digital venue where every visitor needs proof they’re in the right place. Certificate Authority Authorization (CAA) acts as your domain’s exclusive guest list, determining which Certificate Authorities (CAs) can issue SSL/TLS certificates on your behalf.
Without this record, any CA could issue a certificate for your domain, potentially allowing impersonators to pose as you. A properly configured CAA record strengthens your site’s credibility, prevents unauthorized certificate issuance, and ensures your brand’s digital identity remains protected.
What is a CAA Record?
A CAA record is a simple entry in your DNS that acts as your personal, public bouncer’s list. It explicitly tells the world: “Only these specific, pre-approved Certificate Authorities are allowed to issue SSL/TLS certificates for my domain.”
This isn’t just a polite suggestion; it’s a mandatory rule for Certificate Authorities, as defined by the CA/Browser Forum Baseline Requirements. Each CA must check your CAA record before issuing a certificate, and if they’re not authorized, they must refuse issuance.
Why Is CAA Important?
In a world without attackers, an open-door policy would be fine. But the web is a bustling, chaotic city. A firm door policy, enforced by a CAA record, is essential for several reasons:
Prevents Impersonators
CAA records stop unauthorized CAs from issuing fraudulent certificates for your domain, which helps block digital con artists from setting up a convincing fake storefront next to yours.
Protects Your Reputation
A counterfeit certificate can be used in phishing attacks or “man-in-the-middle” schemes, linking your trusted brand to criminal activity. A CAA record is your first line of defense against this reputational damage.
Enforces Your Security Standards
You choose which CAs meet your security and vetting standards. CAA ensures that no one else, not a compromised partner, not a rogue employee, not a clever attacker, can bypass your choice.
It’s a Compliance Checkmark
For organizations adhering to strict security frameworks like NIST or PCI DSS, demonstrating control over certificate issuance isn’t just good practice; it is often a requirement.
How Does a CAA Record Work?
When a CA receives a certificate request for your domain, it checks your DNS for the CAA record. The record itself is a clear instruction, composed of three parts: a flag, a tag, and a value.
The CAA record follows this structure:
example.com. IN CAA <flag> <tag> <value>
Typically, the flag is 0, and multiple records can coexist, one for each authorization instruction.
- Flag: The flag is usually set to 0. However, setting it to 128 (the ‘critical’ flag) instructs the CA to refuse issuance if it doesn’t recognize the tag, adding another layer of safety.
- Tag: This is the specific instruction. There are three main commands:
- issue: Grants a CA permission to issue standard certificates.
- issuewild: Grants permission for wildcard certificates (e.g., *.example.com). This can be assigned to the same or a different CA than the issue tag.
- iodef: This is the “report an incident” instruction. It provides an email address where a CA can send a notice if someone tried to get a certificate from them without authorization.
- Value: This is the name of the authorized CA or the reporting email address.
| CAA Record Syntax | What It Means |
|---|---|
| example.com. IN CAA 0 issue "digicert.com" | “Only DigiCert can issue standard passes for this venue.” |
| example.com. IN CAA 0 issuewild "sectigo.com" | “For all-access wildcard passes, only Sectigo is on the list.” |
| example.com. IN CAA 0 iodef "mailto:[email protected]" | “If anyone else tries to get a pass, email the security manager immediately.” |
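To make the flag, tag and value semantics above concrete, here is an added Python example (not PowerDMARC’s checker or any CA’s code) that parses CAA records written in the zone-file syntax shown in the table and evaluates a certificate request the way RFC 8659 requires a CA to: it climbs from the requested name toward the root to find the relevant record set, applies issue or issuewild depending on whether the request is for a wildcard, treats a value of ";" as “no CA may issue”, and refuses when the critical flag (128) sits on a tag the CA does not understand. The zone data, the owner names, the address security@example.com and the helpers parse_caa_line, relevant_record_set, ca_may_issue and iodef_contacts are all constructed for this example.

```python
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0 normally; 128 sets the "issuer critical" bit
    tag: str     # issue, issuewild, iodef, or an unknown/future tag
    value: str   # issuer domain name or report URL (quotes stripped)


# Constructed sample zone-file text (example data, not a real zone).
ZONE_TEXT = """
example.com.        IN CAA 0   issue     "digicert.com"
example.com.        IN CAA 0   issuewild "sectigo.com"
example.com.        IN CAA 0   iodef     "mailto:security@example.com"
locked.example.com. IN CAA 0   issue     ";"
strict.example.com. IN CAA 128 customtag "x"
"""

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_caa_line(line):
    """Parse one line of the form <name> IN CAA <flag> <tag> "<value>"
    into (owner name, CAARecord). shlex handles the quoted value."""
    name, rrclass, rrtype, flags, tag, value = shlex.split(line)
    if rrclass.upper() != "IN" or rrtype.upper() != "CAA":
        raise ValueError(f"not a CAA record: {line!r}")
    return name.lower(), CAARecord(int(flags), tag.lower(), value)


def load_zone(text):
    zone = {}
    for line in text.strip().splitlines():
        name, rec = parse_caa_line(line)
        zone.setdefault(name, []).append(rec)
    return zone


ZONE = load_zone(ZONE_TEXT)


def lookup_caa(owner):
    """Stand-in for a real DNS query: returns the CAA RRset for an owner name."""
    return ZONE.get(owner.lower(), [])


def relevant_record_set(domain):
    """Walk from the requested name up toward the root and return the first
    non-empty CAA RRset (RFC 8659 section 3), or (None, []) if none exists."""
    labels = domain.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        rrset = lookup_caa(owner)
        if rrset:
            return owner, rrset
    return None, []


def ca_may_issue(domain, ca):
    """Decide whether the CA identified by issuer domain name `ca` (for
    example 'digicert.com') may issue for `domain`. A leading '*.' marks a
    wildcard request. Returns (allowed, reason)."""
    wildcard = domain.startswith("*.")
    if wildcard:
        domain = domain[2:]
    owner, rrset = relevant_record_set(domain)
    if not rrset:
        return True, "no CAA records found: any CA may issue"
    # Critical bit on a tag the CA does not understand: it must refuse.
    for r in rrset:
        if r.flags & 128 and r.tag not in KNOWN_TAGS:
            return False, f"critical unknown tag '{r.tag}' at {owner}"
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # Wildcard requests are governed by issuewild when present, else by issue.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, f"no applicable issue records at {owner}: any CA may issue"
    for r in applicable:
        # Value is "<issuer-domain>[; param=value ...]"; ";" alone names no CA.
        issuer = r.value.split(";", 1)[0].strip().lower()
        if issuer and issuer == ca.lower():
            return True, f"authorized by '{r.tag} {r.value}' at {owner}"
    return False, f"{ca} is not listed in the {owner} CAA records"


def iodef_contacts(domain):
    """Report URLs (mailto:/https:) a CA should notify about a refused request."""
    base = domain[2:] if domain.startswith("*.") else domain
    _, rrset = relevant_record_set(base)
    return [r.value for r in rrset if r.tag == "iodef"]


if __name__ == "__main__":
    for req, ca in [("www.example.com", "digicert.com"),
                    ("*.example.com", "digicert.com"),
                    ("*.example.com", "sectigo.com"),
                    ("app.locked.example.com", "digicert.com"),
                    ("strict.example.com", "digicert.com"),
                    ("other.org", "digicert.com")]:
        print(req, ca, ca_may_issue(req, ca))
```

To check a live domain, swap lookup_caa for a real resolver query (the output of `dig example.com CAA`, or a DNS library); the decision logic is unchanged. Note that a subdomain with no CAA records of its own inherits the parent’s policy through the climb, which is why the locked.example.com entry above also governs app.locked.example.com.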
Setting Up a CAA Record
Setting up a CAA record is done in your DNS management console.
1. Enter Your DNS: Log in to your domain registrar or DNS provider.
2. Post a New Rule: Find the area to add a new DNS record.
3. Write the Instruction:
- Type: CAA
- Host/Name: Your domain (e.g., example.com)
- Tag: Choose issue, issuewild, or iodef.
- Value: Enter the CA’s domain name in quotes (e.g., “digicert.com”).
- Flag: Set it to 0.
4. Publish and Verify: Save the record. DNS changes can take time to spread across the internet. Use PowerDMARC’s online CAA checker to ensure your policy is visible and correct.
How PowerDMARC Can Help
PowerDMARC’s Certification Authority Authorization Checker is the tool you use to inspect your own door policy. It’s a powerful, free utility designed to instantly verify your CAA records and confirm that only your chosen CAs are on the list.
Step 1: Sign up with PowerDMARC for free
Signing up gives you access to a whole suite of DNS and email authentication tools to keep your domain secure.
Step 2: Go to Analysis Tools > Lookup Tools > CAA Checker
From the main menu, navigate to our Analysis Tools. You’ll find the CAA Checker in the Lookup Tools tab.
Step 3: Enter Your Domain Name
Enter the domain you want to inspect (e.g., powerdmarc.com) into the toolbox and hit the “Lookup” button.
Step 4: Review the Authorized List
The tool will immediately query your DNS and display your active CAA policy. You can review the authorized CAs and easily spot any that shouldn’t be there. The tool also highlights the TTL (Time to Live) for each record.
Step 5: Fix Any Issues
If the checker flags any misconfigurations or unauthorized entries, you can use the detailed information to go back to your DNS provider and troubleshoot them.
Important: A good CAA checker will help you prevent unauthorized certificate issuance, boost domain security, identify and troubleshoot misconfigurations effectively, as well as ensure compliance and better SSL certificate management.
Rookie Mistakes to Avoid
- Typos on the List: Spelling a CA’s name incorrectly (“digicert.co” instead of “digicert.com”) will block them outright.
- Forgetting the iodef Report: Not telling your bouncer where to send incident reports means you’ll never know if someone is testing your security.
- One-Size-Fits-All Policies: If you use one CA for standard domains and another for wildcards, you need two separate records (issue and issuewild).
CAA and Other DNS Security Protocols
Your CAA record is your front-door security, but what about the mailroom? This is where other DNS security protocols come in. SPF, DKIM, and DMARC are the security team that inspects every piece of mail (email) sent from your domain, ensuring it’s not forged.
While CAA protects your web identity, DMARC protects your email identity. Together, they form a comprehensive security detail, ensuring that every digital interaction associated with your domain is authentic and trustworthy.
The Final Word
Take full control over who issues SSL/TLS certificates for your domain. A CAA record acts as your authorized list of approved Certificate Authorities and blocks anyone else from creating a certificate in your name.
This is a strong defense against phishing and brand impersonation attacks that can erode customer trust. But simply creating the record isn’t enough. To ensure it’s working correctly, regular verification is necessary. PowerDMARC provides the expert tools you need to not only check your CAA configuration but also to deploy a complete, multi-layered defense that integrates web and email security.
Don’t leave your certificate issuance process open to chance. Sign up with PowerDMARC today to use our free CAA Checker, validate your security posture, and gain complete visibility and control over your domain’s authentication protocols.
Frequently Asked Questions
What does a CAA record do?
A CAA record is a public policy in your DNS that declares which specific Certificate Authorities are permitted to issue SSL/TLS certificates for your domain.
Do I need a CAA record for my domain?
No, it is not mandatory for a website to function. But without one, any CA can issue a certificate for your domain if a request passes their validation. This creates a potential security risk.
Can I have multiple CAA records?
Absolutely. If you use more than one Certificate Authority, you simply create a separate issue or issuewild CAA record for each authorized provider.
What happens if I don’t set a CAA record?
If you have no CAA record, you are essentially telling the world you have no preference. This means any of the hundreds of CAs can issue a certificate for your domain, which significantly increases the surface area for potential mis-issuance, whether accidental or malicious.
What is CAA? Understanding Certificate Authority Authorization - October 10, 2025