Key Takeaways
- A CAA record defines which Certificate Authorities can issue SSL/TLS certificates for your domain.
- It prevents unauthorized certificate issuance, reducing the risk of phishing or impersonation attacks.
- DNS-based enforcement ensures that only listed CAs can validate and issue certificates for your site.
- It aligns with the goals of compliance frameworks like NIST and PCI DSS by demonstrating strong control over certificate management.
- Combined with SPF, DKIM, and DMARC, CAA creates a full-spectrum defense for your web and email security.
A Certificate Authority Authorization (CAA) record is a DNS record type that allows domain owners to specify which Certificate Authorities (CAs) are permitted to issue SSL/TLS certificates for their domain. In simple terms, it acts as a control mechanism that limits certificate issuance to trusted providers, reducing the risk of unauthorized or fraudulent certificates.
If you’re asking what is a CAA record, it’s essentially a way to protect your domain’s digital identity at the DNS level. Without a CAA record in place, any trusted CA can issue a certificate for your domain, which could enable impersonation or misuse. A properly configured CAA record strengthens site credibility, prevents unauthorized certificate issuance, and adds an important layer of security to your overall domain protection strategy.
What is a CAA Record?
A CAA record is a simple entry in your DNS that acts as your personal, public bouncer’s list. It explicitly tells the world: “Only these specific, pre-approved Certificate Authorities are allowed to issue SSL/TLS certificates for my domain.”
This isn’t just a polite suggestion; it’s a mandatory rule for Certificate Authorities, as defined by the CA/Browser Forum Baseline Requirements. Each CA must check your CAA record before issuing a certificate, and if they’re not authorized, they must refuse issuance.
Why Is CAA Important?
In a world without hackers, an open-door policy would be fine. But the web is a bustling, chaotic city. A firm door policy, enforced by a CAA record, is essential for several reasons:
Prevents impersonators
CAA records stop unauthorized CAs from issuing fraudulent certificates for your domain, which helps block digital con artists from setting up a convincing fake storefront next to yours.
Protects your reputation
A counterfeit certificate can be used in phishing attacks or “man-in-the-middle” schemes, linking your trusted brand to criminal activity. A CAA record is your first line of defense against this reputational damage.
Enforces your security standards
You choose which CAs meet your security and vetting standards. CAA ensures that no one else can bypass that choice: not a compromised partner, not a rogue employee, not a clever attacker.
It’s a compliance checkmark
For organizations adhering to strict security frameworks like NIST or PCI DSS, demonstrating control over certificate issuance isn’t just good practice; it is often a requirement.
How Does a CAA Record Work?
When a CA receives a certificate request for your domain, it checks your DNS for the CAA record. The record itself is a clear instruction, composed of three parts: a flag, a tag, and a value.
The CAA record follows this structure:
example.com. IN CAA <flag> <tag> <value>
Typically, the flag is 0, and multiple records can coexist, one for each authorization instruction.
- Flag: The flag is usually set to 0. However, setting it to 128 (the ‘critical’ flag) instructs the CA to refuse issuance if it doesn’t recognize the tag, adding another layer of safety.
- Tag: This is the specific instruction. There are three main commands:
  - issue: Grants a CA permission to issue standard certificates.
  - issuewild: Grants permission for wildcard certificates (e.g., *.example.com). This can be assigned to the same or a different CA than the issue tag.
  - iodef: This is the “report an incident” instruction. It provides an email address where a CA can send a notice when it receives a certificate request for your domain that your policy does not authorize.
- Value: This is the name of the authorized CA or the reporting email address.
| CAA Record Syntax | What It Means |
|---|---|
| example.com. IN CAA 0 issue "digicert.com" | “Only DigiCert can issue standard passes for this venue.” |
| example.com. IN CAA 0 issuewild "sectigo.com" | “For all-access wildcard passes, only Sectigo is on the list.” |
| example.com. IN CAA 0 iodef "mailto:[email protected]" | “If anyone else tries to get a pass, email the security manager immediately.” |
Common CAA Tags and What They Do
CAA records use specific tags to control how certificate authorities can issue SSL/TLS certificates for your domain. Each tag serves a distinct purpose and applies to different certificate scenarios:
issue
The issue tag authorizes specific certificate authorities to issue standard SSL/TLS certificates for your domain. It is used when you want to explicitly allow one or more trusted CAs and block all others from issuing certificates.
issuewild
The issuewild tag controls which certificate authorities are allowed to issue wildcard certificates for your domain (for example, *.example.com). This tag is only relevant if you use wildcard certificates and want separate control over their issuance.
iodef
The iodef tag defines where certificate authorities should send reports if an unauthorized or invalid certificate issuance attempt occurs. These reports are typically sent to an email address or URL, helping domain owners detect and respond to potential abuse.
Together, these tags give domain owners much tighter control over how certificates are issued, while also making it easier to spot misuse or misconfiguration attempts early, before they turn into something bigger.
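As an added example (not code from the original post or from PowerDMARC), the following Python evaluates a published CAA policy the way a CA is required to under RFC 8659: it parses each record into flag, tag and value, climbs from the requested name to the closest parent that publishes CAA, lets issuewild override issue only for wildcard requests, treats a value of ";" as “no CA at all”, and refuses issuance when a critical flag sits on a tag it does not understand. The zone data and the security@example.com contact are constructed placeholders, not live DNS.

```python
import re

# Constructed sample zone (not live DNS): owner name -> CAA records in presentation form.
ZONE = {
    "example.com.": [
        '0 issue "digicert.com"',
        '0 issuewild "sectigo.com"',
        '0 iodef "mailto:security@example.com"',  # constructed contact address
    ],
    "locked.example.com.": ['0 issue ";"'],        # ';' alone: nobody may issue
    "strict.example.com.": ['128 futuretag "x"'],  # critical flag on an unknown tag
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
_RR = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"$')

def parse_caa(text):
    """Split one CAA record into (flag, tag, value); reject malformed input."""
    m = _RR.match(text.strip())
    if not m:
        raise ValueError(f"malformed CAA record: {text!r}")
    flag, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
    if not 0 <= flag <= 255:
        raise ValueError(f"flag out of range: {flag}")
    return flag, tag, value

def relevant_caa(name, zone=ZONE):
    """RFC 8659 tree climb: the closest CAA RRset at or above `name` governs."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if owner in zone:
            return [parse_caa(r) for r in zone[owner]]
    return []  # no CAA anywhere up the tree: issuance is unrestricted

def ca_may_issue(ca, name, wildcard=False, zone=ZONE):
    """Is issuer domain `ca` allowed to issue for `name` (or *.name when wildcard=True)?"""
    rrs = relevant_caa(name, zone)
    if not rrs:
        return True
    # A critical (128) flag on a tag the CA does not understand means refuse.
    if any(flag & 128 and tag not in KNOWN_TAGS for flag, tag, _ in rrs):
        return False
    tags = {tag for _, tag, _ in rrs}
    # issuewild governs wildcards only when present; otherwise issue applies to them too.
    wanted = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if wanted not in tags:
        return True  # only iodef (or nothing relevant) present: no restriction
    # Value is "<issuer-domain>[; parameters]"; ';' alone yields '' and never matches.
    issuers = {v.split(";")[0].strip().lower() for _, t, v in rrs if t == wanted}
    return ca.lower() in issuers
```

Running ca_may_issue against your own zone data before you publish it is a quick way to catch the “one-size-fits-all” and typo mistakes described later on this page.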
How to Set Up a CAA Record
Setting up a CAA record is done in your DNS management console.
1. Enter Your DNS: Log in to your domain registrar or DNS provider.
2. Post a New Rule: Find the area to add a new DNS record.
3. Write the Instruction:
   - Type: CAA
   - Host/Name: Your domain (e.g., example.com)
   - Tag: Choose issue, issuewild, or iodef.
   - Value: Enter the CA’s domain name in quotes (e.g., "digicert.com").
   - Flag: Set it to 0.
4. Publish and Verify: Save the record. DNS changes can take time to propagate across the internet. Use PowerDMARC’s online CAA checker to ensure your policy is visible and correct.
How PowerDMARC Can Help
PowerDMARC’s Certification Authority Authorization Checker is the tool you use to inspect your own door policy. It’s a powerful, free utility designed to instantly verify your CAA records and confirm that only your chosen CAs are on the list.
Step 1: Sign up with PowerDMARC for free
Signing up gives you access to a whole suite of DNS and email authentication tools to keep your domain secure.
Step 2: Go to Analysis Tools > Lookup Tools > CAA Checker
From the main menu, navigate to our Analysis Tools. You’ll find the CAA Checker in the Lookup Tools tab.
Step 3: Enter Your Domain Name
Enter the domain you want to inspect (e.g., powerdmarc.com) into the toolbox and hit the “Lookup” button.
Step 4: Review the Authorized List
The tool will immediately query your DNS and display your active CAA policy. You can review the authorized CAs and easily spot any that shouldn’t be there. The tool also highlights the TTL (Time to Live) for each record.
Step 5: Fix Any Issues
If the checker flags any misconfigurations or unauthorized entries, you can use the detailed information to go back to your DNS provider and troubleshoot them.
Important: A good CAA checker will help you prevent unauthorized certificate issuance, boost domain security, identify and troubleshoot misconfigurations effectively, as well as ensure compliance and better SSL certificate management.
Rookie Mistakes to Avoid
- Typos on the List: Spelling a CA’s name incorrectly (“digicert.co” instead of “digicert.com”) will block them outright.
- Forgetting the iodef Report: Not telling your bouncer where to send incident reports means you’ll never know if someone is testing your security.
- One-Size-Fits-All Policies: If you use one CA for standard domains and another for wildcards, you need two separate records (issue and issuewild).
When You Should Use a CAA Record
A CAA record is strongly recommended for any domain that uses SSL/TLS certificates, especially when certificate misuse could lead to security, trust, or compliance issues. By restricting which certificate authorities can issue certificates for your domain, CAA reduces the risk of unauthorized or accidental certificate issuance.
CAA is particularly important for enterprises managing multiple domains or subdomains, ecommerce businesses handling sensitive customer data, and organizations operating customer-facing websites where trust is critical. It is also highly valuable for companies working with multiple teams or vendors, where certificate management may be distributed and harder to control centrally.
Controlling CA authorization becomes essential in environments where a compromised or misissued certificate could enable impersonation, man-in-the-middle attacks, or brand damage. Even smaller organizations and informational websites benefit from enforcing CAA restrictions, as any domain using SSL relies on certificate integrity. Implementing a CAA record provides an added layer of control and visibility that strengthens overall domain security regardless of organization size.
Conclusion
Take full control over who issues SSL/TLS certificates for your domain. A CAA record acts as your authorized list of approved Certificate Authorities and blocks anyone else from creating a certificate in your name.
This is a strong defense against phishing and brand impersonation attacks that can erode customer trust. But simply creating the record isn’t enough. To ensure it’s working correctly, regular verification is necessary. PowerDMARC provides the expert tools you need to not only check your CAA configuration but also to deploy a complete, multi-layered defense that integrates web and email security.
Don’t leave your certificate issuance process open to chance. Sign up with PowerDMARC today to use our free CAA Checker, validate your security posture, and gain complete visibility and control over your domain’s authentication protocols.
Frequently Asked Questions (FAQs)
What does a CAA record do?
A CAA record is a public policy in your DNS that declares which specific Certificate Authorities are permitted to issue SSL/TLS certificates for your domain.
Do I need a CAA record for my domain?
No, it is not mandatory for a website to function. But without one, any CA can issue a certificate for your domain if a request passes their validation. This creates a potential security risk.
Can I have multiple CAA records?
Absolutely. If you use more than one Certificate Authority, you simply create a separate issue or issuewild CAA record for each authorized provider.
What happens if I don’t set a CAA record?
If you have no CAA record, you are essentially telling the world you have no preference. This means any of the hundreds of CAs can issue a certificate for your domain, which significantly increases the surface area for potential mis-issuance, whether accidental or malicious.