What Is a CAA Record and How to Restrict TLS Certificate Issuance

· 6 min read · Tomas Hojgr · DNS for Email

What Is a CAA Record

CAA (Certification Authority Authorization) is a DNS record type that specifies which certificate authorities are allowed to issue TLS certificates for your domain. It is defined in RFC 8659 (obsoleting the earlier RFC 6844).

Without a CAA record, any public certificate authority can issue a TLS certificate for your domain. This means an attacker who successfully passes domain validation (e.g., through a compromised email or DNS) can obtain a valid certificate. A CAA record reduces this attack surface — a certificate authority not listed in the CAA record must refuse to issue.

Why CAA Records Exist

The public CA system relies on trust: browsers trust hundreds of CAs, each of which can issue a certificate for any domain. If even one CA has weak validation or gets compromised, an attacker can obtain a certificate for someone else's domain.

History confirms this risk. In 2011, the DigiNotar CA was fully compromised and a Comodo registration authority affiliate was exploited — in both cases, attackers obtained valid certificates for Google, Yahoo, and other major services. These incidents accelerated the development of mechanisms giving domain owners control over certificate issuance.

Since September 8, 2017, all public certificate authorities are required to check CAA records before issuing a certificate. If a CAA record exists and the CA is not listed, it must not issue. This requirement was established by CA/Browser Forum Ballot 187.

How CAA Works

A CAA record has three parts: flag, tag, and value.

example.com.  IN  CAA  0 issue "letsencrypt.org"
  • Flag (0): currently 0 is standard. A value of 128 means "critical" — a CA that does not understand this tag must not issue.
  • Tag: specifies the rule type (see below).
  • Value: the certificate authority identifier or other value.

CAA Tags

Tag        Meaning
issue      Authorizes a CA to issue standard certificates for the domain
issuewild  Authorizes a CA to issue wildcard certificates (*.example.com)
iodef      URL or email for reporting CAA policy violations

Examples

Allow only Let's Encrypt:

example.com.  IN  CAA  0 issue "letsencrypt.org"
example.com.  IN  CAA  0 issuewild ";"

This allows Let's Encrypt to issue standard certificates and explicitly prohibits all CAs from issuing wildcard certificates (the value ";" means "no one"). Without the issuewild line, wildcard issuance would be governed by the issue tag — meaning only Let's Encrypt could issue them.

Allow two CAs and receive violation reports:

example.com.  IN  CAA  0 issue "letsencrypt.org"
example.com.  IN  CAA  0 issue "digicert.com"
example.com.  IN  CAA  0 iodef "mailto:security@example.com"

Prohibit all certificate issuance:

example.com.  IN  CAA  0 issue ";"

This is useful for domains that do not use HTTPS and where you want to prevent anyone from obtaining a certificate.

CAA Record Inheritance

CAA records work hierarchically. If a subdomain has no CAA record of its own, the CA looks for a CAA record on the parent domain, then on that domain's parent, and so on toward the DNS root. The first CAA record set found on the way up is the one that applies.

Example: for shop.example.com, the CA checks CAA records on:

  1. shop.example.com — if found, these apply
  2. example.com — if found, these apply
  3. com — if found, these apply

This means you only need to set CAA records on your apex domain and they automatically apply to all subdomains. If a specific subdomain needs different rules, give it its own CAA record.
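As an added example (not code from the article), the parent-domain climbing described above, together with the issuewild fallback and the ";" ("no one") value from the Examples section, implemented as an offline check over a constructed in-memory zone. The zone contents and CA identifiers are constructed sample data, and the check is a simplified model of the RFC 8659 rules rather than a CA's production validator.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample zone (not real DNS data): name -> CAA records (flags, tag, value).
ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    "example.com": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";"),
                    (0, "iodef", "mailto:security@example.com")],
    "shop.example.com": [(0, "issue", "digicert.com")],       # subdomain override
    "reports.example.net": [(0, "iodef", "mailto:caa@example.net")],  # iodef only
    "locked.example.org": [(128, "future-tag", "x")],         # unknown critical tag
}


def relevant_rrset(name: str, zone=ZONE) -> Tuple[Optional[str], list]:
    """Climb from the requested name toward the root; the first name that has
    a CAA RRset supplies the policy for every name below it."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []


def may_issue(ca: str, name: str, zone=ZONE) -> bool:
    """Return True if the CA identified by `ca` may issue for `name`.
    A leading "*." marks a wildcard request, which is evaluated on the parent."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    _, rrset = relevant_rrset(base, zone)
    if not rrset:
        return True  # no CAA record anywhere up the chain: issuance is unrestricted
    known = {"issue", "issuewild", "iodef"}
    if any(flags & 128 and tag.lower() not in known for flags, tag, _ in rrset):
        return False  # critical property the CA does not understand: must not issue
    tag = "issue"
    if wildcard and any(t.lower() == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # issuewild, when present, replaces issue for wildcards
    # The issuer domain is the part before any ";" parameters; ";" alone yields "".
    authorised = {v.split(";", 1)[0].strip().lower()
                  for _, t, v in rrset if t.lower() == tag}
    if not authorised:
        return True  # records exist (e.g. only iodef) but none restrict this request
    return ca.lower() in authorised  # the ";" value authorises nobody


if __name__ == "__main__":
    for ca, host in [("letsencrypt.org", "www.example.com"), ("digicert.com", "www.example.com"),
                     ("letsencrypt.org", "*.example.com"), ("digicert.com", "*.shop.example.com")]:
        print(f"{ca:16} {host:22} -> {'may issue' if may_issue(ca, host) else 'must refuse'}")
```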

How to Set Up CAA Records

1. Identify Which CAs You Use

Check who issued the current certificates for your domain and subdomains. Check your domain's HTTPS — the result shows the certificate issuer.

Alternatively, from the terminal:

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -issuer

2. Add CAA Records to DNS

In your DNS management panel, add records of type CAA. Most DNS providers (Cloudflare, AWS Route 53, GoDaddy) support CAA as a dedicated record type.

For a domain using Let's Encrypt:

example.com.  IN  CAA  0 issue "letsencrypt.org"
example.com.  IN  CAA  0 issuewild "letsencrypt.org"
example.com.  IN  CAA  0 iodef "mailto:security@example.com"

3. Verify the Configuration

After adding the records, verify they are correctly published. Check them via DNS lookup or from the terminal:

dig example.com CAA +short

Expected output:

0 issue "letsencrypt.org"
0 issuewild "letsencrypt.org"
0 iodef "mailto:security@example.com"

CAA and DNSSEC

CAA records protect against unauthorized certificate issuance at the CA level. But what if an attacker spoofs the CAA record itself via DNS? If an attacker removes the CAA record through DNS spoofing, the CA sees no restrictions and issues the certificate.

DNSSEC addresses this problem: it cryptographically signs DNS responses, including CAA records (and the signed denial that proves a record is absent). Together the two cover both layers: DNSSEC guarantees the authenticity of the DNS response and CAA restricts who may issue a certificate.

CAA in the Context of Email Security

CAA does not directly concern email authentication (SPF, DKIM, DMARC), but it connects to it through encrypted email transport:

  • MTA-STS requires a valid TLS certificate on the mail server. CAA ensures that only an authorized CA can issue that certificate.
  • Webmail and admin panels — login pages for email services must have valid HTTPS certificates. CAA prevents issuance of fraudulent certificates for these pages.

CAA is part of multi-layered domain protection: SPF, DKIM, and DMARC protect email authentication, DNSSEC protects DNS records, and CAA protects TLS certificate issuance. Check your domain's complete security — our analyzer verifies all layers at once.

Common CAA Configuration Mistakes

  • Unexpected issuewild fallback: if you do not set issuewild, wildcard certificate issuance is governed by the issue tag. This may be fine, but if you want to prohibit wildcards entirely, you must explicitly add issuewild ";". We recommend always setting both properties.
  • Missing CA in the record: after adding a CAA record with one CA, certificate renewal will fail if you use a different CA (for example, on a subdomain). Check all active certificates before configuring CAA.
  • Incorrect CA identifier: the value in issue must be the CA's exact identifier, not its brand name. For example, letsencrypt.org, not Let's Encrypt. The Common CA Database maintains a list of identifiers.

Summary

Property                 Value
DNS record type          CAA (type 257)
Defined in               RFC 8659
Mandatory checking since September 8, 2017
Main tags                issue, issuewild, iodef
Inheritance              Yes, from parent domain
Recommended complement   DNSSEC

A CAA record is a simple but effective tool for controlling TLS certificate issuance for your domain. Setup takes just a few minutes and significantly reduces the risk of unauthorized certificate issuance.

Check your domain's HTTPS and certificates with our analyzer.
