A CAA record (Certification Authority Authorisation) is a DNS record type that specifies which Certificate Authorities (CAs) are allowed to issue SSL/TLS certificates for a domain. CAs are required to check for CAA records before issuing a certificate. If a CAA record exists and the CA is not listed, the CA must refuse to issue the certificate.
Why CAA Records Exist
In theory, any Certificate Authority could issue a certificate for any domain. CAA records let domain owners restrict this, reducing the risk of mis-issuance — either accidentally or through a compromised CA.
CAA Record Examples
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issue "digicert.com"
example.com. IN CAA 0 issuewild ";" ; Prevents wildcard issuance
example.com. IN CAA 0 iodef "mailto:[email protected]"
CAA Record Tags
issue — Authorises a CA to issue standard certificates.
issuewild — Authorises a CA to issue wildcard certificates (*.example.com). Set to ";" to prohibit wildcards entirely.
iodef — An email address or URL where the CA should send violation reports.
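To show how a CA evaluates these tags against the records above, here is a small policy checker added for this page (not code from any CA or DNS library). It follows the RFC 8659 rules: climb from the requested name towards the root until a CAA RRset is found, let issuewild override issue for wildcard names, fall back to issue when no issuewild exists, treat ";" as "no issuer", and refuse on an unrecognised critical property. The zone data is constructed inline; real CNAME and DNSSEC handling is out of scope.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (value 128) marks the property as issuer-critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "letsencrypt.org", or ";" meaning "no issuer at all"

# Constructed zone data for this example: owner name -> CAA RRset.
ZONE = {
    "example.com.": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issue", "digicert.com"),
        CAARecord(0, "issuewild", ";"),                  # wildcards prohibited
        CAARecord(0, "iodef", "mailto:[email protected]"),
    ],
    "shop.example.org.": [CAARecord(0, "issue", "digicert.com")],  # no issuewild
    "locked.example.net.": [CAARecord(0, "issue", ";")],           # nobody may issue
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(fqdn):
    """RFC 8659 s.3: first non-empty CAA RRset found walking from the name up to the root."""
    labels = fqdn.rstrip(".").split(".")
    while labels:
        rrset = ZONE.get(".".join(labels) + ".")
        if rrset:
            return rrset
        labels = labels[1:]
    return []

def issuer_domain(value):
    """'letsencrypt.org; accounturi=...' -> 'letsencrypt.org'; ';' -> '' (no issuer)."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(ca, name):
    """Decide whether CA `ca` (its CAA issuer domain) may issue for `name`; returns (allowed, reason)."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name)
    if not rrset:
        return True, "no CAA records in the tree: issuance not restricted"
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in rrset):
        return False, "unrecognised critical property: must not issue"
    props = [r for r in rrset if r.tag == ("issuewild" if wildcard else "issue")]
    if wildcard and not props:   # RFC 8659 s.4.3: issue governs wildcards when issuewild is absent
        props = [r for r in rrset if r.tag == "issue"]
    if not props:
        return True, "CAA present but no issue/issuewild property: not restricted"
    if any(issuer_domain(r.value) == ca.lower() for r in props):
        return True, f"{ca} authorised by an {props[0].tag} property"
    return False, f"{ca} not listed in {props[0].tag} properties"
```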
Should You Add CAA Records?
CAA records are recommended for any domain where certificate security is critical — banking, healthcare, SaaS. For most websites, a CAA record authorising Let's Encrypt is sufficient. If a domain has no CAA records at all, any CA may issue certificates for it.