
CAA record explained: control your SSL certificates

Published on June 19, 2026

A CAA record defines which certificate authorities may issue an SSL certificate for your domain. Learn how to set one up and check it.

Flat illustration of a person beside a large padlock shield in front of a globe, with a gate that filters certificate seals and lets one through marked by an amber checkmark.

A CAA record is a DNS setting that lets you define which certificate authorities (CAs) are allowed to issue an SSL certificate for your domain. It helps prevent a wrong or fraudulent certificate from being created for your domain. This guide explains what a CAA record does, how it is structured, and how to set one up and check it yourself.

What is a CAA record?

CAA stands for Certification Authority Authorization. It is a DNS record type of its own (type number 257), defined in RFC 8659, which replaced the original RFC 6844. With a CAA record you tell certificate authorities which parties may and may not issue a TLS (SSL) certificate for your domain.

A certificate authority, or CA for short, is the organization that issues SSL certificates. Well-known examples are Let's Encrypt, Sectigo, and DigiCert. Without a CAA record, any publicly trusted CA can issue a certificate for your domain. With a CAA record, you limit that to the CAs you explicitly allow.

Why set up a CAA record?

The purpose of a CAA record is to prevent certificates from being issued incorrectly. When someone requests a certificate for your domain from any CA, that CA first checks your CAA record. If the CA is not listed, it refuses the request.

This check has been mandatory since 8 September 2017. The CA/Browser Forum, the group of certificate authorities and browser makers, states in its Baseline Requirements that every publicly trusted CA must consult the CAA record before issuing a certificate. If you use a free CA such as Let's Encrypt, it follows the same rule.

Setting up a CAA record is not required, but it is a simple extra layer of security for your domain.

What does a CAA record look like?

Every CAA record has three parts: a flag, a tag, and a value. Here is an example:

example.com.   CAA   0 issue "letsencrypt.org"

In this example, 0 is the flag, issue is the tag, and letsencrypt.org is the value. Below is what each part means.

The flag

The flag is a one-byte number (0 to 255). In almost all cases you use 0. Only the top bit, value 128, has a defined meaning: the so-called issuer critical flag. If it is set and a CA does not recognize the tag, the CA must refuse to issue instead of ignoring the record. It exists so that future tags cannot be silently skipped; for the three standard tags below, simply leave the flag at 0.

The tag

The tag determines what the record controls. There are three tags:

Tag        Meaning
issue      Authorizes a CA to issue certificates for the domain.
issuewild  The same as issue, but for wildcard certificates such as *.example.com. If at least one issuewild record exists, it overrides issue for wildcard requests.
iodef      An address (mailto: or https://) where a CA can send reports about requests that are not allowed. Sending these reports is optional for the CA, so do not rely on them as an alert.

The value

For the issue and issuewild tags, the value is the identifier of the CA, for example letsencrypt.org. Some CAs also accept parameters after the identifier, separated by a semicolon (for example, Let's Encrypt supports restricting the validation method or the account that may request certificates); check your CA's documentation before using them. An empty value, written as a single semicolon, means that no CA at all may issue a certificate:

example.com.   CAA   0 issue ";"

If you want to allow more than one CA, add a separate issue record for each one:

example.com.   CAA   0 issue "letsencrypt.org"
example.com.   CAA   0 issue "sectigo.com"

Common CA identifiers

These are the values for a number of well-known certificate authorities. Always check the documentation of your own CA, because some CAs use more than one identifier.

Certificate authority      Value in the record
Let's Encrypt              letsencrypt.org
DigiCert                   digicert.com
Sectigo                    sectigo.com
GlobalSign                 globalsign.com
Google Trust Services      pki.goog
Amazon                     amazon.com

Adding a CAA record

Just like an A record or a TXT record, you add a CAA record in the DNS management of your domain. At LJPc hosting you do this in the DNS settings of your zone, with fields for the name, the flag, the tag, the value, and the TTL.

  1. Open the DNS management of your domain and choose to add a new record.
  2. Select CAA as the type.
  3. Enter the domain or subdomain in the name field. For the whole domain you usually use @ or the domain name itself.
  4. Set the flag to 0.
  5. Choose the issue tag for regular certificates, issuewild for wildcard certificates, or iodef for reports.
  6. Enter the value, for example letsencrypt.org.
  7. Leave the TTL at the default, often 3600 seconds, and save the record.

Important: always add every CA that you use, including any CA that a hosting panel, CDN, or load balancer obtains certificates from on your behalf. If you forget one, creating or renewing that certificate will fail.

Subdomains, wildcards, and how CAs find the record

A CA finds the CAA record by working up the domain name, from the most specific name toward the root. It first looks at the exact name, for example www.example.com. If it finds no CAA record there, it tries example.com, and so on up to just below the root. The first set of records it encounters is the one that counts.

Because of this, a CAA record on your main domain automatically applies to all subdomains. If you want to allow a different CA for a subdomain, you place a separate CAA record on that subdomain. For that name, the separate record replaces the rules of the main domain.

For wildcard certificates, such as *.example.com, there is a dedicated tag: issuewild. If at least one issuewild record is present, it applies to wildcards and the regular issue tag is ignored for wildcards. If there is no issuewild, the issue tag also decides whether wildcards are allowed. With issuewild ";" you block wildcard certificates entirely.
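The rules above (the record layout, issue versus issuewild, the critical flag, and the climb from the exact name toward the root) can be checked against a small script. The following is an added example, not code from this article or from LJPc hosting: it applies those rules, following RFC 8659 section 3 for the lookup order, to a constructed zone. The zone contents, the names under example.com, and the made-up tag futuretag are assumptions for illustration only.

```python
import re
from typing import Dict, List, NamedTuple

CRITICAL = 128  # high-order bit of the one-byte flags field: "issuer critical"
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


class CAARecord(NamedTuple):
    flags: int
    tag: str
    value: str


_RDATA_RE = re.compile(r'^(\d{1,3})\s+([A-Za-z0-9]+)\s+"(.*)"$')


def parse_caa(rdata: str) -> CAARecord:
    """Parse the presentation form used on this page, e.g. '0 issue "letsencrypt.org"'."""
    m = _RDATA_RE.match(rdata.strip())
    if not m:
        raise ValueError(f"not a CAA record: {rdata!r}")
    flags = int(m.group(1))
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one byte")
    return CAARecord(flags, m.group(2).lower(), m.group(3))  # tags are case-insensitive


def issuer_domain(value: str) -> str:
    """Strip optional parameters: 'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'.
    The empty value ';' yields '' and therefore authorizes nobody."""
    return value.split(";", 1)[0].strip().lower()


def relevant_rrset(zone: Dict[str, List[str]], name: str) -> List[CAARecord]:
    """Climb from the exact name toward the root and return the first non-empty
    CAA RRset found (RFC 8659 section 3); an empty list means no CAA anywhere."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if zone.get(candidate):
            return [parse_caa(r) for r in zone[candidate]]
    return []


def may_issue(zone: Dict[str, List[str]], name: str, ca: str) -> bool:
    """Decide whether CA `ca` may issue for `name`; write wildcard requests as '*.example.com'."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(zone, name[2:] if wildcard else name)
    if not rrset:
        return True  # no CAA record up the whole tree: any publicly trusted CA may issue
    # A critical flag on a tag the CA does not understand means: do not issue.
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # issuewild replaces issue for wildcard requests only if at least one issuewild exists.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True  # e.g. only an iodef record: CAA does not restrict issuance
    return any(issuer_domain(r.value) == ca.lower() for r in governing)


# Constructed zone for the example (assumed data, not real DNS records).
ZONE: Dict[str, List[str]] = {
    "example.com.": [
        '0 issue "letsencrypt.org"',
        '0 issue "sectigo.com"',
        '0 issuewild ";"',                        # block wildcard certificates entirely
        '0 iodef "mailto:security@example.com"',
    ],
    "dev.example.com.": ['0 issue "pki.goog"'],   # subdomain with its own, replacing rules
    "legacy.example.com.": ['128 futuretag "x"'],  # critical flag on an unrecognized (made-up) tag
}

if __name__ == "__main__":
    for req, ca in [("www.example.com", "letsencrypt.org"), ("*.example.com", "letsencrypt.org"),
                    ("dev.example.com", "letsencrypt.org"), ("*.dev.example.com", "pki.goog"),
                    ("legacy.example.com", "letsencrypt.org"), ("other.test", "digicert.com")]:
        print(f"{ca:16} -> {req:22} {'allowed' if may_issue(ZONE, req, ca) else 'REFUSED'}")
```

Note what the script deliberately leaves out: a real CA also follows CNAME and DNAME aliases during the lookup, retries failed queries, and treats a lookup failure in a DNSSEC-signed zone as a reason not to issue. The point here is the decision logic: for www.example.com the rules of example.com apply; *.example.com is refused because an issuewild ";" exists even though issue allows Let's Encrypt; *.dev.example.com is allowed for pki.goog because dev.example.com has no issuewild, so its issue record governs wildcards too.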

Checking your CAA record

After you save a CAA record, you can check whether it is correct. If the name you care about is a subdomain, also query the parent names, because a CA works up the name until it finds the first CAA record. On macOS and Linux you use the dig command:

dig CAA example.com +short

On Windows you use nslookup:

nslookup -type=CAA example.com

There are also online CAA checkers that let you verify the same thing without using the command line.

Common problems

Running into an issue? This table points you in the right direction.

Problem: A certificate cannot be created or renewed
Cause: Your CAA record does not allow the CA you use
Solution: Add the correct CA with an issue tag, for example letsencrypt.org

Problem: A wildcard certificate is refused
Cause: An issuewild record is present that does not name the CA
Solution: Adjust the issuewild tag or add the correct CA

Problem: A change does not take effect right away
Cause: The old value is still cached (TTL)
Solution: Wait until the TTL has expired, sometimes up to 24 or 48 hours

Problem: The CA cannot read the record
Cause: A DNS or DNSSEC error (SERVFAIL); in a DNSSEC-signed zone, a CA may not issue at all while the lookup fails
Solution: Check your zone and your DNSSEC settings

CAA compared to DNSSEC and DANE

A CAA record protects the moment of issuance: it decides who may create a certificate. It does not check the connection itself and does not stop a CA that ignores the rules. So it is a valuable measure, but not an airtight one.

You can combine CAA with other techniques. With DNSSEC you sign your DNS data, so a CA can trust that your CAA record was not altered along the way (and a CA must not treat a failed lookup as permission to issue when the zone is signed). DANE goes a step further and lets the connecting party verify, while setting up the connection, that the certificate is the one you published in a TLSA record. Where CAA works at issuance, DANE works at the connection; in practice DANE is used mainly between mail servers, because web browsers do not implement it.

With a CAA record, you stay in control of who may issue certificates for your domain. Need help? Contact our support team and we will be glad to help.

Frequently asked questions

Is a CAA record required?

No, setting up a CAA record is not required. It is recommended, though, because it gives you extra control over who may issue certificates for your domain. If you have no CAA record, any publicly trusted CA can issue a certificate.

What happens if I have no CAA record?

Without a CAA record, any publicly trusted certificate authority may issue a certificate for your domain. With a CAA record, you limit that to the CAs you have listed, and every other CA must reject the request.

Does a CAA record fully block an attacker?

No. A CAA record is only checked at issuance, and only by CAs that follow the rules. It does not stop a CA that ignores the rules, it does not affect certificates that were issued before you added the record, and it does not invalidate a certificate whose private key was stolen. It mainly reduces the chance of certificates being issued incorrectly by trusted CAs.

Does a CAA record also apply to my subdomains?

Yes. A CA works up the name from the most specific part and uses the first CAA record it finds. As a result, a record on your main domain also applies to subdomains, unless a subdomain has its own CAA record. That separate record then counts for that name.

How long does it take for a CAA record to become active?

A new or changed CAA record is active as soon as the DNS change has propagated. How long that takes depends on the TTL of the record. In practice, expect a few minutes up to 24 or 48 hours.

Which value do I use for Let's Encrypt?

For Let's Encrypt you use the value letsencrypt.org. A complete record then looks like this: 0 issue "letsencrypt.org". That record also covers wildcard certificates as long as you have no issuewild records. If you do have issuewild records, for example because you restrict wildcards to a different CA, add an issuewild record with the value letsencrypt.org as well.

Prefer to talk to someone?

We are also happy to answer your questions personally. Schedule a free consultation or call us directly. We are glad to think along with you.
