
CAA Records Explained and Why They Matter for SSL

A CAA (Certification Authority Authorisation) record is a DNS record that tells certificate authorities (CAs) which ones are permitted to issue SSL/TLS certificates for your domain. If a CA isn't listed in your CAA record, they must refuse to issue a certificate for your domain — even if the requestor can pass domain validation.

Since 2017, checking CAA records has been mandatory for all publicly-trusted CAs under CA/Browser Forum rules.


Why CAA Records Matter

Without a CAA record, any of the hundreds of publicly-trusted certificate authorities can issue a certificate for your domain. An attacker who compromises one CA, or social-engineers a CA's validation process, could obtain a certificate for your domain — enabling them to intercept HTTPS traffic.

CAA records reduce your attack surface by limiting which CAs can issue for your domain. If you only ever use Let's Encrypt, a CAA record restricting issuance to Let's Encrypt means a compromised DigiCert or Comodo can't be tricked into issuing for you.


CAA Record Syntax

yourdomain.com. IN CAA 0 issue "letsencrypt.org"
yourdomain.com. IN CAA 0 issue "digicert.com"
yourdomain.com. IN CAA 0 issuewild "letsencrypt.org"
yourdomain.com. IN CAA 0 iodef "mailto:[email protected]"

The three tag types:

  • issue — allows the named CA to issue single-domain and multi-SAN certificates for this domain
  • issuewild — allows the named CA to issue wildcard certificates (*.yourdomain.com). If absent, issue applies to wildcards too
  • iodef — specifies where the CA should report policy violations (email or HTTPS URL)

The flag value (0 or 128):

  • 0 — non-critical. If the CA doesn't understand the tag, proceed with default behaviour
  • 128 — critical. If the CA doesn't understand the tag, refuse to issue

For most use cases, 0 is correct.


Common CAA Configurations

Let's Encrypt only:

yourdomain.com. IN CAA 0 issue "letsencrypt.org"
yourdomain.com. IN CAA 0 issuewild "letsencrypt.org"

Multiple CAs (e.g. Let's Encrypt for auto-renewal, DigiCert for EV):

yourdomain.com. IN CAA 0 issue "letsencrypt.org"
yourdomain.com. IN CAA 0 issue "digicert.com"
yourdomain.com. IN CAA 0 issuewild "letsencrypt.org"

Block all issuance (useful for domains that should never have certs):

yourdomain.com. IN CAA 0 issue ";"
yourdomain.com. IN CAA 0 issuewild ";"

With violation reporting:

yourdomain.com. IN CAA 0 issue "letsencrypt.org"
yourdomain.com. IN CAA 0 iodef "mailto:[email protected]"

Checking Your Current CAA Records

# Check CAA records
dig yourdomain.com CAA +short

# If no output, no CAA records exist — any CA can issue
# (for a subdomain with no output, also check the parent: its CAA records
#  apply unless the subdomain publishes its own)
# Check CAA at the authoritative nameserver, bypassing any cached answer
dig yourdomain.com CAA @ns1.yourprovider.com +short

You can also use SSL Labs' CAA test which reports CAA records alongside your SSL certificate grade.


CAA Records and Let's Encrypt

If you use Let's Encrypt for automatic certificate renewal, the relevant CAA value is letsencrypt.org:

yourdomain.com. IN CAA 0 issue "letsencrypt.org"

If you have a CAA record that doesn't include letsencrypt.org, Let's Encrypt will refuse to issue — which means your Certbot renewal will fail. This is a common cause of unexpected Let's Encrypt renewal failures. See Let's Encrypt renewal failed: common causes and fixes for the full diagnosis process.


CAA Records for Subdomains

CAA records are inherited by subdomains unless overridden. If you set a CAA record on yourdomain.com, it applies to www.yourdomain.com, api.yourdomain.com, etc., unless those subdomains have their own CAA records. A CA starts at the exact name it was asked to issue for and walks up towards the root, using the first name at which it finds any CAA records.

To allow a different CA for a specific subdomain:

api.yourdomain.com. IN CAA 0 issue "digicert.com"

This replaces the parent domain's CAA policy for api.yourdomain.com only; other subdomains still inherit yourdomain.com's records.


What Happens If Your CAA Record Is Wrong

If your CAA record incorrectly excludes the CA you're trying to use:

  • Let's Encrypt returns: Error: CAA record for yourdomain.com prevents issuance
  • Other CAs refuse with a similar policy violation message
  • Certificate renewal fails silently if you're not watching logs

This is why checking CAA records is part of any SSL troubleshooting process — see how to rotate SSL certificates without breaking your site for the full pre-rotation checklist.
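To make the rules from the syntax, flag, subdomain and troubleshooting sections above concrete, here is an added Python example. It is not part of the original post and not code from any CA; it evaluates CAA policy over a constructed in-memory zone instead of querying DNS, so it runs offline. The ZONE table, the mailto address and the "example-tag" property are all made up for illustration, and the wildcard lookup is simplified as noted in the comments. The ca_may_issue() function answers the pre-renewal question "will my CA be allowed to issue for this name?" before Certbot or another client finds out the hard way.

```python
"""Added example: evaluate CAA issuance policy for a name over a constructed zone.
Follows the RFC 8659 rules described in the post: walk up to the closest name
with CAA records, pick issue vs issuewild, honour ";" and the critical flag."""
from __future__ import annotations

from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0 = non-critical, 128 = critical
    tag: str     # issue, issuewild, iodef, or a property the CA may not understand
    value: str   # CA domain, ";" meaning "nobody", or a reporting URL for iodef


def parse_caa(line: str) -> CAARecord:
    """Parse one record in the form `dig +short` prints: 0 issue "letsencrypt.org"."""
    flags, tag, value = line.split(None, 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


# Constructed zone (assumption: no real DNS is consulted). name -> CAA records
ZONE = {
    "yourdomain.com": [
        '0 issue "letsencrypt.org"',
        '0 issue "digicert.com"',
        '0 issuewild "letsencrypt.org"',
        '0 iodef "mailto:caa-reports@yourdomain.com"',   # constructed address
    ],
    "api.yourdomain.com": ['0 issue "digicert.com"'],           # overrides the parent
    "legacy.yourdomain.com": ['0 issue ";"'],                    # no CA may issue
    "strict.yourdomain.com": ['128 example-tag "x"',             # critical, unknown tag
                              '0 issue "letsencrypt.org"'],
}


def relevant_records(name: str, zone: dict = ZONE) -> tuple[str, list[CAARecord]]:
    """Walk from the name towards the root; the closest name with CAA records wins.
    Returns (name that supplied the records, records), or ("", []) if none exist."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, [parse_caa(r) for r in zone[candidate]]
    return "", []


def ca_may_issue(name: str, ca: str, zone: dict = ZONE) -> tuple[bool, str]:
    """Decide whether `ca` may issue for `name`; pass "*.example" for a wildcard."""
    wildcard = name.startswith("*.")
    # Simplification (assumption): start the walk at the name under the '*' label.
    # A real CA also queries the literal wildcard name first.
    base = name[2:] if wildcard else name
    source, records = relevant_records(base, zone)
    if not records:
        return True, "no CAA records found: any CA may issue"

    # A critical (128) property the CA does not understand blocks issuance outright.
    for rec in records:
        if rec.flags & 128 and rec.tag not in KNOWN_TAGS:
            return False, f"critical unknown property '{rec.tag}' at {source}"

    # issuewild governs wildcards only when present; otherwise issue applies to them too.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in records) else "issue"
    # Drop optional parameters ("letsencrypt.org; validationmethods=dns-01") before comparing.
    allowed = {r.value.split(";")[0].strip().lower() for r in records if r.tag == tag}
    if not allowed:
        return True, f"no {tag} records at {source}: issuance unrestricted"
    if ca.lower() in allowed:
        return True, f"{ca} permitted by {tag} record at {source}"
    if allowed == {""}:
        return False, f'{tag} ";" at {source}: no CA may issue'
    return False, f"{ca} not in {tag} set {sorted(allowed)} at {source}"


def report_targets(name: str, zone: dict = ZONE) -> list[str]:
    """Where a CA should report a violation (iodef), if the owner published one."""
    _, records = relevant_records(name, zone)
    return [r.value for r in records if r.tag == "iodef"]


if __name__ == "__main__":
    checks = [("www.yourdomain.com", "letsencrypt.org"), ("*.yourdomain.com", "digicert.com"),
              ("api.yourdomain.com", "letsencrypt.org"), ("legacy.yourdomain.com", "letsencrypt.org"),
              ("strict.yourdomain.com", "letsencrypt.org")]
    for n, ca in checks:
        ok, why = ca_may_issue(n, ca)
        print(f"{'ALLOW' if ok else 'DENY':5} {ca:16} {n:24} {why}")
    print("violation reports for www.yourdomain.com go to:", report_targets("www.yourdomain.com"))
```

Run it as-is to see the inheritance and override cases from the sections above; to check a real zone, replace the ZONE lookup with the output of `dig <name> CAA +short` for each name on the walk. Note that a DENY for strict.yourdomain.com comes purely from the critical flag on a tag the evaluator does not know, which is exactly why the post recommends flag 0 for ordinary records.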


Monitoring CAA Records

CAA records are DNS records — they can be inadvertently removed or changed during DNS migrations. A missing CAA record reopens your domain to issuance from any CA. Domain Monitor monitors your DNS records and alerts when any record changes unexpectedly, including CAA. Create a free account.
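As an added example (not Domain Monitor's code, and not part of the original post), this Python snippet shows the kind of drift check such monitoring performs: it compares a saved baseline against today's `dig <name> CAA +short` output and flags changes that widen or weaken the issuance policy, with the disappearance of every CAA record treated as the most serious case. BASELINE and TODAY are constructed sample data; fetch_caa() shells out to dig and is the only part that needs a network and the dig binary.

```python
"""Added example: detect CAA record drift between a saved baseline and a fresh lookup."""
import subprocess


def fetch_caa(name: str) -> list:
    """Run `dig <name> CAA +short` and return its lines (needs dig and network access)."""
    out = subprocess.run(["dig", name, "CAA", "+short"], capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def normalise(records) -> set:
    """Canonical form so whitespace or tag-case differences don't raise false alerts."""
    canonical = set()
    for line in records:
        line = line.strip()
        if not line:
            continue
        flags, tag, value = line.split(None, 2)
        canonical.add(f"{int(flags)} {tag.lower()} {value.strip()}")
    return canonical


def caa_drift(baseline, current) -> list:
    """Return (severity, message) findings; an empty list means nothing changed."""
    before, after = normalise(baseline), normalise(current)
    findings = []
    if before and not after:
        # The case the post warns about: a lost CAA set reopens the domain to every CA.
        findings.append(("high", "all CAA records gone: any publicly-trusted CA may now issue"))
        return findings
    for rec in sorted(after - before):
        tag = rec.split()[1]
        if tag in ("issue", "issuewild"):
            findings.append(("high", f"new CA authorised: {rec}"))
        else:
            findings.append(("medium", f"record added: {rec}"))
    for rec in sorted(before - after):
        tag = rec.split()[1]
        if tag == "iodef":
            findings.append(("medium", f"violation reporting removed: {rec}"))
        else:
            findings.append(("high", f"record removed: {rec}"))
    return findings


# Constructed sample: the baseline saved when monitoring was set up, and what dig
# returned today after a DNS migration dropped two records and added a CA.
BASELINE = [
    '0 issue "letsencrypt.org"',
    '0 issuewild "letsencrypt.org"',
    '0 iodef "mailto:caa-reports@yourdomain.com"',
]
TODAY = [
    '0  issue "letsencrypt.org"',      # same record, different spacing: not a change
    '0 issue "digicert.com"',
]

if __name__ == "__main__":
    for severity, message in caa_drift(BASELINE, TODAY):
        print(f"[{severity}] {message}")
    # In production replace TODAY with fetch_caa("yourdomain.com") on a schedule.
```

Store the baseline when you first set the records, run the comparison on a schedule, and page on any "high" finding; a check like this catches the silent removal during a provider migration long before a renewal fails or, worse, an unexpected CA issues.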

