
CAA Records Explained and Why They Matter for SSL

A CAA (Certification Authority Authorisation) record is a DNS record that tells certificate authorities (CAs) which of them are permitted to issue SSL/TLS certificates for your domain. If a CA isn't listed in your CAA record, it must refuse to issue a certificate for your domain, even if the requester passes domain validation.

Since September 2017, checking CAA records at issuance time has been mandatory for all publicly-trusted CAs under the CA/Browser Forum Baseline Requirements. The record format itself is defined in RFC 8659 (which replaced RFC 6844).


Why CAA Records Matter

Without a CAA record, any of the hundreds of publicly-trusted certificate authorities can issue a certificate for your domain. An attacker who compromises one CA, or social-engineers a CA's validation process, could obtain a certificate for your domain and use it to intercept HTTPS traffic.

CAA records reduce your attack surface by limiting which CAs can issue for your domain. If you only ever use Let's Encrypt, a CAA record restricting issuance to Let's Encrypt means that a compromised or tricked DigiCert or Sectigo (formerly Comodo) must still refuse to issue for you.

Two caveats: CAA is enforced by CAs at issuance time, not by browsers, so it constrains compliant CAs rather than proving anything about a certificate already in the wild, and an attacker who controls your DNS can simply rewrite the record. Treat CAA as one layer alongside monitoring Certificate Transparency logs for unexpected certificates, not as a replacement for it.


CAA Record Syntax

yourdomain.com. IN CAA 0 issue "letsencrypt.org"
yourdomain.com. IN CAA 0 issue "digicert.com"
yourdomain.com. IN CAA 0 issuewild "letsencrypt.org"
yourdomain.com. IN CAA 0 iodef "mailto:[email protected]"

The three tag types defined in RFC 8659:

  • issue — allows the named CA to issue non-wildcard certificates (single-name or multi-SAN) for this domain
  • issuewild — allows the named CA to issue wildcard certificates (*.yourdomain.com). If no issuewild record exists, the issue records apply to wildcard requests too; once any issuewild record is present, only issuewild records govern wildcards
  • iodef — specifies where the CA should report policy violations (a mailto: address or an http/https URL). Sending these reports is optional for CAs, so don't rely on iodef as your only signal

The flag value (0 or 128; 128 sets the "issuer critical" bit):

  • 0 — non-critical. A CA that doesn't understand the tag ignores that record and evaluates the rest
  • 128 — critical. A CA that doesn't understand the tag must refuse to issue

For most use cases, 0 is correct. The critical flag only matters when you publish a tag that not every CA implements and you would rather block issuance than have it ignored.


Common CAA Configurations

Let's Encrypt only:

yourdomain.com. IN CAA 0 issue "letsencrypt.org"
yourdomain.com. IN CAA 0 issuewild "letsencrypt.org"

Multiple CAs (e.g. Let's Encrypt for auto-renewal, DigiCert for EV):

yourdomain.com. IN CAA 0 issue "letsencrypt.org"
yourdomain.com. IN CAA 0 issue "digicert.com"
yourdomain.com. IN CAA 0 issuewild "letsencrypt.org"

Note that because an issuewild record is present, it alone governs wildcard requests: DigiCert can issue ordinary certificates under this policy but not *.yourdomain.com.

Block all issuance (useful for parked domains or names that should never carry a publicly-trusted certificate; the empty issuer ";" authorises nobody):

yourdomain.com. IN CAA 0 issue ";"
yourdomain.com. IN CAA 0 issuewild ";"

With violation reporting:

yourdomain.com. IN CAA 0 issue "letsencrypt.org"
yourdomain.com. IN CAA 0 iodef "mailto:[email protected]"

Checking Your Current CAA Records

# Check CAA records
dig yourdomain.com CAA +short

# No output means no CAA records at this exact name. Because CAs walk up the
# tree (www.yourdomain.com, then yourdomain.com, ...), a subdomain with no
# records is still governed by the nearest parent that has some, so query each
# parent too. Only if no name in the chain has CAA records can any CA issue.
# Check CAA at the authoritative nameserver to bypass stale resolver caches
dig yourdomain.com CAA @ns1.yourprovider.com +short

You can also use SSL Labs' CAA test which reports CAA records alongside your SSL certificate grade.


CAA Records and Let's Encrypt

If you use Let's Encrypt for automatic certificate renewal, the relevant CAA value is letsencrypt.org:

yourdomain.com. IN CAA 0 issue "letsencrypt.org"

If you have a CAA record that doesn't include letsencrypt.org, Let's Encrypt will refuse to issue, which means your Certbot renewal will fail. Let's Encrypt re-checks CAA on every issuance, including renewals, so a CAA record added or changed months after the original certificate was issued is a common cause of unexpected renewal failures. See Let's Encrypt renewal failed: common causes and fixes for the full diagnosis process.


CAA Records for Subdomains

CAA records are inherited by subdomains unless overridden. When a CA evaluates a request for a name, it looks for CAA records at that exact name, then at each parent in turn, and uses the first set it finds. So a CAA record on yourdomain.com applies to www.yourdomain.com, api.yourdomain.com, etc. unless those subdomains have their own CAA records.

To allow a different CA for a specific subdomain:

api.yourdomain.com. IN CAA 0 issue "digicert.com"

This overrides the parent domain's CAA for api.yourdomain.com and for any name beneath it (for example v2.api.yourdomain.com), but leaves the rest of yourdomain.com on the parent policy. Note that the override replaces the parent's record set entirely: Let's Encrypt can no longer issue for api.yourdomain.com unless it is listed here as well.
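The following Python is an added example, not code from the original article or from any CA. It models how a CA evaluates CAA per RFC 8659 for the syntax and configurations shown above and for the subdomain inheritance just described: it parses lines in the format `dig NAME CAA +short` prints, walks from the requested name up toward the root to find the relevant record set, lets issuewild take over for wildcard requests only when such a record exists, treats ";" as "nobody", and refuses on an unknown critical tag. The zone contents (yourdomain.com, api.yourdomain.com, legacy.yourdomain.com, future.yourdomain.com and the security@ address) are constructed for illustration; parameters after ";" such as accounturi are ignored, which is a simplification of what real CAs do.

```python
import re
from dataclasses import dataclass

# One line of `dig NAME CAA +short` output looks like:  0 issue "letsencrypt.org"
CAA_LINE = re.compile(r'^(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # the tags this evaluator understands


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        # Bit 0 of the flags octet (numeric value 128) is the "issuer critical" flag.
        return bool(self.flags & 128)


def parse_caa(line: str) -> CAARecord:
    """Parse one `dig +short` CAA line; raises ValueError on anything else."""
    m = CAA_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    return CAARecord(int(m.group(1)), m.group(2).lower(), m.group(3).strip())


def build_zone(dig_output: dict) -> dict:
    """Map each owner name (lower-cased, no trailing dot) to its parsed CAA RRset."""
    return {name.rstrip(".").lower(): [parse_caa(l) for l in lines]
            for name, lines in dig_output.items()}


def relevant_record_set(zone: dict, name: str):
    """RFC 8659 section 3: walk from the requested name toward the root and use
    the first name that has any CAA records. Returns (owner_name, records)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []


def issuer_domain(value: str) -> str:
    """The issuer domain is the text before any ';'. A bare ';' yields '' which
    matches no CA. Parameters after ';' are ignored here (simplification)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone: dict, name: str, ca: str):
    """Decide as a CA would whether `ca` may issue for `name`.
    Pass '*.example.com' to ask about a wildcard. Returns (allowed, reason)."""
    wildcard = name.startswith("*.")
    fqdn = name[2:] if wildcard else name          # the search starts below the '*'
    origin, rrset = relevant_record_set(zone, fqdn)
    if not rrset:
        return True, f"no CAA records at {fqdn} or any parent: any CA may issue"
    for r in rrset:
        if r.critical and r.tag not in KNOWN_TAGS:
            return False, f"critical unknown tag {r.tag!r} at {origin}: must refuse"
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # issuewild governs a wildcard request only when at least one issuewild record
    # exists; otherwise the issue records apply to wildcards as well.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True, f"CAA at {origin} carries no governing issue records: not restricted"
    if any(issuer_domain(r.value) == ca.lower() for r in governing):
        return True, f"{ca} is authorised by CAA at {origin}"
    permitted = sorted({issuer_domain(r.value) for r in governing} - {""})
    return False, f"CAA at {origin} prevents issuance by {ca}; permitted: {permitted or 'nobody'}"


# Constructed sample (assumption, for illustration): what `dig <name> CAA +short`
# would print for each name in a zone using the configurations from this article.
SAMPLE_DIG_OUTPUT = {
    "yourdomain.com.": [
        '0 issue "letsencrypt.org"',
        '0 issue "digicert.com"',
        '0 issuewild "letsencrypt.org"',
        '0 iodef "mailto:security@yourdomain.com"',
    ],
    "api.yourdomain.com.": ['0 issue "digicert.com"'],      # subdomain override
    "legacy.yourdomain.com.": ['0 issue ";"'],              # block all issuance
    "future.yourdomain.com.": ['128 frobnicate "x"'],       # hypothetical critical tag
}
SAMPLE_ZONE = build_zone(SAMPLE_DIG_OUTPUT)

if __name__ == "__main__":
    checks = [("www.yourdomain.com", "letsencrypt.org"), ("www.yourdomain.com", "sectigo.com"),
              ("*.yourdomain.com", "digicert.com"), ("*.api.yourdomain.com", "digicert.com"),
              ("api.yourdomain.com", "letsencrypt.org"), ("v2.api.yourdomain.com", "digicert.com"),
              ("legacy.yourdomain.com", "letsencrypt.org"), ("future.yourdomain.com", "letsencrypt.org"),
              ("host.example", "letsencrypt.org")]
    for name, ca in checks:
        ok, why = may_issue(SAMPLE_ZONE, name, ca)
        print(f"{'ALLOW' if ok else 'DENY':5} {ca:16} {name:24} {why}")
```

Running the script prints one decision per line. The two results worth studying are *.yourdomain.com for digicert.com (denied, because the apex issuewild record lists only Let's Encrypt) and *.api.yourdomain.com for digicert.com (allowed, because api.yourdomain.com has no issuewild record, so its issue record covers wildcards). To check a live domain, feed the output of `dig <name> CAA +short` for each name in the chain into SAMPLE_DIG_OUTPUT's format.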


What Happens If Your CAA Record Is Wrong

If your CAA record incorrectly excludes the CA you're trying to use:

  • Let's Encrypt returns: Error: CAA record for yourdomain.com prevents issuance
  • Other CAs refuse with a similar policy violation message
  • Unattended renewals (a Certbot cron job or systemd timer) fail without anyone noticing unless the exit status or logs are monitored, and the site breaks when the old certificate expires

This is why checking CAA records is part of any SSL troubleshooting process — see how to rotate SSL certificates without breaking your site for the full pre-rotation checklist.


Monitoring CAA Records

CAA records are DNS records, so they can be inadvertently removed or changed during DNS migrations, provider changes, or zone re-imports. A missing CAA record silently reopens your domain to issuance from any CA, and nothing breaks to tell you. Domain Monitor monitors your DNS records and alerts when any record changes unexpectedly, including CAA. Create a free account.

