East Bay Cyber
Glossary

What Is a CAA Record?

A CAA record is a DNS record that tells certificate authorities which of them are allowed to issue TLS certificates for your domain. Short for Certificate Authority Authorization, a CAA record helps domain owners limit certificate issuance and reduce the chance of an unauthorized or mistaken certificate being created for their site.

If you are reviewing related topics, it also helps to understand TLS (/content/what-is-tls) and DNSSEC (/content/what-is-dnssec), since CAA sits at the intersection of certificate management and DNS security.

CAA record definition

A CAA record is a policy control stored in DNS. Its purpose is simple: let domain owners specify which public certificate authorities, or CAs, may issue certificates for a domain or subdomain.

Without a CAA record, any trusted public CA that successfully validates domain control could potentially issue a certificate. With a CAA record in place, the CA is expected to check DNS first and honor the allowed issuer list.

How a CAA record works

When a certificate authority receives a request for a TLS certificate, it should look up the domain’s CAA record before issuing the certificate.

At a high level, the process works like this:

  1. A domain owner publishes a CAA record in DNS
  2. The record identifies which CA or CAs may issue certificates
  3. A CA receives a certificate request for that domain
  4. The CA checks the CAA policy in DNS
  5. If the CA is authorized, issuance can proceed
  6. If not, the CA should refuse the request

This gives the domain owner a DNS-based way to control certificate issuance instead of relying only on account settings with a single certificate provider.

What a CAA record can specify

CAA records commonly define one or more of these policies:

  • Which CA may issue standard certificates
  • Which CA may issue wildcard certificates
  • Where incident or policy-violation reports should be sent

The most common CAA tags are:

issue

The issue tag authorizes a CA to issue regular, non-wildcard certificates for the domain.

issuewild

The issuewild tag authorizes a CA to issue wildcard certificates, such as *.example.com.

iodef

The iodef tag tells a CA where to send reports about policy violations or certificate-related issues.

Why CAA records matter

CAA records matter because they reduce unnecessary trust in the certificate ecosystem. In most cases, certificate issuance is legitimate, but mistakes happen. A misconfiguration, validation problem, or compromised workflow could lead to a certificate being issued by a CA you never intended to use.

A CAA record helps reduce that risk by narrowing the list of allowed issuers.

That makes it useful for:

  • Public websites
  • APIs
  • SaaS platforms
  • Enterprise portals
  • Organizations with multiple subdomains
  • Teams that want tighter DNS and certificate governance

What a CAA record does not do

A CAA record is helpful, but it is not a complete certificate security solution. It does not:

  • Encrypt traffic by itself
  • Replace certificate lifecycle management
  • Prevent expiration issues
  • Eliminate the need to secure DNS
  • Stop misuse if an authorized CA is involved
  • Fix weak certificate deployment practices

If an attacker can modify your DNS records, they may also be able to change your CAA policy. That is why registrar security, DNS access control, and broader domain protection still matter.

CAA inheritance and subdomains

CAA records can be configured at the root domain or at specific subdomains. If a subdomain does not have its own CAA record, certificate authorities generally walk up the DNS hierarchy, parent by parent, and apply the first CAA policy they find.

For example:

  • example.com can define a default issuance policy
  • api.example.com can inherit that policy
  • payments.example.com can use a more restrictive policy

This flexibility is useful when different services or business units rely on different certificate providers.

Common CAA record examples

Here are a few common policy patterns.

Allow one CA for normal certificates

This allows a single CA to issue standard certificates for the domain.

example.com. IN CAA 0 issue "letsencrypt.org"

Allow one CA for wildcard certificates

This allows a CA to issue wildcard certificates.

example.com. IN CAA 0 issuewild "digicert.com"

Send incident reports

This asks certificate authorities to send policy-related reports to a specified address.

example.com. IN CAA 0 iodef "mailto:security@example.com"

Block all wildcard issuance

Some organizations choose not to allow wildcard certificates at all.

example.com. IN CAA 0 issuewild ";"
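The lookup procedure described under "How a CAA record works", the parent-walking behaviour from "CAA inheritance and subdomains", and the four record patterns above can all be exercised in one small policy evaluator. The following Python is an added example, not code from the article or from any certificate authority; the sample zone is constructed data written in the same presentation format as the examples above, the lookup order follows RFC 8659 (start at the requested name, climb towards the root, use the first CAA RRset found), and all function and variable names are this example's own. The final helper, blocked_cas, is the pre-deployment check a team would run before publishing a record so that a CA it still relies on for renewals is not silently locked out.

```python
"""CAA policy evaluation (added example; not the article's or a CA's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample zone: the apex allows one CA for normal certificates,
# blocks all wildcard issuance, names an iodef contact, and one subdomain
# overrides the apex with a different CA.
SAMPLE_ZONE = """
example.com.          IN CAA 0 issue "letsencrypt.org"
example.com.          IN CAA 0 issuewild ";"
example.com.          IN CAA 0 iodef "mailto:security@example.com"
payments.example.com. IN CAA 0 issue "digicert.com"
"""

# owner [TTL] IN CAA flags tag "value"
CAA_LINE = re.compile(
    r'^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+CAA\s+(?P<flags>\d+)\s+'
    r'(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"\s*$'
)
KNOWN_TAGS = ("issue", "issuewild", "iodef")


@dataclass(frozen=True)
class CaaRecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        # Flag bit 128 ("issuer critical"): a CA that does not understand the
        # tag must refuse to issue rather than ignore the record.
        return bool(self.flags & 128)


def parse_zone(text: str) -> dict[str, list[CaaRecord]]:
    """Group CAA records by owner name (lower-cased, trailing dot removed)."""
    rrsets: dict[str, list[CaaRecord]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CAA_LINE.match(line)
        if m is None:
            raise ValueError(f"not a CAA record: {line}")
        owner = m["name"].lower().rstrip(".")
        rrsets.setdefault(owner, []).append(
            CaaRecord(int(m["flags"]), m["tag"].lower(), m["value"]))
    return rrsets


def relevant_rrset(rrsets: dict[str, list[CaaRecord]], name: str):
    """Climb from name towards the root and return (owner, records) for the
    first CAA RRset found, or (None, None) if no ancestor publishes CAA."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in rrsets:
            return candidate, rrsets[candidate]
    return None, None


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'."""
    return value.split(";", 1)[0].strip().lower()


def is_issuance_authorized(rrsets, fqdn: str, ca: str, wildcard: bool = False) -> bool:
    """Decide whether `ca` may issue for `fqdn`; a leading '*.' marks a wildcard."""
    name = fqdn.lower().rstrip(".")
    if name.startswith("*."):
        wildcard, name = True, name[2:]
    _, rrset = relevant_rrset(rrsets, name)
    if rrset is None:
        return True  # no CAA anywhere up the tree: any trusted CA may issue
    if any(r.critical and r.tag not in KNOWN_TAGS for r in rrset):
        return False  # unknown tag marked critical forbids issuance outright
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # Wildcard requests use issuewild when present and fall back to issue
    # otherwise; non-wildcard requests ignore issuewild entirely.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # only iodef (or nothing) published: no restriction
    # A bare ";" names no issuer, so nothing matches and issuance is refused.
    return any(issuer_domain(r.value) == ca.lower() for r in applicable)


def blocked_cas(rrsets, fqdn: str, cas_in_use: list[str]) -> list[str]:
    """Which of the CAs a team actually uses would this policy block for fqdn?
    A non-empty answer before go-live is a renewal outage caught early."""
    return sorted(ca for ca in cas_in_use
                  if not is_issuance_authorized(rrsets, fqdn, ca))


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    for req, ca in [("api.example.com", "letsencrypt.org"),
                    ("payments.example.com", "letsencrypt.org"),
                    ("*.example.com", "letsencrypt.org")]:
        verdict = "allowed" if is_issuance_authorized(zone, req, ca) else "refused"
        print(f"{ca} -> {req}: {verdict}")
    print("blocked for www.example.com:",
          blocked_cas(zone, "www.example.com", ["letsencrypt.org", "digicert.com"]))
```

Run against the constructed zone, api.example.com inherits the apex policy (Let's Encrypt allowed, DigiCert refused), payments.example.com uses its own more restrictive record, and a wildcard request under the apex is refused by the bare ";" issuewild record. A real CA resolves these records over DNS rather than from a zone file, but the decision logic it applies is the same one shown here.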

Operational considerations

CAA is simple, but it should still be deployed carefully. Before restricting certificate issuance, make sure you know:

  • Which certificate authorities your organization actually uses
  • Whether automated renewals depend on a specific CA
  • Whether managed services request certificates on your behalf
  • Whether wildcard certificates are required
  • Who owns certificate operations for each important domain

A bad CAA configuration can block legitimate renewals and create avoidable outages.

For teams trying to improve operational security around domain administration, a password manager like 1Password can help reduce credential reuse and tighten access to registrar, DNS, and certificate accounts.

When you will encounter CAA records

You will usually encounter CAA records when working with DNS, TLS certificates, or public-facing services.

Website and API deployments

CAA often appears during HTTPS hardening or DNS cleanup for websites, APIs, portals, and SaaS applications.

Certificate automation

Teams using automated issuance and renewal commonly review CAA to ensure only approved providers can request certificates.

Security reviews and audits

Assessors often check for CAA as part of domain and PKI hygiene because it is relatively easy to implement and provides meaningful value.

Certificate investigations

If there is concern about unexpected certificate issuance, defenders may review CAA to confirm whether the domain policy allowed a given CA to issue a certificate.

Mature domain governance

Larger organizations are more likely to standardize CAA as part of formal domain governance, but smaller businesses can benefit too.

Related terms

DNS

The Domain Name System maps domain names to various kinds of information, including IP addresses and policy records such as CAA.

TLS certificate

A TLS certificate helps support encrypted communication over HTTPS and other secure services. CAA helps control which authorities may issue those certificates.

Certificate authority

A certificate authority is a trusted organization that issues digital certificates after validating domain control or organizational identity.

PKI

Public Key Infrastructure is the broader trust system behind certificates, keys, validation, and certificate authorities.

DNSSEC

DNSSEC helps protect DNS responses from tampering. It does not replace CAA, but it complements it by improving trust in DNS data.

Wildcard certificate

A wildcard certificate covers a domain and its subdomains, such as *.example.com. CAA can apply different rules to wildcard issuance.

Best-practice takeaway

CAA is one of those rare security controls that is both simple and useful. It will not solve every certificate risk, but it gives you a clearer issuance policy, reduces accidental trust expansion, and adds a meaningful layer to domain security.

If your team manages public domains, TLS certificates, or customer-facing applications, CAA is worth reviewing alongside certificate renewal processes, DNS access controls, and endpoint hygiene with tools like Malwarebytes on administrative systems that manage critical infrastructure.

Bottom line

A CAA record is a DNS-based control that tells certificate authorities which of them may issue certificates for your domain. It does not replace good certificate management, but it is a practical way to reduce unauthorized issuance and strengthen domain security with very little overhead.

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-05-13