CAA Lookup
Control which certificate authorities can issue certificates
Check Certificate Authority Authorization (CAA) records for any domain.
What is a CAA record?
CAA records let a domain owner define which certificate authorities are allowed to issue certificates for the domain.
Common CAA tags
Use issue, issuewild, and iodef tags to control standard certificates, wildcard certificates, and incident reporting.
Why it matters
CAA reduces the risk of mis-issuance by limiting which CAs can issue certificates for your domain.
CAA records explained
CAA records let you restrict which certificate authorities can issue SSL/TLS certificates for a domain.
Use issue for standard certificates, issuewild for wildcard certificates, and iodef for incident reporting. The critical flag tells a CA that it must not issue a certificate if it does not understand the record's tag.
Example CAA record
CAA entries are published at the domain root and include a tag plus a value.
| Host | Tag | Value | TTL |
|---|---|---|---|
| @ | issue | letsencrypt.org | 3600 |
| @ | iodef | mailto:[email protected] | 3600 |
Use issuewild when you want to restrict wildcard certificates.
Set the critical flag if CAs must understand the tag.
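How a CA applies these records to an issuance request, as an added example that is not part of the original page or any tool it describes. It goes beyond the table above by also showing the parent-domain lookup and the empty `;` value defined in RFC 8659; the record data, the function names and the `otherca.example` identifier are constructed for illustration.

```python
# Added example: CAA evaluation over constructed records (no DNS queries are made).
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # flags bit: a CA that does not understand the tag must refuse

# Constructed sample data: name -> list of (flags, tag, value)
ZONE = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),  # empty issuer: no CA may issue wildcards
        (0, "iodef", "mailto:security@example.com"),
    ],
    "critical.example.net": [(128, "futuretag", "x"), (0, "issue", "letsencrypt.org")],
    "reports.example.org": [(0, "iodef", "mailto:security@example.org")],
}

def relevant_rrset(name, zone):
    """Climb from the name toward the root; the first non-empty CAA set wins."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def may_issue(ca_domain, name, zone=ZONE):
    """Return True if CAA permits ca_domain to issue for name."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name, zone)
    # An unrecognized tag with the critical bit set blocks issuance outright.
    if any(f & CRITICAL and t.lower() not in KNOWN_TAGS for f, t, _ in rrset):
        return False

    def issuers(tag):
        # The issuer domain is the part of the value before any ';' parameters.
        return [v.split(";")[0].strip().lower() for _, t, v in rrset if t.lower() == tag]

    allowed = issuers("issue")
    if wildcard and issuers("issuewild"):
        allowed = issuers("issuewild")  # issuewild overrides issue for wildcards
    if not allowed:
        return True  # e.g. only iodef present, or no CAA anywhere: unrestricted
    return ca_domain.lower() in allowed
```

A name with only an iodef record, or with no CAA record anywhere up the tree, comes back unrestricted, which is why a reporting address alone does not limit issuance.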
Error glossary
NXDOMAIN
The domain does not exist in DNS. Check the spelling or registration status.
SERVFAIL
The resolver failed to answer. This can be caused by DNSSEC issues or upstream outages.
Timeout
The DNS server did not respond in time. Try again or check connectivity.
Frequently Asked Questions
Do I need a CAA record?
CAA is optional, but recommended if you want to restrict which CAs can issue certificates for your domain.
What happens if there is no CAA record?
Any trusted certificate authority can issue a certificate for the domain.
What is the iodef tag used for?
The iodef tag provides a URL or email address where CAs can report certificate issuance issues.