OneWebDesk

CAA Record Check

Check which CAs are allowed to issue certificates via CAA records.

CAA (Certification Authority Authorization) Lookup checks, in real time, which certificate authorities (CAs) a domain allows to issue certificates. Enter a domain and the tool reads the CAA rules published in public DNS (issue, issuewild, iodef) and shows the allowed CAs and flags in a table.

CAA is a preventive control rather than a last line of defense: publicly trusted CAs are required to check it at issuance time, so it stops a CA you never chose from issuing for your names, but it cannot stop a CA that ignores the record, and it does not replace watching Certificate Transparency logs for certificates you did not request. With no record, any CA may issue; with a record, only the listed CAs may. It is also the first thing to check when a CA suddenly refuses to issue or renew. Results are briefly cached for fast responses.

How CAA works

Before issuing a certificate, publicly trusted CAs are required (RFC 8659 and the CA/Browser Forum Baseline Requirements) to look up CAA for the exact name and, if it has no records, to walk up through its parents and use the closest record set found. If a record set exists and the CA is not named in it, the CA must refuse to issue. In effect, CAA is a DNS record set that declares "only these CAs may issue certificates for this name, and for everything beneath it that has no CAA of its own."

  • issue: the CAs allowed to issue certificates for the name; this also covers wildcard certificates when no issuewild record is present
  • issuewild: the CAs allowed to issue wildcard (*.example.com) certificates; when present it replaces issue for wildcards, and issuewild ";" forbids wildcards entirely
  • iodef: a contact (mailto: or URL) the CA can use to report certificate requests that violate the policy (not every CA sends these reports)
  • flag: 128 sets the critical bit, so a CA that does not understand the record's property tag must refuse to issue; with flag 0 the CA may ignore a tag it does not recognise

A Let's Encrypt example

To allow only Let's Encrypt to issue, publish the records below. The issuewild line is optional here, because issue already covers wildcards when no issuewild record exists, but it makes the wildcard policy explicit. A value of just a semicolon, such as issue ";", means no CA at all may issue.

  • example.com. CAA 0 issue "letsencrypt.org"
  • example.com. CAA 0 issuewild "letsencrypt.org"
  • example.com. CAA 0 iodef "mailto:security@example.com"

Things to watch when configuring

CAA applies to the closest record set at or above the name: if a subdomain has none, resolution walks up to the parent, and a subdomain that does have its own set replaces the parent's policy entirely rather than merging with it. When switching CAs or relying on automated renewal, a CA that is missing from the list is refused; the CA returns a CAA error, but with unattended renewal that error is easy to miss until the certificate expires, so check renewal logs after any CAA change. In multi-CA setups, list every CA you use on the issue (and, if present, issuewild) lines, and remember that a CA evaluates whatever DNS returns at issuance time, so allow for TTLs after editing the records. To see which CA actually issued the live certificate use the SSL Certificate Checker, and to view other DNS records on the same domain use the DNS Lookup.
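The decision a CA makes from these records (walking up to the closest record set, treating issue versus issuewild, honouring the critical flag, and reading ";" as "nobody") is small enough to write out. The following is an added example, not the tool's own code: it evaluates RFC 8659 CAA policy against a constructed in-memory zone so it runs offline, where a real CA would query DNS instead. The names, record values and the CA identifiers in the zone are assumptions for illustration; the "validationmethods=dns-01" parameter is the RFC 8657 extension that Let's Encrypt honours.

```python
# Added example (not the OneWebDesk tool's code): an offline implementation of the
# RFC 8659 CAA decision a CA makes before issuing. A constructed in-memory zone
# stands in for DNS, so no network access is needed; a real CA resolves the
# records instead. The api.example.com record uses the RFC 8657
# "validationmethods" parameter, which Let's Encrypt honours.
from dataclasses import dataclass

CRITICAL = 128                      # the only defined flag bit: "issuer critical"
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int                      # 0 or 128 in practice
    tag: str                        # property tag, compared case-insensitively
    value: str                      # property value as published


# Constructed sample zone; every name and value here is an assumption.
ZONE = {
    "example.com.": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issuewild", ";"),              # no CA may issue wildcards
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.com.": [                          # replaces, not merges, the parent set
        CAARecord(0, "issue", "digicert.com"),
    ],
    "api.example.com.": [                             # Let's Encrypt, but only via DNS validation
        CAARecord(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
    ],
    "strict.example.com.": [                          # a critical tag no CA understands
        CAARecord(CRITICAL, "newtag", "x"),
        CAARecord(0, "issue", "letsencrypt.org"),
    ],
}


def relevant_rrset(fqdn, zone=ZONE):
    """RFC 8659 section 3: the record set of the closest ancestor-or-self that has one."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        if zone.get(name):
            return name, zone[name]
    return None, []


def parse_issuer(value):
    """Split 'ca.example; k=v; k2=v2' into (issuer_domain, params). ';' alone gives ''."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return parts[0].lower(), params


def may_issue(ca, fqdn, wildcard=False, method=None, zone=ZONE):
    """Return (allowed, reason) for CA identifier `ca` issuing for `fqdn`."""
    src, rrset = relevant_rrset(fqdn, zone)
    if not rrset:
        return True, "no CAA record set in the tree; issuance is unrestricted"
    for r in rrset:
        if r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS:
            return False, f"critical property '{r.tag}' at {src} is not understood"
    # issuewild applies only to wildcard names and only if present; otherwise issue applies.
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"
    entries = [parse_issuer(r.value) for r in rrset if r.tag.lower() == tag]
    if not entries:
        return True, f"no '{tag}' property at {src}; issuance is unrestricted"
    for issuer, params in entries:
        if issuer != ca.lower():
            continue
        allowed = params.get("validationmethods")
        if method and allowed and method not in allowed.split(","):
            return False, f"{ca} listed at {src} but only for {allowed}"
        return True, f"{ca} listed in '{tag}' at {src}"
    names = sorted(i or "<none>" for i, _ in entries)
    return False, f"{ca} not in '{tag}' set at {src}: {names}"


if __name__ == "__main__":
    for args in [("letsencrypt.org", "www.example.com."),
                 ("letsencrypt.org", "www.example.com.", True),
                 ("letsencrypt.org", "legacy.example.com."),
                 ("letsencrypt.org", "api.example.com.", False, "http-01"),
                 ("letsencrypt.org", "strict.example.com.")]:
        print(args[1], may_issue(*args))
```

The legacy.example.com case is the one that bites in practice: the subdomain's own record set is the relevant one, so Let's Encrypt is refused there even though the parent allows it. To compare against live DNS, `dig +short CAA example.com` prints the same flags, tags and values the tool tabulates.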

Frequently asked questions

Is it risky to have no CAA record?
It is not a vulnerability in itself, but it leaves issuance unrestricted: any publicly trusted CA may issue for the domain if someone passes its validation. Listing only the CAs you actually use narrows that to CAs you already trust and monitor.
Does adding CAA invalidate existing certificates?
No. CAA is checked only at issuance/renewal time and does not affect already-issued certificates. However, the next renewal can fail if the issuing CA is missing from the list.
Which CA name should I enter?
Use the CAA identifying domain the CA publishes. For example, Let's Encrypt uses letsencrypt.org and DigiCert uses digicert.com. Check each CA's documentation for the exact value.
Is the domain I enter sent anywhere?
Only the domain name is queried against a trusted public DNS resolver over DNS over HTTPS. No other data is transmitted, and results are cached for 60 seconds.

Related tools