What Is a CAA Record?
The CAA (Certification Authority Authorization) record is a DNS record type defined in RFC 6844 (published in 2013) and revised by RFC 8659 (2019). It lets the owner of a domain declare which certificate authorities (CAs) are permitted to issue TLS certificates for that domain and, by inheritance, for its subdomains.
Without a CAA record, any CA trusted by browsers (the browser root programmes contain well over a hundred of them) can issue a certificate for your domain, and nothing in DNS tells it that it should not. If any one of those CAs is compromised or makes a validation mistake, the result is a valid certificate for your site in someone else's hands.
Why It Matters: The Symantec Incident
In 2017, an investigation led by Google found that Symantec (then one of the world's largest CAs) and its partner registration authorities had issued roughly 30,000 certificates without proper validation over several years. Chrome responded by withdrawing trust in Symantec's roots in stages, completing the distrust in 2018. The episode illustrates how much damage a single CA's failure can do when domain owners have no say over who may issue for their names. Note the limit of the control, though: CAA constrains CAs you have not authorised; it cannot protect you from mistakes made by the CA you chose.
That same year, in September 2017, the CA/Browser Forum (the consortium of browsers and certificate authorities) made CAA checking mandatory in its Baseline Requirements (Ballot 187): a publicly trusted CA must look up the CAA records of every name in a certificate at issuance time and must not issue if those records do not permit it.
Structure of a CAA Record
A CAA record consists of a flags field, a property tag and a value. Three property tags are defined:
- issue: authorises a CA to issue certificates for the domain; unless an issuewild record also exists, it governs wildcard names as well
- issuewild: authorises a CA to issue wildcard certificates (e.g. *.example.com); when present it takes precedence over issue for wildcard names, so a domain can allow one CA for ordinary names and another (or none) for wildcards
- iodef: an email address (mailto:) or URL to which a CA can report an issuance request that the record did not permit (incident report)
Example DNS zone authorising only Let's Encrypt (the leading 0 is the flags field; a value of 128 marks the property as critical, telling a CA that does not understand the tag not to issue at all):
example.com. 3600 IN CAA 0 issue "letsencrypt.org"
example.com. 3600 IN CAA 0 issuewild "letsencrypt.org"
example.com. 3600 IN CAA 0 iodef "mailto:admin@example.com"
Checking Your CAA Record with dig
The dig command queries the CAA records of any domain directly:
dig CAA example.com
If the ANSWER section is empty (status NOERROR, no CAA records returned), that name has no CAA record of its own. A CA then checks each parent name in turn, up to the top-level domain, so a record published at example.com still covers www.example.com and api.example.com unless a subdomain publishes its own. If nothing is found anywhere in that chain, any CA can issue a certificate for the name. This is the default situation, and the riskiest one.
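The lookup a CA performs, as an added example that is not part of this article or of any CA's code: a small Python evaluator following the relevant-record-set rules of RFC 8659. It parses CAA records in the presentation format that dig prints, walks up the DNS tree from the requested name to find the closest CAA record set (which is why a record at example.com also governs api.example.com), applies issuewild in preference to issue for wildcard names, treats an empty issuer name (issue ";") as "no CA may issue", and refuses when a property it does not understand carries the critical flag (128). The zone data is constructed for the example and is not real DNS; the function names and the "futuretag" property are assumptions made for illustration.

```python
import re

# Constructed sample (not real DNS): the ANSWER lines `dig CAA <name>` would
# print for a few names. An empty list means the name has no CAA records and
# therefore inherits whatever its closest ancestor publishes.
CONSTRUCTED_ZONE = {
    "example.com.": [
        'example.com. 3600 IN CAA 0 issue "letsencrypt.org"',
        'example.com. 3600 IN CAA 0 issuewild "letsencrypt.org"',
        'example.com. 3600 IN CAA 0 iodef "mailto:admin@example.com"',
    ],
    "api.example.com.": [],            # inherits example.com.'s records
    "locked.example.com.": [
        # empty issuer name: no CA at all may issue for this name or below it
        'locked.example.com. 3600 IN CAA 0 issue ";"',
    ],
    "strict.example.com.": [
        # critical flag (128) on a hypothetical tag this evaluator does not know
        'strict.example.com. 3600 IN CAA 128 futuretag "x"',
    ],
    "nocaa.test.": [],                 # no CAA record anywhere in its tree
}

# Presentation format: <owner> <ttl> IN CAA <flags> <tag> "<value>"
CAA_RE = re.compile(
    r'^(?P<owner>\S+)\s+\d+\s+IN\s+CAA\s+(?P<flags>\d+)\s+(?P<tag>\S+)\s+"(?P<value>[^"]*)"\s*$'
)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128


def parse_caa(line):
    """Parse one CAA resource record into (flags, tag, value)."""
    m = CAA_RE.match(line.strip())
    if not m:
        raise ValueError("not a CAA record: %r" % line)
    return int(m.group("flags")), m.group("tag").lower(), m.group("value")


def relevant_record_set(name, zone):
    """RFC 8659 section 3: the CAA RRset of the name itself, or else of the
    closest ancestor that has one (CNAME/DNAME handling omitted here)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        rrs = zone.get(candidate, [])
        if rrs:
            return [parse_caa(r) for r in rrs]
    return []


def issuer_domain(value):
    """issue/issuewild value: an issuer domain name, then optional
    ';'-separated parameters. An empty issuer domain means nobody may issue."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(name, ca, zone):
    """Decide whether CA `ca` may issue for `name` (prefix '*.' for a wildcard)."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    rrset = relevant_record_set(base, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: any CA may issue
    # A critical property the issuer does not understand forbids issuance.
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, tag, v in rrset if tag == "issue"]
    issuewild = [v for _, tag, v in rrset if tag == "issuewild"]
    # issuewild governs wildcard names when present; otherwise issue applies
    # to wildcard and non-wildcard names alike.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # e.g. only iodef present: no restriction is expressed
    return ca.lower() in {issuer_domain(v) for v in applicable}


if __name__ == "__main__":
    for name, ca in [("www.example.com.", "letsencrypt.org"),
                     ("www.example.com.", "digicert.com"),
                     ("*.example.com.", "letsencrypt.org"),
                     ("api.example.com.", "letsencrypt.org"),
                     ("locked.example.com.", "letsencrypt.org"),
                     ("strict.example.com.", "letsencrypt.org"),
                     ("nocaa.test.", "digicert.com")]:
        verdict = "allowed" if may_issue(name, ca, CONSTRUCTED_ZONE) else "DENIED"
        print("%-22s %-16s %s" % (name, ca, verdict))
```

To run it against your own names, paste the ANSWER lines from dig CAA into the dictionary; nothing else needs to change. The evaluator deliberately omits the CNAME and DNAME rules that RFC 8659 also specifies, and it is a check of what a compliant CA would decide, not a substitute for asking your CA.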
Impact When the CAA Record Is Missing
Without a CAA record, any certificate authority in the browser trust programmes can issue a certificate for your domain without violating any rule. If one of those CAs is compromised through an attack or internal negligence, an attacker could obtain a valid certificate for your site and mount man-in-the-middle attacks (interception of encrypted traffic) that visitors cannot distinguish from a legitimate connection. Certificate Transparency logs make such a certificate discoverable after the fact; CAA is the complementary preventive control, because a compliant CA refuses at issuance time. Bear in mind that CAA is enforced by the CA, not by the browser: a CA that ignores its obligations, or an attacker who already controls your DNS, is not stopped by it, which is one reason to sign the zone with DNSSEC so that the CA's lookup cannot be spoofed.
Adding a CAA record is a simple, free, defence-in-depth measure with no impact on visitors.
Secure Your Domain with a Complete Audit
The CAA record is only one of the many DNS security layers to check — alongside DNSSEC, SPF, DKIM and DMARC. Run a free audit to get a full DNS security assessment for your domain and identify missing or misconfigured records.