What is a CAA record?

Home / Everything About / Everything About Domains / What is a CAA record?

If you have been following the chapters on DNS record types, you know that each record in your DNS zone serves a specific purpose. A records point to servers. MX records route email. TXT records handle verification and email security. A CAA record does something different. It controls who is allowed to issue SSL certificates for your domain name.

Without a CAA record, any certificate authority in the world can issue a certificate for your domain if someone requests one. That might sound harmless, but it opens the door to certificates being issued by authorities you never chose and never approved. Adding a CAA record closes that door and puts you in control.

What does CAA stand for?

CAA stands for certificate authority authorization. The name says exactly what the record does. It authorizes specific certificate authorities (CAs) to issue SSL certificates for your domain and tells all other CAs to refuse.

Certificate authorities are the organizations responsible for verifying that a domain owner is who they say they are, then issuing the SSL certificate that enables HTTPS. There are dozens of CAs operating around the world. Without a CAA record, your domain is open to all of them. With one, you choose which ones have permission.

What does a CAA record look like?

A CAA record has three main parts that work together. Here is what each one means.

  • Flag is a number that controls how the record is handled. For most setups, this is set to 0. A flag of 128 tells a CA that if it does not understand the record tag, it must refuse to issue the certificate rather than ignore the record
  • Tag tells the CA what kind of permission or instruction this record contains. There are three tag types, explained in detail below
  • Value is the name of the certificate authority being authorized or the contact address for reporting. This is always wrapped in quotes

Here is what a simple CAA record looks like in a DNS panel.

  • Hostname set to @
  • Type set to CAA
  • Flag set to 0
  • Tag set to issue
  • Value set to "letsencrypt.org"

That record says one thing. Only Let's Encrypt is allowed to issue standard SSL certificates for this domain. Any other CA that receives a certificate request for your domain must check your CAA records first and refuse if they are not on the list.

What are the three CAA record tag types?

Each CAA record uses one of three tags. The tag tells certificate authorities what kind of instruction the record contains.

The "issue" tag

The issue tag is the most common. It names a certificate authority that is allowed to issue standard SSL certificates for your domain. If you want to allow two different CAs, you add two separate CAA records, each with the issue tag and a different CA name.

For example, if your domain uses certificates from both Let's Encrypt and DigiCert, you would have two CAA records.

  • 0 issue "letsencrypt.org"
  • 0 issue "digicert.com"

If you want to block all certificate issuance entirely, you can set the issue value to a semicolon with nothing after it. That tells every CA in the world that nobody is authorized to issue certificates for your domain.

The "issuewild" tag

The issuewild tag works the same way as issue, but it only applies to wildcard certificates. A wildcard certificate covers your main domain and all its subdomains at once (like *.yourdomain.com).

If you set an issuewild record, it controls which CAs can issue wildcard certificates separately from who can issue regular ones. This is useful if you want one CA handling your standard certificates and a different CA handling wildcard certificates, or if you want to block wildcard certificates entirely while still allowing standard ones.

If no issuewild record exists, the issue tag applies to both standard and wildcard certificates by default.

The "iodef" tag

The iodef tag does not control who can issue certificates. Instead, it tells CAs where to send a report if someone tries to request a certificate that violates your CAA policy.

The value is usually an email address or a URL. For example.

  • 0 iodef "mailto:security@yourdomain.com"

This means if a CA receives a certificate request for your domain and your CAA record says that CA is not authorized, the CA should send a notification to that email address. Not all CAs support iodef reporting, but the ones that do will give you visibility into unauthorized certificate requests.

How do you add a CAA record?

Adding a CAA record follows a similar process to adding any other DNS record. If you have added a TXT record or an A record before, this will feel familiar.

  1. Log in to the DNS management panel where your domain's nameservers are set. This is usually your domain registrar or your hosting provider
  2. Find the DNS records section or DNS zone editor
  3. Click the option to add a new record
  4. Select CAA as the record type
  5. Set the flag to 0 unless you have a specific reason to use 128
  6. Choose the tag type. Use "issue" for standard certificates, "issuewild" for wildcard certificates, or "iodef" for violation reports
  7. Enter the value. For issue and issuewild, this is the domain name of the CA (like "letsencrypt.org"). For iodef, this is an email address or reporting URL
  8. Save the record

If you want to authorize more than one CA, add a separate CAA record for each one. DNS changes can take anywhere from a few minutes to 48 hours to propagate. For more on how that works, read the chapter on how DNS works.

Do you need a CAA record?

A CAA record is not required. Your domain will work perfectly fine without one, and your SSL certificate will still function. But having one adds a useful layer of domain security that costs nothing to set up.

Without a CAA record, any certificate authority can issue an SSL certificate for your domain if someone requests one. In most cases, this is not a problem because CAs have their own verification steps. But those steps are not foolproof. There have been cases where certificates were issued to the wrong people, either through mistakes or through CAs with weaker validation processes.

With a CAA record in place, only the CAs you have specifically named can issue certificates. Every other CA is required to refuse, even if the person requesting the certificate passes their normal checks. It is a small addition to your DNS zone that reduces an entire category of risk.

What happens if your CAA record blocks a legitimate request?

If you add a CAA record naming one CA and then try to get a certificate from a different CA, the request will fail. The CA will check your CAA records, see that it is not authorized, and refuse to issue the certificate.

This is not a bug. It is the whole point. But it means you need to keep your CAA records in sync with whichever CA your hosting provider or website platform uses. If you switch hosting providers and the new provider uses a different CA, you will need to update your CAA records to include the new one.

The fix is simple. Either add a new CAA record for the new CA or update the existing one. The important thing is to check your CAA records whenever you change your SSL provider or hosting setup.

How WEMASY handles CAA records

When you build a website with WEMASY and connect a custom domain, WEMASY provisions and manages your SSL certificate automatically. If you want to add a CAA record for extra security, WEMASY's domain setup guide tells you which CA to authorize so your certificate renewal is never blocked.

WEMASY handles SSL, hosting, and domain configuration under one roof, so you do not need to worry about mismatched CAA records breaking your certificate. If you do add a CAA record, just make sure it includes the CA that WEMASY uses. See what is included in each plan on the WEMASY pricing page.

What comes next

Now that you understand how a CAA record controls which certificate authorities can issue SSL certificates for your domain, the next chapter covers SRV records. SRV records tell the internet where to find specific services running on your domain, like VoIP or chat servers. For an overview of all record types and when to use each one, see the chapter on DNS record types.

Frequently asked questions

Does a CAA record affect your website speed or uptime?

What happens if you have no CAA records at all?

Can you have CAA records on subdomains?

How do you find out which CA your hosting provider uses?

Will a CAA record prevent someone from creating a fake version of your site?