Home/Knowledge Hub/CAA Records: Who Can Issue Certificates for Your Domain
← Back to Knowledge Hub

CAA Records: Who Can Issue Certificates for Your Domain

DNS & NetworkSecurity·June 3, 2026·5 min read

CAA records tell certificate authorities which providers are allowed to issue SSL certificates for your domain, helping prevent phishing and impersonation.…

How CAA Records Work

Your customer visits your website and sees a padlock icon in the address bar. That padlock means the site is secured with an SSL/TLS certificate, issued by a company called a Certificate Authority (CA). But what if someone else managed to get a certificate for your domain and set up a fake website that looks exactly like yours? That’s where a CAA record helps. CAA stands for Certificate Authority Authorization. It’s a small, simple instruction you add to your domain’s DNS (the internet’s phonebook) that lists exactly which certificate authorities are allowed to issue certificates for your domain. Think of it like a guest list at a private event: only the people on the list get in. If a CA isn’t on your CAA record, they’re supposed to refuse to issue a certificate for your domain. Without a CAA record, any certificate authority—there are hundreds worldwide—can issue a certificate for your domain. That means if an attacker compromises or tricks a less trustworthy CA, they could obtain a valid certificate for your site and use it to impersonate you. A CAA record puts you in control of who can hand out those keys.

Real-World Analogy

Imagine your office building has a strict policy: only "SecureKeys Co." is allowed to duplicate keys for the front door. The building manager posts a notice in the lobby: "Only SecureKeys Co. may duplicate keys." That notice is like a CAA record. Any other locksmith who sees the notice knows they’re not allowed to cut a key, even if a tenant asks. It’s a public instruction that binds everyone.

In Plain English

Here’s what happens when a certificate is requested: Someone (maybe you, maybe an attacker) asks a certificate authority to issue an SSL certificate for yourdomain.com. The CA, before doing anything, looks up your domain’s DNS records. If a CAA record exists, the CA reads it and checks whether its own name is on the allowed list. If it is, the process continues normally. If it isn’t, the CA must refuse to issue the certificate. If there’s no CAA record at all, the CA is free to issue—no questions asked. This check happens automatically in seconds, and it’s invisible to your website visitors.

Technical Details
— the first number is a flag (almost always 0), means this CA can issue any certificate type for your domain, and is the CA’s domain.
— use if you need wildcard certificates (like ).
You can have multiple CAA records for different certificate authorities. Just add one record per CA.
Some CAs may require additional tags like for sending violation reports, but those are optional for most setups.
The CAA check works for your domain and all its subdomains unless a subdomain has its own CAA record that overrides the parent.

Why It Matters for Your Business

Your domain is your online identity. If someone gets a valid certificate for it, they can trick your customers into thinking a phishing site is the real you. That can lead to stolen credentials, financial loss, and damage to your reputation. A CAA record is a straightforward insurance policy against that risk.

When you rely on a specific certificate authority—perhaps you’ve purchased an Extended Validation certificate from a particular vendor, or you use a free service like Let’s Encrypt—a CAA record ensures no other CA accidentally or maliciously issues a competing certificate. It also helps you meet security compliance requirements, as many standards now expect organizations to restrict certificate issuance.

Even if you’re not technical, this matters. If your marketing site gets spoofed, customers lose trust. If your internal login portal gets cloned, your team could get phished. Setting a CAA record is a simple way to tell the world: "Only these trusted providers can vouch for my domain."

Common Issues and Warning Signs

A CAA record isn’t a set-and-forget magic bullet. Problems can arise if it’s misconfigured or forgotten. Here are some red flags that suggest your CAA setup needs attention.

Common Issues

You recently switched certificate providers (e.g., from DigiCert to Let’s Encrypt) but can’t get a new certificate issued. Your CAA record likely still lists only the old authority, causing the new CA to refuse.
Your TechSpy DNS scan shows a missing CAA record for your domain. Without one, any CA can issue certificates, increasing your risk of impersonation.
You use wildcard certificates (e.g., ) but your CAA record only has tags. Some CAs will deny wildcard requests unless an tag explicitly authorizes them.
A new subdomain (like ) can’t get its own certificate. By default, a CAA record on the main domain applies to all subdomains. If the subdomain needs a certificate from a different CA, you may need an explicit CAA record at the subdomain level.

How to Fix or Improve Your CAA Record

Fixing a CAA issue is usually a quick DNS update. If you manage your domain’s DNS yourself, you can do it in a few minutes. If your domain is managed by an IT team, a hosting provider, or a marketing agency, forward them this information to get it sorted.

Once your CAA record is set, TechSpy’s free scan can verify it’s working properly and that no other security gaps exist.

<!-- self-check: layer1_readable=true | fix_doable=true | no_padding=true | jargon_expanded=true -->

1Identify which certificate authority (or authorities) you currently use. Check with your IT person, your hosting provider, or look at the details of your existing SSL certificate (click the padlock in your browser, view certificate). Common CA domains: Let’s Encrypt uses , DigiCert uses , Google Trust Services uses , Amazon uses .
2Log into your DNS control panel (GoDaddy, Cloudflare, Namecheap, AWS Route 53, or wherever you manage DNS records). Navigate to the DNS records section.
3Add a new record of type . For the hostname, use (which represents your main domain) or leave it blank, depending on your provider. Set the flag to , the tag to , and the value to the CA’s domain in double quotes. Example: .
4If you use wildcard certificates, also add a record with the same CA domain but the tag . Example: .
5If you use multiple certificate authorities, repeat the process for each one. You can have as many CAA records as needed.
6Save the changes. Wait a few minutes for DNS propagation, then run another TechSpy scan to confirm the CAA record is in place and correct. If issues persist, double-check the CA domain spelling and that you haven’t left out a needed CA.
7If someone else manages your DNS, forward this article to them along with the name of your preferred certificate authority.

See how your domain's configuration stacks up.

Get a free scan — no sign-up, no credit card.

Scan Your Domain Free →