100% Free • No Signup • Live DNS

CAA Record Checker

Check which certificate authorities are allowed to issue SSL certificates for your domain.

CAA records • SSL issuance • Certificate authority • issue tags • DNS lookup • No signup

What this checker validates

One check reviews CAA records, allowed certificate authorities and SSL issuance policy.

CAA record presence

Check whether the domain publishes CAA records.

Allowed certificate authorities

Review which CAs are allowed to issue certificates for the domain.

Wildcard certificate policy

Check issuewild rules for wildcard certificate issuance.

Incident reporting

Find iodef reporting addresses for certificate issuance issues.

DNS inheritance

Review whether CAA policy may be inherited from parent domains.

SSL issuance control

Understand how CAA records help control certificate issuance.

Common CAA issues this tool can detect

Find certificate issuance policy signals that may affect SSL management.

No CAA

No CAA records

  • No CAA policy published
  • Public CAs may issue after validation
  • Recommended for stricter control
Wildcard

Wildcard policy missing

  • No issuewild tag found
  • Wildcard issuance follows normal issue policy
  • Add issuewild if wildcard control is needed
Reporting

Reporting not configured

  • No iodef contact found
  • CA incident reports may not be sent
  • Optional but useful for monitoring
Review

Configuration review

  • Unknown CA value
  • Duplicate or conflicting tags
  • Invalid CAA tag format

Missing CAA records are common and not a certificate failure. Missing iodef or issuewild tags are informational — they do not mean your SSL certificate is invalid.

How CAA checking works

The checker reads DNS CAA records and explains SSL certificate issuance policy.

  1. Enter a domain

    We clean the input, remove protocol or path, and validate the domain format.

  2. Query CAA records

    The tool checks CAA records in DNS for your domain and parent policy where available.

  3. Review issuance policy

    See allowed certificate authorities, wildcard rules, reporting contacts and recommended improvements.

Understanding CAA tags

issue

Allows a certificate authority to issue standard SSL certificates for the domain.

issuewild

Controls which certificate authorities may issue wildcard certificates.

iodef

Defines where certificate authorities can send reports about issuance problems.

flags

CAA flags can mark parts of the record as critical for certificate authorities.

CAA records control certificate issuance policy. They do not prove the currently installed SSL certificate is valid.

Checking CAA records…

Need help fixing CAA or certificate issuance?

Send us your domain report and we’ll review the issue.

Frequently asked questions

Common questions about CAA records and certificate issuance policy.

A CAA record is a DNS record that tells certificate authorities which CAs are allowed to issue SSL certificates for a domain.
No. Many domains do not publish CAA records. However, CAA records can improve control over certificate issuance.
If no CAA record exists, public certificate authorities may issue certificates after completing normal domain validation.
The issue tag allows a specific certificate authority to issue standard certificates for the domain.
The issuewild tag controls which certificate authorities may issue wildcard certificates.
No. The CAA Record Checker is free and does not require signup.