CAA Records: Controlling Which CAs Can Issue SSL Certificates

Learn what CAA records are, how they control which certificate authorities can issue SSL certificates, and how to avoid common CAA configuration problems.

By CheckDomainHealth Editorial Team · Reviewed by Dionis Ceban · Updated Jun 28, 2026 · 8 min read · Beginner

Introduction

CAA records are DNS records that tell certificate authorities which companies are allowed to issue SSL certificates for your domain. They are used to reduce the risk of unauthorized certificate issuance and to make certificate issuance rules clearer.

Most domains can work without CAA records, but if CAA records are present, certificate authorities must respect them. A wrong or outdated CAA record can prevent SSL certificates from being issued or renewed, especially after switching SSL providers, hosting platforms or CDN services.

Quick answer

A CAA record, or Certification Authority Authorization record, controls which certificate authorities are allowed to issue SSL certificates for a domain. If no CAA record exists, most certificate authorities can issue certificates after normal domain validation. If CAA records exist, only the listed authorities are allowed.

What is a CAA record?

A CAA record is a DNS record that defines which certificate authorities are authorized to issue SSL certificates for a domain.

Example
example.com CAA 0 issue "letsencrypt.org"

In this example, Let’s Encrypt is allowed to issue standard SSL certificates for example.com.

CAA records do not install SSL certificates. They only control which certificate authorities are allowed to issue them.

Is a CAA record required?

No, a CAA record is not required for every domain. If a domain has no CAA record, certificate authorities can usually issue SSL certificates after completing normal domain validation.

However, CAA records can be useful when you want to:

  • restrict certificate issuance to specific certificate authorities
  • reduce accidental issuance by unexpected providers
  • support stricter SSL management policies
  • receive reports about attempted certificate issuance
  • control wildcard certificate issuance separately

For small websites, missing CAA is usually not a critical issue. Incorrect CAA records are often more risky than no CAA record.

How CAA records work

Before issuing an SSL certificate, a certificate authority checks whether the domain has CAA records. If CAA records exist, the authority checks whether it is listed as allowed.

  1. A certificate request is made for a domain.
  2. The certificate authority checks DNS for CAA records.
  3. If no CAA record exists, issuance can continue after normal validation.
  4. If CAA records exist, the authority must be listed as allowed.
  5. If the authority is not allowed, certificate issuance should be refused.

CAA records are usually published at the registered domain, but a certificate authority looks for them starting at the exact hostname being certified and then at each parent domain in turn. The first set of CAA records it finds is the one that applies, so a parent domain's records govern any subdomain that publishes none of its own.

Common CAA tags

issue

Allows a certificate authority to issue standard certificates for the domain.

example.com CAA 0 issue "letsencrypt.org"

issuewild

Allows a certificate authority to issue wildcard certificates.

example.com CAA 0 issuewild "letsencrypt.org"

iodef

Provides a reporting address for certificate authority incident or policy reports.

example.com CAA 0 iodef "mailto:security@example.com"

The issue and issuewild tags are the most important for most domain owners.

CAA and wildcard certificates

Wildcard certificates cover subdomains such as *.example.com. CAA can control wildcard certificate issuance separately with the issuewild tag.

Example
example.com CAA 0 issue "letsencrypt.org"
example.com CAA 0 issuewild "letsencrypt.org"

If issue allows a certificate authority but issuewild does not, wildcard certificate issuance may still be blocked.

Check issuewild carefully if you use wildcard SSL certificates through a hosting provider, CDN or certificate automation system.

CAA inheritance and subdomains

CAA records can be inherited from parent domains when a subdomain does not have its own CAA record.

Example: If example.com has CAA records and app.example.com has no CAA record, certificate authorities may use the parent domain’s CAA policy when checking app.example.com.

If a subdomain uses a different SSL provider, check whether parent-domain CAA rules allow that provider.
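The lookup described in the sections above (climb from the hostname to its parents, take the first CAA set found, then apply issue or issuewild to the requesting CA) as an added Python example; it is not code from this guide. It parses records in the zone-file format shown later on this page over a constructed sample zone, and the function names, sample owner names and CA values are assumptions. The rules follow RFC 8659; CNAME handling is left out.

```python
import re

# Constructed sample zone (not real DNS) in the guide's record format; ";" means no CA may issue.
SAMPLE_ZONE_LINES = [
    'example.com.  3600  IN  CAA  0 issue "letsencrypt.org"',
    'example.com.  3600  IN  CAA  0 issuewild "digicert.com"',
    'example.com.  3600  IN  CAA  0 iodef "mailto:security@example.com"',
    'shop.example.com.  3600  IN  CAA  0 issue "sectigo.com"',
    'locked.example.com.  3600  IN  CAA  0 issue ";"',
]
CAA_LINE = re.compile(r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+(\d+)\s+([a-z0-9]+)\s+"([^"]*)"$', re.I)

def parse_caa_line(line):
    """Parse 'owner [ttl] [IN] CAA flags tag "value"'; malformed syntax raises ValueError."""
    m = CAA_LINE.match(line.strip())
    if not m or not 0 <= int(m.group(2)) <= 255:
        raise ValueError(f"invalid CAA record: {line!r}")
    owner, flags, tag, value = m.groups()
    return owner.lower(), (int(flags), tag.lower(), value)

def build_zone(lines):
    zone = {}  # owner name -> list of (flags, tag, value)
    for owner, rr in map(parse_caa_line, lines):
        zone.setdefault(owner, []).append(rr)
    return zone

def relevant_caa_set(hostname, zone):
    """First CAA RRset at the name or any parent (RFC 8659 s3); '*.a.b' starts at 'a.b'."""
    name = hostname.lower().rstrip(".") + "."
    if name.startswith("*."):
        name = name[2:]
    while name:
        if name in zone:
            return zone[name]
        name = name.split(".", 1)[1]  # climb one label towards the root
    return []

def ca_may_issue(hostname, ca_domain, zone):
    """True if CAA permits ca_domain to issue for hostname ('*.' prefix = wildcard request)."""
    rrset = relevant_caa_set(hostname, zone)
    # A critical flag (128) on a tag the CA does not understand forbids issuance.
    if any(f & 128 and t not in ("issue", "issuewild", "iodef") for f, t, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # issuewild replaces issue for wildcard requests only when present and is ignored
    # for standard certificates; no issue/issuewild tags at all leaves issuance unrestricted.
    applicable = issuewild if hostname.startswith("*.") and issuewild else issue
    allowed = {v.split(";", 1)[0].strip().lower() for v in applicable}  # domain before ';' params
    return not applicable or ca_domain.lower() in allowed
```

Running ca_may_issue("*.example.com", "letsencrypt.org", build_zone(SAMPLE_ZONE_LINES)) reproduces the wildcard case from the text: issue allows the CA but issuewild names a different one, so the wildcard request is refused.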

Why this matters

CAA records matter because they can either improve certificate issuance control or accidentally block SSL certificate issuance. If the allowed certificate authority does not match the provider trying to issue your certificate, SSL installation or renewal can fail.

A missing CAA record is usually not an emergency. A wrong CAA record can be a real SSL problem.

How to check CAA records

Use the CAA Record Checker to see whether a domain publishes CAA records and which certificate authorities are allowed.

When checking CAA records, compare

These five areas help you spot mismatches between DNS policy and your SSL provider.

Domain or subdomain

The hostname where the certificate is being issued.

Current CAA records

The CAA policies currently returned by public DNS.

Certificate authority

The CA that your hosting provider, CDN or SSL tool is trying to use.

Wildcard requirement

Whether the certificate is standard or wildcard.

Active nameserver

The DNS provider currently controlling the live DNS zone.

If SSL issuance fails, check CAA records before assuming the SSL provider or hosting panel is broken.

Common CAA problems

CAA record allows the wrong certificate authority

High

The domain only allows one certificate authority, but your SSL provider is trying to issue through another CA.

Next step: Add the correct CA value or update the SSL provider configuration.

SSL renewal fails after provider change

High

The old CAA record still allows the previous CA, but the new hosting or CDN provider uses a different CA.

Next step: Update CAA records before requesting or renewing the certificate.

Wildcard certificate blocked

Medium

The issue tag may allow standard certificates, but issuewild may be missing or restrictive.

Next step: Add or adjust issuewild for the CA issuing the wildcard certificate.

CAA record added at the wrong DNS provider

Medium

The record was added in a DNS zone that is not authoritative for the domain.

Next step: Check active nameservers and edit the live DNS zone.

Subdomain inherits restrictive parent CAA

Medium

A subdomain may inherit the parent domain’s CAA policy and block issuance by another provider.

Next step: Check CAA records on both the subdomain and parent domain.

CAA syntax is invalid

Medium

The tag, flag or value may be formatted incorrectly.

Next step: Compare the record with provider documentation and validate with a CAA checker.

No CAA record found

Low

The domain does not publish CAA records.

Next step: This is not always a problem. Add CAA only if you want to restrict certificate issuance.

Old CAA records remain after migration

Medium

CAA records from an old SSL provider may still be active after DNS, hosting or CDN migration.

Next step: Review and remove outdated CA values.

How to configure or fix CAA records

  1. Identify your SSL certificate authority

    Find out which certificate authority your hosting provider, CDN or SSL tool uses. Examples may include Let’s Encrypt, DigiCert, Sectigo or Google Trust Services.

  2. Check current CAA records

    Use CAA Record Checker to see whether your domain already restricts certificate issuance.

  3. Confirm where DNS is hosted

    Check active nameservers and edit CAA records only at the provider controlling the live DNS zone.

  4. Add or update the issue tag

    Allow the certificate authority that should issue standard certificates.

    Type: CAA
    Flag: 0
    Tag: issue
    Value: letsencrypt.org

  5. Add issuewild if you use wildcard certificates

    If you need wildcard SSL certificates, make sure issuewild allows the correct certificate authority.

    Type: CAA
    Flag: 0
    Tag: issuewild
    Value: letsencrypt.org

  6. Remove outdated CA values

    If you changed SSL providers, remove old CAA records that no longer match your current certificate authority.

  7. Re-run SSL issuance

    After DNS updates are visible, retry certificate issuance or renewal in your hosting, CDN or SSL platform.

CAA record examples

Allow Let’s Encrypt for standard certificates

example.com.  3600  IN  CAA  0 issue "letsencrypt.org"

Allow Let’s Encrypt for wildcard certificates

example.com.  3600  IN  CAA  0 issuewild "letsencrypt.org"

Add incident reporting

example.com.  3600  IN  CAA  0 iodef "mailto:security@example.com"

Check commands

dig example.com CAA
dig www.example.com CAA
dig +short example.com CAA

These are examples only. Use the certificate authority value required by your SSL, hosting or CDN provider.

CAA records and hosting/CDN providers

Many hosting and CDN providers issue SSL certificates automatically. If your domain has restrictive CAA records, the provider’s automatic SSL process may fail unless its certificate authority is allowed.

Before enabling automatic SSL, check:

  • which CA the provider uses
  • whether the domain has existing CAA records
  • whether wildcard certificates are required
  • whether CAA records exist on parent domains
  • whether DNS changes were made at the active provider

If your provider changes certificate authorities, CAA records may need to be updated.

CAA missing vs CAA misconfigured

A missing CAA record usually means certificate authorities can issue certificates after normal validation. This is common and not always a problem.

A misconfigured CAA record is different. It can block the certificate authority you actually use and cause SSL issuance or renewal to fail.

No CAA record

  • Usually acceptable for many domains
  • Does not restrict certificate authorities
  • SSL issuance can proceed after normal validation

No CAA → CA issues after domain validation

Misconfigured CAA

  • May block the correct CA
  • Can break automatic SSL renewal
  • Requires DNS correction before issuance

CAA allows digicert.com → Let’s Encrypt blocked

CAA and SSL troubleshooting checklist

If SSL issuance fails, check:

  • Does the domain have CAA records?
  • Is the issuing certificate authority allowed?
  • Is the certificate standard or wildcard?
  • Is issuewild required?
  • Are you checking the root domain or subdomain?
  • Are parent-domain CAA records inherited?
  • Were DNS changes made at the active nameserver provider?
  • Has DNS cache updated?
  • Does the SSL provider show a specific CAA error?

Frequently asked questions

Is a CAA record required?

No. Many domains do not have CAA records. CAA is optional, but if it exists, certificate authorities must respect it.

Can a wrong CAA record break SSL issuance?

Yes. If the CAA record does not allow the certificate authority your provider uses, certificate issuance or renewal can fail.

What does issue mean in a CAA record?

The issue tag allows a certificate authority to issue standard certificates for the domain.

What does issuewild mean?

The issuewild tag controls which certificate authorities may issue wildcard certificates.

What does iodef mean?

The iodef tag provides a reporting address for certificate authority incident or policy reports.

Should I add CAA if my SSL works?

Not always. CAA can be useful for stricter control, but incorrect CAA records can cause renewal problems. Add it only when you understand which CA your provider uses.

Does CAA install SSL certificates?

No. CAA only controls which certificate authorities are allowed to issue certificates. SSL still needs to be issued and installed by your hosting, CDN or certificate system.

Can CAA affect subdomains?

Yes. If a subdomain does not have its own CAA record, parent-domain CAA records may apply.
