What Is a CAA Record

Learn what CAA records are, how they control SSL certificate issuance, issue vs issuewild, and common CAA mistakes.

By CheckDomainHealth Editorial Team | Reviewed by Dionis Ceban | Updated Jun 28, 2026 | 5 min read | Beginner

Introduction

CAA stands for Certificate Authority Authorization. It is a DNS security control that limits which CAs can create certificates for your domain.

CAA is optional but useful when you want to restrict issuance. Outdated CAA records are a common reason Let's Encrypt or CDN SSL renewal fails.

Quick answer

A CAA record specifies which certificate authorities (CAs) may issue SSL/TLS certificates for your domain. If CAA exists and does not authorize your CA, certificate issuance or renewal fails. No CAA record means any trusted public CA may issue.

What it means

CAA records use tags such as issue, issuewild and iodef. Before issuing a certificate, a public CA looks up the domain's CAA records and refuses to issue if it is not one of the authorized CAs.

  • issue — allows standard hostname certificates for a CA
  • issuewild — allows wildcard certificates for a CA
  • iodef — optional reporting address for unauthorized attempts
  • No CAA — any trusted public CA may issue
  • CAA can be inherited from parent zones in some cases

Where you see this:

  • Restricting SSL issuance to Let's Encrypt, DigiCert, Sectigo or CDN CAs
  • Wildcard certificate requests that need issuewild
  • Security teams limiting which CAs the organization uses
  • Troubleshooting failed certificate renewal

Example

example.com.  3600  IN  CAA  0 issue "letsencrypt.org"
example.com.  3600  IN  CAA  0 issuewild "letsencrypt.org"

Why this matters

A CAA record set that does not authorize your CA blocks HTTPS certificate renewal, which can take a live site offline when the current certificate expires. Missing issuewild blocks wildcard certificates even when issue is present.

How to check it

  1. Run CAA Record Checker on the domain needing a certificate.
  2. List all issue and issuewild records returned.
  3. Compare with the CA your hosting, Certbot or CDN uses.
  4. Check parent domain CAA if subdomain issuance fails.
  5. Retry issuance only after the old records' TTL has expired and the change has propagated.
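The tag list under "What it means" and the five check steps above can be worked through offline. The following evaluator is an added example (not CheckDomainHealth's tool or code) that applies the RFC 8659 lookup rules to constructed zone data: it climbs from the hostname toward the root to find the relevant CAA set, honours the issuer-critical flag, and decides whether a named CA may issue a standard or a wildcard certificate. The ZONE table, the hostnames in it and the diagnostic strings are all constructed for illustration; the CA identifiers (letsencrypt.org, digicert.com, sectigo.com) are the domains those CAs publish for CAA matching.

```python
"""Offline CAA evaluation following RFC 8659 (added example, constructed data)."""
from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # issuer-critical bit in the one-octet CAA flags field


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(rdata: str) -> CAARecord:
    """Parse presentation form, e.g. '0 issue "letsencrypt.org"'."""
    flags, tag, value = rdata.split(None, 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


# Constructed zone data standing in for real DNS answers (hostname -> CAA rdata).
ZONE = {
    "example.com": ['0 issue "letsencrypt.org"',
                    '0 iodef "mailto:security@example.com"'],
    "www.example.com": ['0 issue "digicert.com"'],          # CAA on the wrong hostname
    "api.example.com": ['0 issue "letsencrypt.org"',
                        '0 issuewild "sectigo.com"'],        # wildcard CA differs
    "legacy.example.com": ['0 issue ";"'],                  # forbids every CA
    "strict.example.com": ['128 futuretag "unknown"'],      # critical, unknown tag
}


def relevant_records(name: str, zone=ZONE) -> tuple[str, list[CAARecord]]:
    """RFC 8659 section 3: walk from the name toward the root; the first
    ancestor-or-self that has CAA records supplies the relevant set."""
    labels = name.rstrip(".").split(".")
    while labels:
        candidate = ".".join(labels)
        if zone.get(candidate):
            return candidate, [parse_caa(r) for r in zone[candidate]]
        labels = labels[1:]
    return "", []


def ca_domain(value: str) -> str:
    """Strip optional parameters (';key=value') from an issue/issuewild value."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(name: str, ca: str, zone=ZONE) -> tuple[bool, str]:
    """Decide whether `ca` (its CAA identifier, e.g. 'letsencrypt.org') may
    issue for `name`. A leading '*.' marks a wildcard request."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    source, records = relevant_records(base, zone)
    if not records:
        return True, "no CAA records up to the root; any trusted CA may issue"
    # An unrecognised tag with the critical flag set must block issuance.
    for r in records:
        if r.flags & CRITICAL and r.tag not in KNOWN_TAGS:
            return False, f"critical unknown tag '{r.tag}' at {source}"
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    # RFC 8659 section 4.3: issuewild governs wildcards only when present;
    # otherwise the issue records apply to wildcard requests as well.
    use_wild = wildcard and bool(issuewild)
    governing, tag = (issuewild, "issuewild") if use_wild else (issue, "issue")
    if not governing:
        return True, f"CAA at {source} has no {tag} records; issuance not restricted"
    allowed = {ca_domain(r.value) for r in governing} - {""}
    if ca.lower() in allowed:
        return True, f"{ca} authorized by {tag} at {source}"
    if not allowed:
        return False, f"{tag} at {source} is ';', which forbids all CAs"
    return False, f"{tag} at {source} authorizes {sorted(allowed)}, not {ca}"


if __name__ == "__main__":
    for n, c in [("example.com", "letsencrypt.org"), ("www.example.com", "letsencrypt.org"),
                 ("*.example.com", "letsencrypt.org"), ("*.api.example.com", "letsencrypt.org")]:
        print(n, c, may_issue(n, c))
```

The www.example.com case reproduces the "CAA added at wrong hostname" mistake: the record published at www says nothing about example.com, and a request for www itself is judged only by www's own records. Note that under RFC 8659 a wildcard request for *.example.com falls back to the issue records when no issuewild record exists; issuewild is required when the wildcard authorization must differ from the standard one, or when an issuewild record is already present for another CA.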

Check CAA records

Use CAA Record Checker to see which certificate authorities are authorized for your domain.

Common mistakes

CAA blocks current SSL issuer (severity: High)

DNS authorizes a different CA than the one you use.

Next step: Add the correct issue record or remove obsolete CAA entries.

Missing issuewild for wildcard cert (severity: High)

Wildcard request fails although standard issue exists.

Next step: Add issuewild for the same CA.

Old CA remains after switching provider (severity: High)

Previous vendor CAA still restricts issuance.

Next step: Remove outdated issue entries and authorize the new CA.

CAA added at wrong hostname (severity: Medium)

Records on www do not affect root domain issuance.

Next step: Publish CAA on the exact hostname the CA validates.

Example

CAA examples
; Allow Let's Encrypt
example.com CAA 0 issue "letsencrypt.org"

; Allow wildcard from Let's Encrypt
example.com CAA 0 issuewild "letsencrypt.org"
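The two records above are shown in zone-file (presentation) form. On the wire, CAA RDATA is one flags octet, one tag-length octet, the tag, and then the value occupying the rest of the RDATA (RFC 8659 section 4.1). The codec below is an added example, not code from the page or from CheckDomainHealth; it encodes and decodes that layout, enforces the tag rules (1 to 15 ASCII letters or digits), and exposes the issuer-critical bit so a reader can see how "0" and "128" in the flags column differ.

```python
"""Encode and decode CAA RDATA wire format (added example)."""
import string

CRITICAL = 0x80  # issuer-critical flag bit (decimal 128 in presentation form)
TAG_CHARS = set(string.ascii_letters + string.digits)


def encode_caa(flags: int, tag: str, value: str) -> bytes:
    """Build RDATA: flags octet, tag length octet, tag bytes, value bytes."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one octet")
    if not 1 <= len(tag) <= 15 or set(tag) - TAG_CHARS:
        raise ValueError("tag must be 1-15 ASCII letters or digits")
    tag_b = tag.encode("ascii")
    value_b = value.encode("utf-8")
    if 2 + len(tag_b) + len(value_b) > 65535:
        raise ValueError("RDATA exceeds the 16-bit RDLENGTH limit")
    return bytes([flags, len(tag_b)]) + tag_b + value_b


def decode_caa(rdata: bytes) -> tuple[int, str, str]:
    """Inverse of encode_caa; tags are case-insensitive, so they are lower-cased."""
    if len(rdata) < 2:
        raise ValueError("RDATA shorter than flags + tag length")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("tag length does not fit the RDATA")
    tag = rdata[2:2 + tag_len].decode("ascii").lower()
    value = rdata[2 + tag_len:].decode("utf-8")
    return flags, tag, value


def is_critical(flags: int) -> bool:
    """True when a CA that does not understand the tag must refuse to issue."""
    return bool(flags & CRITICAL)


def presentation(flags: int, tag: str, value: str) -> str:
    """Render a record the way a zone file shows it."""
    return f'{flags} {tag} "{value}"'


if __name__ == "__main__":
    wire = encode_caa(0, "issue", "letsencrypt.org")
    print(wire.hex(), "->", presentation(*decode_caa(wire)))
```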

Frequently asked questions

Do I need CAA records?

No. They are optional. Without CAA, any publicly trusted CA may issue certificates for your domain.

Can CAA block Let's Encrypt?

Yes, if CAA exists but does not include letsencrypt.org in an issue tag.

What is the difference between issue and issuewild?

issue controls normal certificates. issuewild controls wildcard certificates like *.example.com.

Does CAA encrypt DNS?

No. CAA only restricts certificate issuance. DNSSEC is a separate DNS security feature.
