What Are CAA Records and Why You Might Need Them
Learn what CAA records are, how they control which certificate authorities can issue SSL certificates, and how to avoid blocking certificate renewals.
Introduction
CAA records, or Certification Authority Authorization records, let a domain owner specify which certificate authorities are allowed to issue SSL/TLS certificates for a domain.
CAA records are optional for many websites, but they can add useful control. They help reduce the risk of unauthorized certificate issuance and can make certificate management clearer for businesses, SaaS platforms and domains with stricter security requirements. However, an incorrect CAA record can also block certificate issuance or renewal.
Quick answer
A CAA record tells certificate authorities which CAs are allowed to issue SSL/TLS certificates for your domain. If no CAA record exists, most trusted CAs may issue certificates after normal validation. If a CAA record exists, CAs must follow it. A wrong CAA record can prevent certificate renewal.
CAA records
CAA stands for Certification Authority Authorization. It is a DNS record that tells certificate authorities whether they are allowed to issue SSL/TLS certificates for a domain.
example.com. 300 IN CAA 0 issue "letsencrypt.org"
This record allows Let’s Encrypt to issue certificates for example.com. The leading 0 is the flags field, issue is the property tag, and the quoted value is the domain the CA uses to identify itself.
CAA records do not install SSL certificates. They only control which certificate authorities may issue them.
How CAA works
- A certificate authority receives a certificate request.
- The CA checks DNS for CAA records on the domain.
- If no CAA record exists, the CA can continue normal validation.
- If CAA records exist, the CA checks whether it is authorized.
- If the CA is not authorized, it should not issue the certificate.
- If authorized, issuance can continue after normal domain validation.
CAA does not replace domain validation. The CA still needs to verify control of the domain.
CAA examples
Record types:
example.com. 300 IN CAA 0 issue "letsencrypt.org"
example.com. 300 IN CAA 0 issue "digicert.com"
example.com. 300 IN CAA 0 issuewild "letsencrypt.org"
example.com. 300 IN CAA 0 iodef "mailto:security@example.com"
Allowing more than one CA:
example.com. 300 IN CAA 0 issue "letsencrypt.org"
example.com. 300 IN CAA 0 issue "digicert.com"
Checking CAA with dig:
dig example.com CAA
dig +short example.com CAA
dig app.example.com CAA
These examples are illustrative. Use the CA domain required by your certificate provider and replace example.com with your real domain.
Do you need CAA?
Not every website must publish CAA records. Many small websites work fine without them.
You may want CAA records if:
- You want to restrict certificate issuance to specific CAs
- You manage many domains
- Your organization has security or compliance requirements
- You use one preferred certificate provider
- You want clearer certificate governance
- You issue wildcard certificates
- You want to reduce unauthorized certificate issuance risk
You may not need CAA records immediately if:
- You use the SSL certificate your hosting provider supplies
- You rely on automatic Let’s Encrypt certificates
- You do not know which CA your provider uses
- You may change SSL providers soon
If you are unsure, avoid adding restrictive CAA records until you confirm your SSL provider’s requirements.
Why this matters
CAA matters because it controls who may issue certificates for your domain. This can improve security and governance, but it can also break SSL issuance if configured incorrectly. For example, if your domain only allows one CA but your hosting provider uses another, automatic certificate renewal may fail.
CAA is especially important to review before certificate migrations, CDN changes, wildcard certificate issuance or hosting provider changes.
How to check CAA
Use CAA Record Checker to see whether your domain publishes CAA records and which certificate authorities are allowed.
What to review when checking CAA
These six checks help confirm CAA is configured safely.
Existing records
Confirm whether the domain has CAA records.
Allowed CAs
Check which certificate authorities are listed in issue and issuewild.
Wildcard permission
Check whether wildcard issuance is allowed if you need wildcard certificates.
SSL provider match
Confirm your current certificate provider is allowed.
Parent domain inheritance
Check whether CAA records on the parent domain affect subdomains.
Renewal risk
Confirm automatic certificate renewal will not be blocked.
Check CAA records now
Use CAA Record Checker to verify which certificate authorities may issue SSL certificates.
Common problems
CA not authorized
Severity: High. The domain has CAA records, but the certificate authority trying to issue the certificate is not listed.
Next step: Add the correct CA to the CAA records or use an allowed certificate provider.
Wildcard issuance blocked
Severity: Medium. The domain allows normal certificates but does not allow wildcard certificates through issuewild.
Next step: Add the correct issuewild record if wildcard certificates are required.
Old CA still listed
Severity: Low. CAA records allow an old certificate provider that is no longer used.
Next step: Remove outdated CAA entries after confirming they are not needed.
Hosting provider uses a different CA
Severity: High. Automatic SSL renewal fails because the hosting provider uses a CA not allowed by CAA.
Next step: Ask the provider which CA domain should be allowed.
CAA added at wrong DNS provider
Severity: Medium. CAA was added in a DNS zone that is not authoritative.
Next step: Check active nameservers and add records at the live DNS provider.
Parent domain CAA affects subdomain
Severity: Medium. A subdomain may inherit CAA restrictions from the parent domain.
Next step: Check CAA records at both parent and subdomain levels.
Record syntax is invalid
Severity: Medium. CAA values are malformed, so they may not be interpreted correctly.
Next step: Use the exact syntax required by your DNS provider and certificate authority.
How to configure CAA
Step 1: Identify your certificate authority
Confirm whether your SSL certificate is issued by Let’s Encrypt, DigiCert, Sectigo, GlobalSign, Google Trust Services, Amazon Trust Services or another CA.
Step 2: Check active DNS provider
Confirm which DNS zone is live by checking nameservers.
Step 3: Review existing CAA records
Check whether current records already restrict certificate issuance.
Step 4: Add only required CAs
Allow the CAs you actually use for SSL issuance and renewal.
Step 5: Add issuewild only if needed
Only allow wildcard certificate issuance if your domain uses wildcard certificates.
Step 6: Test certificate issuance
After updating CAA, verify that your hosting panel, CDN or certificate provider can issue or renew SSL.
Step 7: Re-check after provider changes
Review CAA whenever changing hosting, CDN or SSL providers.
CAA and subdomains
CAA can affect subdomains depending on where records are published and how the CA checks them.
Parent domain:
example.com
Subdomain:
app.example.com
If app.example.com has no CAA record, the CA may check the parent domain’s CAA policy.
If subdomains use different certificate providers, review CAA carefully before adding restrictive rules at the parent domain.
Automatic SSL renewal
Automatic SSL systems, such as hosting panel SSL, CDN SSL or Let’s Encrypt automation, can fail if CAA does not allow the CA being used.
Before adding CAA records, check:
- Which CA your hosting provider uses
- Whether your CDN issues its own certificates
- Whether wildcard certificates are needed
- Whether staging and production use different providers
- Whether subdomains use separate SSL services
CAA should make certificate issuance safer, not accidentally block renewals.
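The following is an added example, not code from the original guide or from CheckDomainHealth. It models the lookup a CA performs as described in "How CAA works" (walk from the requested name toward the root and use the first CAA set found, which is why subdomains inherit the parent policy), the issue/issuewild distinction, and a renewal pre-flight that lists which of your automatic SSL services a proposed CAA set would block. The zone data, the names CAA_ZONE, relevant_record_set, is_issuance_allowed and renewal_preflight, and the services list are all constructed for the example.

```python
# Constructed in-memory zone: name -> list of (flags, tag, value).
# Stands in for a real DNS lookup so the example runs offline.
CAA_ZONE = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "digicert.com"),
        (0, "issuewild", "letsencrypt.org"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    # app.example.com publishes its own CAA set, so it does not inherit.
    "app.example.com.": [(0, "issue", "sectigo.com")],
    # A critical record (flags=128) with a tag this checker does not
    # understand: a CA must refuse rather than silently ignore it.
    "legacy.example.com.": [(128, "unknowntag", "x")],
}


def relevant_record_set(zone, name):
    """Return the first non-empty CAA set from `name` up toward the root."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".", [])
        if rrset:
            return rrset
    return []  # no CAA anywhere in the chain: issuance is unrestricted


def is_issuance_allowed(zone, name, ca_domain, wildcard=False):
    """Decide whether `ca_domain` may issue for `name` (or *.name)."""
    rrset = relevant_record_set(zone, name)
    if not rrset:
        return True
    # Critical flag on a tag we do not recognise: must not issue.
    if any(f & 128 and t not in ("issue", "issuewild", "iodef")
           for f, t, _ in rrset):
        return False
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # issuewild governs wildcard names when present
    # Strip any parameters after ';'. A bare ";" value yields "" = deny all.
    allowed = {v.split(";")[0].strip() for _, t, v in rrset if t == tag}
    if not allowed:
        return True  # e.g. only iodef records: no restriction for this tag
    return ca_domain in allowed


def renewal_preflight(zone, services):
    """Return (name, ca) pairs whose automatic renewal the zone would block."""
    return [(n, ca) for n, ca, wild in services
            if not is_issuance_allowed(zone, n, ca, wild)]
```

Run renewal_preflight against the CA each hosting panel, CDN or ACME client actually uses before publishing the records; an empty result means no renewal in that list would be blocked.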
Frequently asked questions
What does a CAA record do?
A CAA record tells certificate authorities which CAs are allowed to issue SSL/TLS certificates for a domain.
Do I need a CAA record?
Not always. CAA is optional for many sites, but useful when you want stricter control over certificate issuance.
Can a wrong CAA record break SSL renewal?
Yes. If your current certificate authority is not allowed, issuance or renewal may fail.
What is the difference between issue and issuewild?
issue allows normal certificates. issuewild controls wildcard certificate issuance.
Does CAA install an SSL certificate?
No. CAA only controls which CAs may issue certificates. It does not install or renew certificates by itself.
Can I allow more than one certificate authority?
Yes. You can publish multiple CAA records for multiple allowed CAs.
Do CAA records affect subdomains?
They can. Subdomains may inherit parent-domain CAA policy if they do not publish their own CAA records.