What Are CAA Records and Why You Might Need Them

Learn what CAA records are, how they control which certificate authorities can issue SSL certificates, and how to avoid blocking certificate renewals.

By CheckDomainHealth Editorial Team Reviewed by Dionis Ceban Updated Jun 28, 2026 7 min read Beginner

Introduction

CAA records, or Certification Authority Authorization records (defined in RFC 8659), let a domain owner specify which certificate authorities are allowed to issue SSL/TLS certificates for a domain.

CAA records are optional for many websites, but they can add useful control. They help reduce the risk of unauthorized certificate issuance and can make certificate management clearer for businesses, SaaS platforms and domains with stricter security requirements. However, an incorrect CAA record can also block certificate issuance or renewal.

Quick answer

A CAA record tells certificate authorities which CAs are allowed to issue SSL/TLS certificates for your domain. If no CAA record exists at the name or at any of its parent domains, any publicly trusted CA may issue after normal validation. If a CAA record exists, CAs must follow it. A wrong CAA record can prevent certificate issuance or renewal.

CAA records

CAA stands for Certification Authority Authorization. It is a DNS record that tells certificate authorities whether they are allowed to issue SSL/TLS certificates for a domain.

Example
example.com. 300 IN CAA 0 issue "letsencrypt.org"

This means Let’s Encrypt is allowed to issue certificates for example.com. The record has three parts: the flags byte (0 here), the tag (issue) and the quoted value, which is the identifier the CA publishes for itself.

CAA records do not install SSL certificates. They only control which certificate authorities may issue them.

How CAA works

  1. A certificate authority receives a certificate request for a name.
  2. The CA looks up CAA records at that name. If the name has none, it checks the parent domain, then the parent’s parent, and so on up to the top-level domain. The first non-empty set of CAA records found is the one that applies.
  3. If no CAA record exists anywhere along that chain, the CA continues with normal validation.
  4. If CAA records exist, the CA checks whether its own identifier appears in the relevant issue record (or, for wildcard requests, issuewild).
  5. If the CA is not authorized, it must not issue the certificate.
  6. If authorized, issuance continues after normal domain validation.

CAA does not replace domain validation. The CA still needs to verify control of the domain. Publicly trusted CAs have been required by the CA/Browser Forum Baseline Requirements to check CAA before issuance since September 2017, so the record is enforced rather than advisory. It only binds CAs that follow the rules, however, so it complements rather than replaces monitoring of Certificate Transparency logs for unexpected certificates.

Common CAA tags

issue

Names a certificate authority allowed to issue standard certificates. If no issuewild record is present, issue records govern wildcard requests as well. A value of ";" (an empty issuer) forbids issuance by every CA. Example: 0 issue "letsencrypt.org"

issuewild

Names a certificate authority allowed to issue wildcard certificates. When at least one issuewild record exists, only issuewild records are consulted for wildcard requests; issue records no longer apply to them. Example: 0 issuewild "letsencrypt.org"

iodef

Provides a mailto: or https: address where a CA can report a request that violated the policy. Reporting is optional for the CA. Example: 0 iodef "mailto:security@example.com"

The issue and issuewild tags are the most important for most website owners. The leading number is the flags field: 0 is normal, while 128 marks the record as critical, meaning a CA that does not understand the tag must refuse to issue.
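The decision a CA makes from one CAA record set, covering the tag rules above and the lookup steps in the previous section, as an added example in Python. This is not code from this guide or from any CA; the RRset below is constructed, and the identifiers letsencrypt.org and digicert.com are used only as sample issuer names.

```python
"""Evaluate a CAA RRset the way a CA must under RFC 8659.
Added example (not from the guide); the RRsets below are constructed."""
from __future__ import annotations

from dataclasses import dataclass

CRITICAL = 128  # "issuer critical" bit in the flags byte
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(rdata: str) -> CAARecord:
    """Parse presentation format such as '0 issue "letsencrypt.org"'."""
    flags, tag, value = rdata.strip().split(None, 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


def issuer_domain(value: str) -> str:
    """Issuer domain named by an issue/issuewild value. Parameters after the
    first ';' are dropped, so the value ';' yields '' meaning 'no CA at all'."""
    return value.split(";", 1)[0].strip().lower().rstrip(".")


def ca_may_issue(rrset: list[str], ca_domain: str, wildcard: bool = False) -> tuple[bool, str]:
    """Decide whether the CA identified by ca_domain may issue.

    Returns (allowed, reason). Mirrors RFC 8659 sections 4.2 and 4.3:
    - a critical (flags 128) record with an unknown tag blocks issuance;
    - wildcard requests use issuewild records when any exist, else issue;
    - non-wildcard requests use issue records only;
    - no records of the governing tag means issuance is not restricted.
    """
    records = [parse_caa(r) for r in rrset]
    for r in records:
        if r.flags & CRITICAL and r.tag not in KNOWN_TAGS:
            return False, f"critical tag {r.tag!r} not understood"
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"
    permitted = {issuer_domain(r.value) for r in records if r.tag == tag}
    if not permitted:
        return True, f"no {tag} records, issuance not restricted"
    if ca_domain.lower().rstrip(".") in permitted:
        return True, f"{ca_domain} listed in {tag}"
    if permitted == {""}:
        return False, f"{tag} is ';', no CA may issue"
    return False, f"{ca_domain} not in {tag} set {sorted(permitted)}"


# Constructed RRset: trusts Let's Encrypt for ordinary certificates (DNS-01
# only) but forbids every wildcard certificate.
EXAMPLE_RRSET = [
    '0 issue "letsencrypt.org; validationmethods=dns-01"',
    '0 issuewild ";"',
    '0 iodef "mailto:security@example.com"',
]

if __name__ == "__main__":
    for ca, wild in [("letsencrypt.org", False), ("letsencrypt.org", True),
                     ("digicert.com", False)]:
        ok, why = ca_may_issue(EXAMPLE_RRSET, ca, wildcard=wild)
        kind = "wildcard" if wild else "standard"
        print(f"{ca:16} {kind:8} -> {'allowed' if ok else 'denied':7} ({why})")
```

Two outcomes are worth noticing when you run it: Let’s Encrypt is allowed a standard certificate but denied a wildcard, because the issuewild ";" record overrides the issue record for wildcard requests; and an RRset containing only an iodef record restricts nothing, so a lone iodef record is not a lock-down.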

CAA examples

Allow Let’s Encrypt
example.com. 300 IN CAA 0 issue "letsencrypt.org"
Allow DigiCert
example.com. 300 IN CAA 0 issue "digicert.com"
Allow wildcard certificates from Let’s Encrypt
example.com. 300 IN CAA 0 issuewild "letsencrypt.org"
Add report email
example.com. 300 IN CAA 0 iodef "mailto:security@example.com"
Allow multiple CAs
example.com. 300 IN CAA 0 issue "letsencrypt.org"
example.com. 300 IN CAA 0 issue "digicert.com"
Check commands
dig example.com CAA
dig +short example.com CAA
dig app.example.com CAA

These examples are illustrative. The value is whatever identifier the CA publishes for itself in its Certification Practice Statement, which is not always the CA’s brand domain, so use the exact string your certificate provider documents and replace example.com with your real domain.

Do you need CAA?

Not every website must publish CAA records. Many small websites work fine without them.

You may want CAA records if:

  • You want to restrict certificate issuance to specific CAs
  • You manage many domains
  • Your organization has security or compliance requirements
  • You use one preferred certificate provider
  • You want clearer certificate governance
  • You issue wildcard certificates
  • You want to reduce unauthorized certificate issuance risk

You may not need CAA records immediately if:

  • You use simple hosting SSL
  • You rely on automatic Let’s Encrypt certificates
  • You do not know which CA your provider uses
  • You may change SSL providers soon

If you are unsure, avoid adding restrictive CAA records until you confirm your SSL provider’s requirements.

Why this matters

CAA matters because it controls who may issue certificates for your domain. This can improve security and governance, but it can also break SSL issuance if configured incorrectly. For example, if your domain only allows one CA but your hosting provider uses another, automatic certificate renewal may fail.

CAA is especially important to review before certificate migrations, CDN changes, wildcard certificate issuance or hosting provider changes.

How to check CAA

Use CAA Record Checker to see whether your domain publishes CAA records and which certificate authorities are allowed.

When checking CAA, review the following

These six checks help confirm CAA is configured safely.

Existing records

Confirm whether the domain has CAA records.

Allowed CAs

Check which certificate authorities are listed in issue and issuewild.

Wildcard permission

Check whether wildcard issuance is allowed if you need wildcard certificates.

SSL provider match

Confirm your current certificate provider is allowed.

Parent domain inheritance

Check whether the subdomain publishes its own CAA records. If it does not, the records of the nearest parent domain that has any apply to it.

Renewal risk

Confirm automatic certificate renewal will not be blocked.

Common problems

CA not authorized

High

The domain has CAA records, but the certificate authority trying to issue the certificate is not listed.

Next step: Add the correct CA to the CAA records or use an allowed certificate provider.

Wildcard issuance blocked

Medium

The domain’s issue records allow the CA, but an issuewild record exists that does not list it (for example issuewild ";"), so wildcard requests are refused while standard certificates still issue.

Next step: Add an issuewild record naming the CA, or remove the issuewild record that blocks it, if wildcard certificates are required.

Old CA still listed

Low

CAA records allow an old certificate provider that is no longer used.

Next step: Remove outdated CAA entries after confirming they are not needed.

Hosting provider uses a different CA

High

Automatic SSL renewal fails because the hosting provider uses a CA not allowed by CAA.

Next step: Ask the provider which CA domain should be allowed.

CAA added at wrong DNS provider

Medium

CAA was added in a DNS zone that is not authoritative.

Next step: Check active nameservers and add records at the live DNS provider.

Parent domain CAA affects subdomain

Medium

A subdomain that publishes no CAA records of its own inherits the policy of the nearest parent domain that does. A subdomain that publishes any CAA record, even only iodef, replaces the parent’s policy for that name and everything below it.

Next step: Check CAA records at both parent and subdomain levels, and confirm which set is the first non-empty one a CA would find.

Record syntax is invalid

Medium

CAA values are malformed (for example the flags byte is missing, the value is not quoted or the tag is misspelled), so CAs may ignore them or, if the flags byte is 128, refuse to issue.

Next step: Publish exactly flags, tag and quoted value in the form your DNS provider and certificate authority document, then confirm the published record with dig before relying on it.

How to configure CAA

  1. Step 1: Identify your certificate authority

    Confirm whether your SSL certificate is issued by Let’s Encrypt, DigiCert, Sectigo, GlobalSign, Google Trust Services, Amazon Trust Services or another CA, and look up the exact CAA identifier that CA publishes, since it is not always the CA’s marketing domain.

  2. Step 2: Check active DNS provider

    Confirm which DNS zone is live by checking nameservers.

  3. Step 3: Review existing CAA records

    Check whether current records already restrict certificate issuance.

  4. Step 4: Add only required CAs

    Allow the CAs you actually use for SSL issuance and renewal.

  5. Step 5: Add issuewild only if needed

    Only allow wildcard certificate issuance if your domain uses wildcard certificates.

  6. Step 6: Test certificate issuance

    After updating CAA, verify that your hosting panel, CDN or certificate provider can issue or renew SSL.

  7. Step 7: Re-check after provider changes

    Review CAA whenever changing hosting, CDN or SSL providers.

CAA and subdomains

CAA can affect subdomains depending on where records are published and how the CA checks them.

Example
Parent domain:
example.com

Subdomain:
app.example.com

If app.example.com has no CAA record, the CA applies the CAA policy of example.com (continuing up to the top-level domain until it finds a non-empty set). Conversely, a CAA record published at app.example.com replaces the parent’s policy for that name and everything below it, so an iodef-only record on a subdomain removes the parent’s issue restriction there.

If subdomains use different certificate providers, review CAA carefully before adding restrictive rules at the parent domain.

Automatic SSL renewal

Automatic SSL systems, such as hosting panel SSL, CDN SSL or Let’s Encrypt automation, can fail if CAA does not allow the CA being used.

Before adding CAA records, check:

  • Which CA your hosting provider uses
  • Whether your CDN issues its own certificates
  • Whether wildcard certificates are needed
  • Whether staging and production use different providers
  • Whether subdomains use separate SSL services

CAA should make certificate issuance safer, not accidentally block renewals.
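A renewal preflight that applies the subdomain lookup rules from the previous section to the checklist above, as an added example in Python. This is not code from this guide or from any hosting provider: the zone data, hostnames and CA identifiers are constructed, and the pretend resolver stands in for the DNS query a real check would make with dig.

```python
"""Find the CAA record set that governs a name (RFC 8659 section 3) and run a
renewal preflight against it. Added example, not code from this guide; the
zone data, hostnames and CA identifiers below are constructed."""
from __future__ import annotations

from typing import Callable

# Constructed stand-in for DNS: owner name -> CAA RRset in presentation form.
# A live check would query a resolver (the guide's `dig +short NAME CAA`).
FAKE_DNS = {
    "example.com.": ['0 issue "letsencrypt.org"', '0 issuewild ";"'],
    "cdn.example.com.": ['0 issue "digicert.com"'],
    "legacy.example.com.": ['0 iodef "mailto:security@example.com"'],
}

# Constructed inventory: (hostname, CA identifier used by its renewal
# automation, whether it requests a wildcard certificate).
INVENTORY = [
    ("www.example.com", "letsencrypt.org", False),
    ("app.example.com", "digicert.com", False),
    ("assets.cdn.example.com", "digicert.com", False),
    ("*.example.com", "letsencrypt.org", True),
    ("legacy.example.com", "sectigo.com", False),
]

Resolver = Callable[[str], list[str]]


def lookup(owner: str) -> list[str]:
    """Pretend resolver over FAKE_DNS; an empty list means no CAA RRset."""
    return FAKE_DNS.get(owner, [])


def relevant_caa_set(name: str, resolve: Resolver = lookup) -> tuple[str, list[str]]:
    """Climb from name towards the root and return (owner, rrset) for the first
    non-empty CAA RRset. A wildcard name is evaluated at its parent. Returns
    ('.', []) when no ancestor publishes CAA, i.e. issuance is unrestricted."""
    if name.startswith("*."):
        name = name[2:]
    labels = name.rstrip(".").split(".")
    while labels:
        owner = ".".join(labels) + "."
        rrset = resolve(owner)
        if rrset:
            return owner, rrset
        labels.pop(0)
    return ".", []


def permitted_issuers(rrset: list[str], wildcard: bool) -> set[str] | None:
    """Issuer domains allowed by the governing tag (issuewild for wildcard
    requests when any issuewild record exists, otherwise issue), or None when
    the RRset has no record of that tag and so does not restrict this request.
    A bare ";" value maps to '' and therefore permits nobody."""
    parsed = [r.split(None, 2) for r in rrset]
    tags = {tag.lower() for _, tag, _ in parsed}
    governing = "issuewild" if wildcard and "issuewild" in tags else "issue"
    issuers = {
        value.strip('"').split(";", 1)[0].strip().lower()
        for _, tag, value in parsed
        if tag.lower() == governing
    }
    return issuers or None


def preflight(inventory=INVENTORY, resolve: Resolver = lookup) -> list[str]:
    """One line per hostname whose renewal the current CAA would block."""
    blocked = []
    for host, ca, wildcard in inventory:
        owner, rrset = relevant_caa_set(host, resolve)
        allowed = permitted_issuers(rrset, wildcard)
        if allowed is not None and ca.lower() not in allowed:
            blocked.append(f"{host}: {ca} is not permitted by CAA at {owner} {rrset}")
    return blocked


if __name__ == "__main__":
    for line in preflight():
        print("BLOCKED", line)
```

Running it reports two blocked names. app.example.com has no CAA of its own, so it inherits the example.com policy that only names letsencrypt.org, and its DigiCert renewal would fail. *.example.com is blocked because the issuewild ";" record at example.com overrides the issue record for wildcard requests. assets.cdn.example.com passes because cdn.example.com publishes its own issue record, and legacy.example.com passes because its iodef-only record is the first non-empty set a CA finds and it contains no issue restriction, which is worth knowing before you assume a parent-level record locks every subdomain down.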

Frequently asked questions

What does a CAA record do?

A CAA record tells certificate authorities which CAs are allowed to issue SSL/TLS certificates for a domain.

Do I need a CAA record?

Not always. CAA is optional for many sites, but useful when you want stricter control over certificate issuance.

Can a wrong CAA record break SSL renewal?

Yes. If your current certificate authority is not allowed, issuance or renewal may fail.

What is the difference between issue and issuewild?

issue allows standard certificates and, when no issuewild record exists, also governs wildcard certificates. issuewild controls wildcard issuance on its own once at least one issuewild record is published.

Does CAA install an SSL certificate?

No. CAA only controls which CAs may issue certificates. It does not install or renew certificates by itself.

Can I allow more than one certificate authority?

Yes. You can publish multiple CAA records for multiple allowed CAs.

Do CAA records affect subdomains?

They can. A subdomain that publishes no CAA records inherits the policy of the nearest parent domain that does; a subdomain that publishes its own CAA records replaces the parent’s policy for that name and below.
