CAA Record Lookup
Check CAA records (certificate authority authorization) for any domain across 12 global resolvers. Free DNS checker.
What is a CAA record?
A CAA record ("certification authority authorization") tells certificate authorities (CAs) which of them are allowed to issue TLS certificates for a domain. Compliant CAs check CAA before issuance and refuse if they're not authorized. CAA is a defense against unauthorized certificate issuance.
When to check CAA records
- You're moving from one TLS provider to another (e.g., from Let's Encrypt to a paid CA) and want to confirm the new CA is allowed
- A certificate request is being rejected and you suspect CAA is the cause
- You're auditing a domain's certificate-issuance posture
Reading the results
Each CAA value has three parts: flag (an integer, usually 0), tag (one of issue, issuewild, iodef), and value (the CA domain or report URI). Example: 0 issue "letsencrypt.org" authorizes only Let's Encrypt for non-wildcard certs.
Common errors and pitfalls
- Cert renewal fails after adding CAA: your existing CA isn't in the CAA allowlist. Either add it or remove the CAA before renewal.
- Wildcard cert issuance fails but non-wildcard works: you have an issue CAA but not issuewild. Wildcards require explicit authorization via the issuewild tag.
- CAA only at the apex: CAA inheritance follows the domain hierarchy. A CAA at example.com applies to www.example.com, api.example.com, etc., unless overridden at a subdomain.
- Critical flag (128) used by mistake: a flag value of 128 marks the record as "critical." CAs that don't understand the property must refuse issuance. Almost always overkill; flag=0 is what you want.
FAQ
What does a CAA record look like?
CAA records have a flag (usually 0), a tag (issue, issuewild, or iodef), and a value. Example: 0 issue "letsencrypt.org" means only Let's Encrypt may issue certs for the domain.
Do I need a CAA record?
No, but you should consider one. Without CAA, any CA in any browser's trust store can issue a cert for your domain (assuming it validates ownership). CAA is a cheap, declarative restriction.
How do I allow multiple CAs?
Publish multiple CAA records, one per CA: 0 issue "letsencrypt.org" and 0 issue "digicert.com" together allow both.
What's the iodef tag for?
iodef tells CAs where to send "incident" reports if they reject a request that conflicts with your CAA. Example: 0 iodef "mailto:security@example.com".
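The following is an added example, not code from this checker, showing how a compliant CA evaluates the records described under "Reading the results", the pitfalls list and the FAQ above: it parses presentation-format CAA strings, climbs from the requested name toward the apex to find the relevant RRset, refuses on a critical (128) property it does not understand, and applies the RFC 8659 precedence rule (issuewild governs a wildcard request when present, otherwise issue applies). The zone is a constructed in-memory table so the code runs offline, and the `trustlevel` property is a hypothetical unknown tag used only to trigger the critical-flag refusal.

```python
"""Evaluate CAA authorization the way a compliant CA does (RFC 8659).

Added example, not the checker's own code. The zone below is constructed
in memory so this runs offline; a real check would query DNS instead.
"""
import re
from dataclasses import dataclass

CRITICAL_FLAG = 128                      # issuer-critical bit in the flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & CRITICAL_FLAG)

    def issuer_domain(self) -> str:
        """Issuer name before any ';' parameters; '' means 'no CA' (value ';')."""
        return self.value.split(";", 1)[0].strip().lower()


_PRESENTATION = re.compile(r'^\s*(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')


def parse_caa(text: str) -> CAA:
    """Parse presentation format, e.g. '0 issue "letsencrypt.org"'."""
    m = _PRESENTATION.match(text)
    if not m or not 0 <= int(m.group(1)) <= 255:
        raise ValueError(f"not a CAA record: {text!r}")
    return CAA(int(m.group(1)), m.group(2).lower(), m.group(3))


# Constructed zone: owner name -> CAA records in presentation format.
ZONE = {
    "example.com.": [
        '0 issue "letsencrypt.org"',
        '0 issue "digicert.com"',                   # two issue records: both CAs allowed
        '0 issuewild "digicert.com"',               # wildcards: only DigiCert
        '0 iodef "mailto:security@example.com"',    # where CAs report refused requests
    ],
    "dev.example.com.": ['0 issue ";"'],            # subdomain override: nobody may issue
    "legacy.example.com.": ['128 trustlevel "high"'],  # hypothetical unknown property, critical
}


def relevant_rrset(name: str):
    """RFC 8659 climb: check name, then each parent, stopping at the first CAA RRset."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if ZONE.get(owner):
            return owner, [parse_caa(r) for r in ZONE[owner]]
    return None, []


def is_authorized(name: str, ca: str, wildcard: bool = False):
    """Return (allowed, reason) for `ca` issuing a cert for `name` (or `*.name`)."""
    owner, rrs = relevant_rrset(name)
    if not rrs:
        return True, "no CAA at any level: issuance is not restricted"
    for rr in rrs:
        if rr.critical and rr.tag not in KNOWN_TAGS:
            return False, f"{owner} has critical property {rr.tag!r} this CA does not understand"
    issuewild = [rr for rr in rrs if rr.tag == "issuewild"]
    issue = [rr for rr in rrs if rr.tag == "issue"]
    # issuewild governs wildcard names only when present; otherwise issue applies.
    pool = issuewild if (wildcard and issuewild) else issue
    if not pool:
        return True, f"{owner} has CAA records but none restricts this request"
    allowed = {rr.issuer_domain() for rr in pool} - {""}
    if ca.lower() in allowed:
        return True, f"{owner} authorizes {ca}"
    return False, f"{owner} restricts issuance to {sorted(allowed) or 'no CA'}"


if __name__ == "__main__":
    for host, ca, wild in [("www.example.com", "letsencrypt.org", False),
                           ("www.example.com", "letsencrypt.org", True),
                           ("dev.example.com", "digicert.com", False),
                           ("api.legacy.example.com", "digicert.com", False),
                           ("other.test", "digicert.com", False)]:
        print(host, ca, "wildcard" if wild else "", is_authorized(host, ca, wild))
```

Running it shows the pitfalls in action: Let's Encrypt is allowed for www.example.com but not for *.example.com because an issuewild record exists and names only DigiCert, dev.example.com blocks everyone with `issue ";"`, and anything under legacy.example.com is refused because of the critical unknown property, while a name with no CAA anywhere in its hierarchy is unrestricted.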
Background reading
See the DNS Records Explained guide for the security record family.