← Back to blog

What is a CAA record and why does your domain need one?

A CAA record controls which certificate authorities are allowed to issue SSL certificates for your domain — without one, anyone can request a certificate for your domain name.

Here's a scenario that plays out often enough to be a pattern, not a one-off: a business has a valid SSL certificate on their website, their connection is encrypted, their padlock is green. What they haven't considered is whether anything stops a different Certificate Authority from issuing a second, equally valid certificate for their domain to someone else. Without a CAA record in their DNS, nothing does. A Certificate Authority operating in good faith, or one with less rigorous validation processes, could issue a certificate for a domain they don't own, enabling a convincing impersonation that browsers would treat as legitimate.

CAA records are a lesser-known DNS security control that close this specific gap. They're not the most urgent item on a small business security list, but they're quick to add and directly relevant to protecting the integrity of your SSL certificates.

What a CAA record actually does

A Certification Authority Authorisation record, published in your domain's DNS, specifies which Certificate Authorities are permitted to issue SSL certificates for your domain. Any CA that receives a certificate request for your domain is required to check whether a CAA record exists. If one does, they must only issue a certificate if they're listed in it. If they're not listed, they should refuse the request.

Without a CAA record, any CA can issue a certificate for your domain. With one, only the CAs you've explicitly authorised can do so. The protection is against both rogue issuance by less rigorous CAs and against mis-issuance where a legitimate CA makes an error in their validation process.

Why this matters in practice

Certificate mis-issuance has happened with real consequences. CA/Browser Forum rules now require CAs to check CAA records before issuing any certificate, so the enforcement is baked into the process rather than optional. But the check only works if the record is there to be checked. A domain without a CAA record provides no constraint.

For a small business, the practical risk is low compared to a high-profile domain that might be actively targeted. The reason to add a CAA record anyway is that it costs nothing, takes five minutes, and removes an entire category of risk from the picture rather than leaving it open as a theoretical possibility.

What a CAA record looks like

A CAA record has three components: a flag, a tag, and a value. For most purposes, the relevant tag is issue, which specifies which CA can issue standard certificates for the domain. A typical record looks like this:

yourdomain.com. CAA 0 issue "letsencrypt.org"

This record states that Let's Encrypt is permitted to issue certificates for yourdomain.com, and by implication, no other CA is. If you use multiple CAs for different certificates, for example Let's Encrypt for your main site and a different provider for a specific subdomain certificate, you'd include a record for each.

The issuewild tag applies specifically to wildcard certificates and can be set separately if you want to restrict wildcard issuance to a different or more limited set of CAs than standard certificates.

How to add one

Adding a CAA record is done through your domain's DNS settings, the same place you'd add an MX record or a DMARC TXT record. You need to know which Certificate Authority issued your current SSL certificate, which is shown in the certificate details accessible by clicking the padlock in your browser. Once you know the CA, you add the corresponding CAA record through your DNS provider's interface.

Olimpio checks for the presence of a CAA record as part of its domain scan, flagging its absence as a configuration gap in your external attack surface.

Frequently asked questions

Does not having a CAA record mean my SSL certificate is invalid? No. A missing CAA record doesn't affect the validity of your existing certificate. It only removes the restriction on what other certificates could be issued for your domain in future.

If I switch certificate provider, do I need to update my CAA record? Yes. If you move from one CA to another, your CAA record needs updating to reflect the new provider, otherwise the new CA will be blocked from issuing your replacement certificate.

Can I add multiple CAs to a single CAA record? You add one record per permitted CA rather than listing multiple in a single record; DNS supports multiple CAA records on the same domain, one for each CA you want to authorise.

Does a CAA record protect against all SSL certificate fraud? It protects against mis-issuance by CAs that comply with the CA/Browser Forum rules, which covers all major trusted CAs. It doesn't protect against a CA that ignores the rules entirely, though such behaviour would result in that CA being removed from browser trust stores.

Is this relevant for a business that doesn't manage their own DNS? If your hosting provider or web agency manages your DNS, they can add this record on your behalf. It's worth asking them to check whether a CAA record is in place if you're not sure.

Run a free scan of your domain to check for a CAA record alongside the rest of your DNS and external security configuration: olimpio.io/free-scan

Want to see what attackers see?

Scan your domain for free — no setup, no technical knowledge needed, results in ~20 minutes. No card required.

Get your free scan →