CAA Record Checker
Check which certificate authorities are authorised to issue SSL certificates for a domain.
About the CAA Record Checker
CAA records let a domain owner specify exactly which certificate authorities are permitted to issue SSL certificates for their domain, adding a layer of control that sits above the certificate issuance process itself. Without a CAA record, any trusted CA in the world can technically issue a certificate for your domain, which has historically been a vector for misissuance. This tool checks whether a domain has CAA records in place and which authorities are currently authorised.
How it works
DNSbyte queries the domain's CAA records directly and parses each entry. A CAA record has three parts: a flag, a tag, and a value. The tag determines what the record controls: issue authorises a CA to issue standard (non-wildcard) certificates, issuewild specifically covers wildcard certificates, and iodef provides a URL or email address to which CAs can report policy violations. The value is the CA's domain name, such as letsencrypt.org or digicert.com. A domain with no CAA records has no restrictions in place, meaning any CA can issue for it.
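The lookup and decision described above, as an added Python example that is not DNSbyte's own code: it parses records in presentation format, climbs the name tree the way RFC 8659 specifies (a name with no records inherits its parent's), and decides whether a given CA may issue for a name, including the wildcard, empty-issuer and critical-flag cases. The zone data, domain names and CA names are constructed for illustration.

```python
import re
from collections import namedtuple
CAARecord = namedtuple("CAARecord", "flags tag value")  # flags bit 128 = issuer critical
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
# Presentation format (RFC 8659): <flags> <tag> "<value>"
_CAA_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')

def parse_caa(text):
    m = _CAA_RE.match(text)
    if not m:
        raise ValueError(f"not a CAA record: {text!r}")
    return CAARecord(int(m.group(1)), m.group(2).lower(), m.group(3))

def relevant_caa_set(zone, name):
    """RFC 8659: drop a leading '*' label, then climb to the root and use the first name with any CAA records."""
    labels = name.rstrip(".").lower().split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrs = zone.get(".".join(labels), [])
        if rrs:
            return [parse_caa(r) for r in rrs]
        labels = labels[1:]
    return []

def authorised_issuers(records, wildcard):
    """Set of CA domains allowed to issue, or None when nothing restricts issuance."""
    # issuewild takes precedence for wildcard names; without it, issue records apply
    for tag in (["issuewild", "issue"] if wildcard else ["issue"]):
        chosen = [r for r in records if r.tag == tag]
        if chosen:
            # strip parameters ('letsencrypt.org; account=1'); an empty name (";") allows nobody
            return {r.value.split(";")[0].strip().lower() for r in chosen} - {""}
    return None

def may_issue(zone, name, ca):
    records = relevant_caa_set(zone, name)
    # a critical record whose tag the CA does not understand means: do not issue
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in records):
        return False
    allowed = authorised_issuers(records, wildcard=name.startswith("*."))
    return True if allowed is None else ca.lower() in allowed
# Constructed sample zone (not real DNS data): name -> CAA records in presentation format
SAMPLE_ZONE = {
    "example.test": ['0 issue "letsencrypt.org"', '0 issuewild ";"'],
    "shop.example.test": ['0 issue "digicert.com; account=123"'],
    "docs.example.test": ['0 iodef "mailto:security@example.test"'],
    "legacy.example.test": ['128 futuretag "x"'],
}
```

A real checker would replace SAMPLE_ZONE with live CAA queries; the decision logic stays the same.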
Frequently asked questions
Does not having a CAA record mean my domain is at risk?
Not immediately, but it does mean any certificate authority could issue a certificate for your domain without restriction. CAA records are a defence-in-depth measure that reduces the chance of a CA mistakenly or maliciously issuing a certificate for a domain you control.
How do I add a CAA record?
CAA records are added through whichever provider manages your domain's DNS, the same place you manage A, MX, and TXT records. The format varies slightly by provider, but the three fields (flag, tag, and value) are always the same. Most providers have documentation specific to their interface for adding CAA records.
Can I authorise more than one certificate authority?
Yes, you can have multiple CAA records, one per authorised CA. If you use both Let's Encrypt and another CA for different certificates, simply add a separate issue record for each one.
What happens if a CA tries to issue a certificate for my domain and is not in my CAA records?
The CA is required by industry rules to check CAA records before issuing and refuse if it is not listed. This is enforced as part of the CA/Browser Forum baseline requirements that all publicly trusted CAs must follow.
Do CAA records affect certificates that have already been issued?
No, CAA records only affect future issuance. An existing valid certificate remains valid even if the CA that issued it is later removed from your CAA records, until that certificate naturally expires.