ShieldMarc
100% free, no sign-up needed

Free CAA Record Checker

Enter any domain below to check its CAA (Certificate Authority Authorization) records. See which CAs are authorised to issue SSL/TLS certificates, whether wildcard issuance is restricted, and if violation reporting is configured.

New to CAA records? Read our CAA Records Explained guide for a full explanation.

What Are CAA Records?

CAA (Certificate Authority Authorization) is a DNS record type (RFC 8659) that lets domain owners specify which Certificate Authorities are permitted to issue certificates for their domain. Before issuing a certificate, compliant CAs must check for CAA records and refuse issuance if the records do not list them.

Why Should You Publish CAA Records?

  • Prevent Unauthorised Certificates: Without CAA, any of the hundreds of publicly trusted CAs can issue a certificate for your domain. CAA restricts this to only the CAs you use.
  • Reduce Attack Surface: If an attacker compromises a CA you do not use, CAA prevents them from issuing certificates for your domain through that CA.
  • Compliance: Many security frameworks and audits now recommend or require CAA records as part of certificate lifecycle management.
  • Violation Reporting: The iodef tag lets you receive notifications when a CA denies issuance based on your CAA policy.

CAA Record Tags

  • issue: Specifies CAs authorised to issue standard certificates (e.g. 0 issue "letsencrypt.org")
  • issuewild: Specifies CAs authorised to issue wildcard certificates. If absent, the issue tag applies to wildcards too.
  • iodef: A URL (mailto: or https:) where the CA should report policy violations.
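
How the three tags combine into an issuance decision, including the issuewild fallback to issue, shown as an added example (not ShieldMarc's code). It assumes the domain's CAA record set has already been retrieved as presentation-format lines; the DNS lookup, parent-domain search and critical-flag handling are left out, and the sample records and function names are constructed for illustration.

```python
import re

# DNS presentation format, as printed by lookup tools: <flags> <tag> "<value>"
CAA_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"?(.*?)"?\s*$')

def parse_caa(lines):
    """Parse CAA records into (flags, tag, value); tags are lower-cased."""
    records = []
    for line in lines:
        m = CAA_RE.match(line)
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        records.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    return records

def issuers(records, tag):
    """Issuer domains for one tag; parameters after ';' are dropped.
    A value of ";" yields "", meaning no CA is authorised."""
    return [v.split(";", 1)[0].strip().lower() for _, t, v in records if t == tag]

def may_issue(records, ca, wildcard=False):
    """Decide whether `ca` may issue under this record set."""
    issue, wild = issuers(records, "issue"), issuers(records, "issuewild")
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    relevant = wild if (wildcard and wild) else issue
    if not relevant:
        return True  # nothing restricts issuance (no records, or iodef only)
    return ca.lower() in relevant

def report(records):
    """The three facts a CAA check reports for a domain."""
    wild = issuers(records, "issuewild")
    return {
        "authorised_cas": sorted(set(issuers(records, "issue")) - {""}),
        "wildcard_restricted": bool(wild),
        "iodef": [v for _, t, v in records if t == "iodef"],
    }

# Constructed sample record set (not from a real domain).
SAMPLE = parse_caa([
    '0 issue "letsencrypt.org"',
    '0 issuewild ";"',
    '0 iodef "mailto:security@example.com"',
])

if __name__ == "__main__":
    print(report(SAMPLE))
    print(may_issue(SAMPLE, "letsencrypt.org"), may_issue(SAMPLE, "letsencrypt.org", wildcard=True))
```

With the sample set, Let's Encrypt may issue standard certificates but no CA may issue wildcards, because issuewild ";" overrides the issue tag for wildcard requests.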

Need Automated Monitoring?

This free tool is great for one-off checks. If you need continuous monitoring of CAA, DNSSEC, SSL, DMARC, and more across all your domains, join the early access list for up to 90 days free.

Want the full picture?

Our Security Grade checks CAA alongside DMARC, SPF, DNSSEC, MTA-STS, SSL, and domain registration in one scan.

Frequently Asked Questions

Do I need CAA records if I use Let's Encrypt?

Yes. Without CAA records, any Certificate Authority can issue certificates for your domain. Even if you only use Let's Encrypt, publishing a CAA record with 0 issue "letsencrypt.org" prevents other CAs from issuing certificates you did not request.

What happens if I do not have a CAA record?

If no CAA record exists, any publicly trusted Certificate Authority is permitted to issue certificates for your domain. This is the default behaviour per RFC 8659. While not an immediate vulnerability, it increases your attack surface.

Can CAA records break my website?

CAA records only affect certificate issuance, not existing certificates. If you accidentally exclude your CA from the CAA record, your next certificate renewal will fail, but your current certificate will continue to work until it expires.

Does CAA affect my Security Grade?

Yes. CAA is a check in the Security Grade framework. Publishing CAA records is one of the requirements for reaching a strong Security Grade.