CAA Record Generator
Build valid CAA (Certificate Authority Authorization) records for your domain. Select which CAs are allowed to issue certificates, configure wildcard policy, and set up violation reporting.
Select the CAs permitted to issue standard (non-wildcard) certificates for your domain.
Control which CAs can issue wildcard certificates (e.g. *.yourdomain.com).
Receive an email when a CA denies a certificate request based on your CAA policy. We recommend using the same address as your DMARC RUA reports.
Add each as a separate CAA record. Use @ as the name for your root domain.
Verify your new CAA records
After adding these records to your DNS, use our CAA Checker to confirm they are published correctly. The ShieldMarc dashboard monitors CAA records continuously so you are alerted if they change.
What Are CAA Records?
CAA (Certificate Authority Authorization) is a DNS record type defined in RFC 8659. It lets domain owners declare which Certificate Authorities are permitted to issue SSL/TLS certificates for their domain. Before issuing a certificate, compliant CAs must check your CAA records and refuse issuance if they are not listed.
Why You Should Publish CAA Records
- Prevent unauthorised certificates: Without CAA, any of the hundreds of publicly trusted CAs can issue a certificate for your domain. CAA restricts this to only the CAs you actually use.
- Reduce attack surface: If an attacker compromises a CA you do not use, CAA prevents them from issuing certificates for your domain through that CA.
- Meet compliance requirements: Many security frameworks (ISO 27001, SOC 2, Cyber Essentials Plus) recommend or require CAA as part of certificate lifecycle management.
- Get notified of violations: The iodef tag lets you receive email notifications when a CA denies issuance based on your policy.
CAA Record Format
Each CAA record has three parts:
- Flags (0): Almost always 0. A value of 128 sets the "critical" flag, meaning CAs must refuse issuance if they do not understand the tag.
- Tag: One of issue, issuewild, or iodef.
- Value: The CA domain name (for issue/issuewild) or a reporting URL (for iodef).
How to Add CAA Records
- Use the generator above to build your records.
- Log in to your DNS provider (Cloudflare, Route 53, GoDaddy, etc.).
- For each generated line, create a new CAA record at the root of your domain (or on the specific subdomain you want to protect).
- Use our CAA Checker to verify the records are published correctly.
Frequently Asked Questions
Will adding CAA records break my existing certificates?
No. CAA records only affect future certificate issuance. Your current certificates will continue to work until they expire. Just make sure your current CA is included in your CAA records before your next renewal date.
What if I use Cloudflare or another CDN that issues certificates?
CDNs like Cloudflare issue certificates on your behalf using CAs like DigiCert, Google Trust Services, or Let's Encrypt. Check your CDN's documentation to see which CAs they use and make sure to include them in your CAA records. Cloudflare, for example, uses DigiCert, Google Trust Services, and Let's Encrypt.
What happens if my CA is not in the CAA record?
The CA must refuse to issue the certificate. This means your next certificate renewal will fail. You will need to either add the CA to your CAA record or switch to a CA that is already listed. Your existing certificate continues to work in the meantime.
Do I need separate issuewild records?
Only if you want to restrict wildcard certificates differently from standard certificates. If you omit issuewild, the CAs listed in your issue records are also permitted to issue wildcards. If you want to block all wildcard issuance, add 0 issuewild ";".
What email should I use for iodef reporting?
We recommend using the same mailbox you use for DMARC aggregate reports (RUA), since both deal with domain abuse. This keeps all your domain security reporting in one place. If you do not have a dedicated address, something like [email protected] works well.
Does CAA affect my Security Grade?
Yes. CAA is a check in the Security Grade framework. Publishing CAA records is one of the requirements for reaching a strong Security Grade.
Do subdomains inherit CAA records?
Yes. If a subdomain does not have its own CAA record, CAs walk up the domain tree until they find one. A CAA record on example.com applies to all subdomains unless they publish their own CAA records.
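As an added example (not the page's generator code), the following Python builds the zone lines described under CAA Record Format and then evaluates an issuance request against a small constructed zone, covering the issuewild fallback and the subdomain tree-walk discussed in the two FAQ answers above. The in-memory Zone dictionary and SAMPLE_ZONE data are stand-ins for real DNS lookups.

```python
# Added example, not code from the ShieldMarc page or its generator. The Zone dict
# is a stand-in for real DNS lookups; issuer names are compared as RFC 8659 describes.
from typing import Dict, List, Optional, Tuple
Record = Tuple[int, str, str]   # (flags, tag, value) as stored in the CAA RR
Zone = Dict[str, List[Record]]  # hypothetical in-memory zone: owner name -> CAA RRset

def build_caa_lines(issue: List[str], issuewild: Optional[List[str]] = None,
                    iodef: Optional[str] = None) -> List[str]:
    """Zone-file lines. issuewild=None inherits the issue list; issuewild=[] blocks wildcards."""
    lines = [f'@ IN CAA 0 issue "{ca}"' for ca in issue] or ['@ IN CAA 0 issue ";"']
    if issuewild is not None:
        lines += [f'@ IN CAA 0 issuewild "{ca}"' for ca in issuewild] or ['@ IN CAA 0 issuewild ";"']
    if iodef:
        lines.append(f'@ IN CAA 0 iodef "mailto:{iodef}"')
    return lines

def relevant_rrset(zone: Zone, name: str) -> List[Record]:
    """RFC 8659 s3: climb from the name towards the root; the first CAA RRset found wins.
    A leading wildcard label is skipped, so *.example.com is evaluated at example.com."""
    labels = name.rstrip(".").lower().split(".")
    if labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []

def may_issue(zone: Zone, name: str, issuer: str) -> bool:
    """True if a CA identified by `issuer` (its CAA issuer domain) may issue for `name`."""
    rrset = relevant_rrset(zone, name)
    if any(f & 128 and t not in ("issue", "issuewild", "iodef") for f, t, _ in rrset):
        return False                       # unknown critical property: CA must refuse
    tag = "issuewild" if name.startswith("*.") else "issue"
    props = [v for _, t, v in rrset if t == tag]
    if tag == "issuewild" and not props:   # no issuewild records: issue records apply
        props = [v for _, t, v in rrset if t == "issue"]
    if not props:
        return True                        # no relevant property: issuance not restricted
    # value is "issuer-domain-name [; parameters]"; a bare ";" authorises nobody
    allowed = {v.split(";", 1)[0].strip().lower() for v in props} - {""}
    return issuer.lower() in allowed

# Constructed sample zone for demonstration only (not real DNS data).
SAMPLE_ZONE: Zone = {
    "example.com": [(0, "issue", "letsencrypt.org"), (0, "issue", "digicert.com"),
                    (0, "issuewild", ";"), (0, "iodef", "mailto:security@example.com")],
    "dev.example.com": [(0, "issue", "pki.goog; validationmethods=dns-01")],
}
```

Calling may_issue(SAMPLE_ZONE, "*.example.com", "letsencrypt.org") returns False because the issuewild ";" record blocks all wildcard issuance, while "*.dev.example.com" falls back to the issue record at dev.example.com.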
Want the full picture?
Our Security Grade checks CAA alongside DMARC, SPF, DNSSEC, MTA-STS, SSL, and domain registration in one scan.