Free, read only

CAA Record Checker

See which certificate authorities are authorised to issue TLS certificates for your domain, or confirm nobody is restricted, meaning any CA can issue.

About this check

How CAA works

Before issuing a certificate, a well-behaved CA looks up your domain’s CAA records. If it finds CAA records that do not include it, it refuses to issue. All major public CAs honour CAA; it is an industry requirement.

Typical setup

Publishing 0 issue "letsencrypt.org", 0 issue "digicert.com" and 0 iodef "mailto:security@yourdomain.com" allows Let’s Encrypt and DigiCert only, plus an alert address for violation reports.

FAQ

Operator questions, answered.

What is a CAA record?

CAA (Certification Authority Authorization) is a DNS record that tells certificate authorities which of them are permitted to issue TLS certificates for your domain. If no CAA record is published, any CA can issue a cert.

Why add CAA records?

CAA prevents a compromised or misbehaving CA from issuing a rogue cert for your domain. It is a layer of defence that takes one DNS record to deploy.

Do I need CAA if I only use Let’s Encrypt?

Recommended. Publishing 0 issue "letsencrypt.org" blocks any other CA from issuing a cert for your domain, even accidentally.

CAA Record Checker is one of 18 plus checks.

A free Cora scan covers TLS, DMARC, SPF, DNS, headers, WHOIS, and breach exposure in a single 90 second submission.

No credit card. Results in 90 seconds. Read only.