CAA Record Checker
See which certificate authorities are authorised to issue TLS certificates for your domain — or confirm nobody is restricted, meaning any CA can issue.
How CAA works
Before issuing a certificate, a well-behaved CA looks up your domain’s CAA records. If it finds CAA records that do not include it, it refuses to issue. All major public CAs honour CAA; it is an industry requirement.
Typical setup
    0 issue "letsencrypt.org"
    0 issue "digicert.com"
    0 iodef "mailto:security@yourdomain.com"

This allows Let’s Encrypt and DigiCert only, plus an alert address for violation reports.
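The check a CA performs against records like these can be sketched as follows. This is an added example, not this checker's code or any CA's implementation; it goes beyond the setup above by also covering the parent-domain lookup, `issuewild` and the critical flag defined in RFC 8659. The zone data is constructed, and the function names and `other-ca.example` are hypothetical.

```python
import shlex

# Constructed zone data (assumption): owner name -> CAA records, mirroring the setup above.
ZONE = {
    "yourdomain.com": [
        '0 issue "letsencrypt.org"',
        '0 issue "digicert.com"',
        '0 iodef "mailto:security@yourdomain.com"',
    ],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(rdata):
    """Split '<flags> <tag> "<value>"' into (int flags, tag, value)."""
    flags, tag, value = shlex.split(rdata)
    return int(flags), tag.lower(), value

def relevant_rrset(name, zone):
    """Climb from the name toward the root; the first CAA RRset found applies."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return [parse_caa(r) for r in records]
    return []

def may_issue(ca_domain, name, zone):
    """Return True if a CA identified by ca_domain may issue for name."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name, zone)
    if not rrset:
        return True   # no CAA found at any level: issuance is unrestricted
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False  # critical flag on a property the CA does not understand
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # issuewild overrides issue for wildcard names
    values = [v for _, t, v in rrset if t == tag]
    if not values:
        return True   # e.g. only iodef present: nothing restricts issuance
    allowed = {v.split(";")[0].strip().lower() for v in values}
    return ca_domain.lower() in allowed
```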
Frequently asked questions
What is a CAA record?
CAA (Certification Authority Authorization) is a DNS record that tells certificate authorities which of them are permitted to issue TLS certificates for your domain. If no CAA record is published, any CA can issue a cert.
Why add CAA records?
CAA prevents a compromised or misbehaving CA from issuing a rogue cert for your domain. It is a layer of defence that takes one DNS record to deploy.
Do I need CAA if I only use Let’s Encrypt?
Recommended. Publishing 0 issue "letsencrypt.org" blocks any other CA from issuing a cert for your domain, even accidentally.