A CAA record states which certificate authorities may issue certificates for your domain. CAs must honor it before issuing.
Certification Authority Authorization records let you whitelist the CAs allowed to issue TLS/SSL certificates for your domain. A record such as 0 issue "letsencrypt.org" tells every compliant certificate authority that only Let's Encrypt may issue for that name, which sharply limits the damage an attacker could do by tricking a different CA into mis-issuing a certificate. You can also use the issuewild tag for wildcard certificates and iodef to receive reports of blocked issuance attempts.
CAs are required to check CAA records at issuance time, so a mistake here can block a legitimate certificate renewal and take a site offline when the old certificate expires. That makes it important to confirm your CAA records are correct and fully propagated before relying on automated renewal. This checker reads the CAA records for your domain from multiple locations so you can verify the allowed authorities match your intent and are identical worldwide. If some resolvers still show an old or empty policy, wait for propagation before troubleshooting a failed issuance.
Frequently asked questions
- Do I need a CAA record?
- It is optional but recommended. It restricts which CAs can issue certificates for your domain, improving security.
- Can a wrong CAA record break certificate renewal?
- Yes. If your CA is not listed, compliant authorities will refuse to issue, so keep it accurate.