Glossary · Security

CAA record

A DNS record that restricts which Certificate Authorities can issue SSL certificates for your domain.

Diagram explaining CAA record

CAA (Certification Authority Authorization) records are an anti-mis-issuance defense. Without them, any of the ~50 trusted Certificate Authorities can issue an SSL certificate for your domain — even ones you've never heard of. CAA records say "only these CAs may issue for me."

yourdomain.com.   CAA   0 issue "letsencrypt.org"
yourdomain.com.   CAA   0 issue "sectigo.com"
yourdomain.com.   CAA   0 iodef "mailto:security@yourdomain.com"

Translation:

  • Only Let's Encrypt and Sectigo can issue SSL certificates for this domain.
  • If anyone tries to issue from a different CA, email security@yourdomain.com (that's the iodef directive).

CAA enforcement is performed by the CAs themselves — before issuing, they MUST check CAA records and refuse if they're not authorized. This is a CA/Browser Forum baseline requirement since 2017, so it works reliably.

When to add CAA: any production domain handling money, accounts, or sensitive data. The setup is once-and-done and it eliminates an entire category of attacks (rogue CAs, compromised CAs, social-engineered cert issuance).

What if you don't add CAA? Any trusted CA can issue. You're relying on each CA's own validation process to refuse impostors. Modern CAs are pretty good at this, but it's defense-in-depth to add CAA anyway.

Now the jargon makes sense — let us handle the rest.

You learned what it means; we'll set it up. Register your domain, get email that lands in the inbox, and never decode a renewal bill again — flat pricing, free privacy, real human support.

No upsells at checkout · Free WHOIS privacy · Same price every year · Transfer out free, anytime

Find your domain See flat pricing