CAA Record Checker

login

This tool is planned for a future release. Authentication and target-ownership verification will be required before it can be enabled.

This tool isn't available in the anonymous view. Sign in to access it.

Monitor this automatically

NetTests can run this check on a schedule, preserve historical results, compare changes over time, and alert you the moment something breaks.

Start monitoring free → See all monitoring products

Frequently Asked Questions

What is a CAA DNS record?

CAA (Certification Authority Authorization) records specify which CAs are permitted to issue TLS certificates for a domain. Example: 0 issue "letsencrypt.org" restricts issuance to Let's Encrypt. All compliant CAs must check CAA records before issuing — violating them is a CA/Browser Forum Baseline Requirements violation. View certificates already issued at Domain Certificate Audit.

What are the CAA tag types?

issue — authorises a CA to issue non-wildcard certificates. issuewild — authorises a CA specifically for wildcard certificates (if absent, issue applies). iodef — a URL or email where the CA should report policy violations. Multiple records can exist for multiple authorised CAs.

Will a missing CAA record block certificate issuance?

No — a missing CAA record means any CA is permitted to issue. CAA records restrict issuance when present; their absence is permissive. Adding CAA records is a proactive security measure to reduce the risk of unauthorized certificate issuance for your domains.