Skip to main content
Vantyris

DNS

CAA records: the DNS entry that decides who can issue your TLS certificates.

Published 2026-06-15 · Last updated 2026-06-15 · Vantyris editorial

A CAA (Certification Authority Authorization) record is a DNS entry that lists which Certificate Authorities are allowed to issue TLS certificates for your domain. Without it, any of the dozens of public CAs can issue a cert for your domain on request (with some validation). With it, you've pinned issuance to your chosen provider, and an attacker who tricks one of the other CAs into mis-issuing a cert for your domain is blocked at the DNS level.

What this means for your business

How to fix

Add a CAA TXT record at your domain's apex listing the CA you actually use, plus an iodef contact for breach notifications.

  1. Identify which CA issues your current certificate. Open your site in a browser, click the padlock → View certificate. The 'Issuer' field shows your CA. Most likely: Let's Encrypt, ZeroSSL, Sectigo, DigiCert, GeoTrust.
  2. Add the CAA record at your DNS provider. Most modern DNS panels have a `CAA` record type. Host: `@` (your apex). Tag: `issue`. Value: your CA's domain. Example for Let's Encrypt: `0 issue "letsencrypt.org"`. For ZeroSSL: `0 issue "sectigo.com"` (ZeroSSL is issued by Sectigo).
  3. Add an iodef record for breach reports. Add a second CAA record: `0 iodef "mailto:security@yourdomain.com"`. Now any CA that gets a request for your domain it shouldn't honour reports the attempt to you.
  4. (Optional) Add wildcard issuance separately. If you use wildcard certs (`*.yourdomain.com`), add a third record: `0 issuewild "letsencrypt.org"`. Otherwise CAs may refuse wildcard issuance.

Owner: Your DNS administrator. · Time: 15 minutes.

Common gotchas

How to verify the fix

Run a Vantyris scan, which surfaces CAA records and flags absence. Or use mxtoolbox.com/caa.aspx.

Cyber Essentials alignment

This finding informs the following UK NCSC Cyber Essentials control areas:

Vantyris is not a CE certifying body. The mapping above is informational.

Common follow-up questions

Will a CAA record stop my Let's Encrypt renewal?

Only if your CAA doesn't include Let's Encrypt. As long as your record allows your actual issuer, renewals work normally.

What if I use multiple CAs?

Add multiple CAA records, one per allowed CA. Each is a separate record with the same `issue` tag.

Do I need a CAA record per subdomain?

No. CAA inherits down the DNS tree. Set it at the apex and it covers all subdomains unless a subdomain has its own CAA record that overrides.

References

Related explainers

Want Vantyris to scan your domain for this and 80 other findings?

Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.

Editorial

Vantyris editorial team · methodology v1.0.0