DNS
CAA records: the DNS entry that decides who can issue your TLS certificates.
Published 2026-06-15 · Last updated 2026-06-15 · Vantyris editorial
A CAA (Certification Authority Authorization) record is a DNS entry that lists which Certificate Authorities are allowed to issue TLS certificates for your domain. Without it, any of the dozens of public CAs can issue a cert for your domain on request (with some validation). With it, you've pinned issuance to your chosen provider, and an attacker who tricks one of the other CAs into mis-issuing a cert for your domain is blocked at the DNS level.
What this means for your business
- CAs are required to check the CAA record before issuing a certificate. If the record says 'only Let's Encrypt', a request to DigiCert for your domain is refused.
- This protects you against accidental and malicious mis-issuance. There have been multiple historical cases of CAs being tricked into issuing certs for domains they shouldn't have. CAA is the DNS-level fix.
- A CAA record is a one-time setup. You add it once, and it just sits there protecting your domain.
How to fix
Add a CAA TXT record at your domain's apex listing the CA you actually use, plus an iodef contact for breach notifications.
- Identify which CA issues your current certificate. Open your site in a browser, click the padlock → View certificate. The 'Issuer' field shows your CA. Most likely: Let's Encrypt, ZeroSSL, Sectigo, DigiCert, GeoTrust.
- Add the CAA record at your DNS provider. Most modern DNS panels have a `CAA` record type. Host: `@` (your apex). Tag: `issue`. Value: your CA's domain. Example for Let's Encrypt: `0 issue "letsencrypt.org"`. For ZeroSSL: `0 issue "sectigo.com"` (ZeroSSL is issued by Sectigo).
- Add an iodef record for breach reports. Add a second CAA record: `0 iodef "mailto:security@yourdomain.com"`. Now any CA that gets a request for your domain it shouldn't honour reports the attempt to you.
- (Optional) Add wildcard issuance separately. If you use wildcard certs (`*.yourdomain.com`), add a third record: `0 issuewild "letsencrypt.org"`. Otherwise CAs may refuse wildcard issuance.
Owner: Your DNS administrator. · Time: 15 minutes.
Common gotchas
- Don't lock in a CA you might switch away from. If you set CAA to only Let's Encrypt and later move to Cloudflare-managed certs (issued by Sectigo), your renewal will fail until you update the record.
- The flag value `0` means 'non-critical'. Most modern CAs honour CAA even without it set to critical. Don't set `128` (critical) unless you know what you're doing.
- Some older DNS panels don't support CAA record types. If yours doesn't, you can usually publish it as a TXT record with a specific format, or move DNS hosting to Cloudflare (free tier).
How to verify the fix
Run a Vantyris scan, which surfaces CAA records and flags absence. Or use mxtoolbox.com/caa.aspx.
Cyber Essentials alignment
This finding informs the following UK NCSC Cyber Essentials control areas:
- A2. Secure configuration — devices and services hardened against the inherent default vulnerabilities.
Vantyris is not a CE certifying body. The mapping above is informational.
Common follow-up questions
Will a CAA record stop my Let's Encrypt renewal?
Only if your CAA doesn't include Let's Encrypt. As long as your record allows your actual issuer, renewals work normally.
What if I use multiple CAs?
Add multiple CAA records, one per allowed CA. Each is a separate record with the same `issue` tag.
Do I need a CAA record per subdomain?
No. CAA inherits down the DNS tree. Set it at the apex and it covers all subdomains unless a subdomain has its own CAA record that overrides.
References
- RFC 8659 — DNS CAA IETF RFC
- Let's Encrypt: CAA explainer Vendor
Related explainers
- HTTPS for small business: how to enable it in 15 minutes.
- Your TLS certificate has expired. Here's how to restore the site fast.
Want Vantyris to scan your domain for this and 80 other findings?
Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.
Vantyris editorial team · methodology v1.0.0