CAA record

Per RFC 8659

Which CAs may issue certificates for your domain; with IODEF report mail on violation.

What is this, and when do I need it?

What is this?

CAA (Certification Authority Authorization, RFC 8659) is a DNS record specifying which certification authorities may issue TLS certificates for your domain. A reputable CA checks the CAA record before every issuance; if the CA is not listed there, it must refuse to issue.

This prevents an unauthorized CA from issuing a valid certificate for your domain, whether by accident or via social engineering - which would otherwise enable phishing or man-in-the-middle attacks.

When do I need it?

Mandatory for every domain with its own website, mail or APIs. Cost: one-time DNS entry, then passive protection. If you use Let's Encrypt, issue "letsencrypt.org" is enough.

Bonus: an iodef entry with your security mail address ensures that a CA which rejects a request notifies you about the attempt - an early warning signal for possible domain abuse.

Allowed CAs (issue / issuewild separate, with optional account pinning)
DNS CAA records (DNS RR type 257) per RFC 8659
example.com.	CAA	0 issue "letsencrypt.org"
example.com.	CAA	0 issuewild ";"
example.com.	CAA	0 iodef "mailto:security@example.com"


Free, no warranty (best effort). Generated and inspected values are non-binding; we accept no liability for erroneous or incomplete results or configurations. Use and verification are your own responsibility; please test before production use.

CAA records are published by the authoritative DNS server for the domain. CAs check the CAA entry before certificate issuance and follow the lookup semantics of RFC 8659 § 3: they walk up from the FQDN towards the root and take the first node that has CAA records. A subdomain with its own CAA entries therefore fully overrides the apex policy; there is no additive inheritance. If no node on that path has a CAA record at all, CAA imposes no restriction and any CA may issue.

issue allows standard certificates. issuewild is separate and applies only to wildcard certificates; if no issuewild record exists, the issue records govern wildcards as well. To rule out wildcards entirely, set only issuewild ";"; to restrict wildcards to a narrower CA selection, list the allowed CAs in issuewild explicitly.

accounturi (RFC 8657) binds cert issuance to a specific ACME account URI: even if an attacker wins DNS-01 or HTTP-01 validation, without control over the named account they cannot issue certificates. validationmethods additionally restricts the allowed ACME challenges (typically dns-01 for domains with DNSSEC).
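The lookup and evaluation rules described above (climbing from the FQDN per RFC 8659 § 3, the issue/issuewild split, and the accounturi parameter from RFC 8657) as a small checker. This is an added example, not the tool's own code; the zone content, the issuer domain "ca-two.example" and the ACME account URI in the test data are constructed for illustration.

```python
"""Added example: parse BIND-style CAA records, select the relevant record set
per RFC 8659 section 3 and decide per sections 4.2/4.3 (plus RFC 8657
accounturi) whether a given CA may issue for a name."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

CRITICAL = 128                      # issuer-critical flag bit (RFC 8659 section 4.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass
class CAA:
    flags: int
    tag: str
    value: str                                   # issuer domain; "" for ";"
    params: dict = field(default_factory=dict)   # e.g. accounturi (RFC 8657)


# owner [ttl] [IN] CAA flags tag "value"
_LINE = re.compile(
    r'^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+(?P<flags>\d+)\s+'
    r'(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"\s*$'
)


def parse_zone(text: str) -> dict[str, list[CAA]]:
    """Group CAA records by owner name (lower-cased, trailing dot removed)."""
    zone: dict[str, list[CAA]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        tag, value, params = m["tag"].lower(), m["value"], {}
        if tag in ("issue", "issuewild"):
            # value = issuer-domain [";" key "=" value]*; a bare ";" means "no CA"
            head, *rest = value.split(";")
            value = head.strip().lower()
            for p in rest:
                k, _, v = p.partition("=")
                if k.strip():
                    params[k.strip().lower()] = v.strip()
        owner = m["owner"].rstrip(".").lower()
        zone.setdefault(owner, []).append(CAA(int(m["flags"]), tag, value, params))
    return zone


def relevant_records(zone: dict, name: str) -> tuple:
    """RFC 8659 section 3: for X or *.X, inspect X, parent(X), ... and return the
    first non-empty CAA set. No inheritance: a child set replaces the parent's."""
    labels = name.rstrip(".").lower().split(".")
    if labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        node = ".".join(labels[i:])
        if zone.get(node):
            return node, zone[node]
    return None, []


def may_issue(zone: dict, name: str, ca: str, account_uri: str | None = None) -> bool:
    """True if CA `ca` may issue for `name` (a wildcard request if it starts with '*.')."""
    _, rrset = relevant_records(zone, name)
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False                              # unknown critical property: refuse
    wildcard = name.startswith("*.")
    governing = [r for r in rrset if r.tag == "issuewild"] if wildcard else []
    if not governing:                             # no issuewild: issue applies too
        governing = [r for r in rrset if r.tag == "issue"]
    if not governing:
        return True                               # no governing property: unrestricted
    for r in governing:
        if r.value == ca.lower():
            uri = r.params.get("accounturi")      # RFC 8657: pin to one ACME account
            if uri is None or uri == account_uri:
                return True
    return False


def completeness(zone: dict, name: str) -> dict:
    """Same question the inspector asks: which of issue/issuewild/iodef are set."""
    _, rrset = relevant_records(zone, name)
    return {t: any(r.tag == t for r in rrset) for t in sorted(KNOWN_TAGS)}


# Constructed sample zone: apex policy from this page plus a subdomain override.
SAMPLE_ZONE = parse_zone("""
example.com.          CAA 0 issue "letsencrypt.org"
example.com.          CAA 0 issuewild ";"
example.com.          CAA 0 iodef "mailto:security@example.com"
api.example.com. 3600 IN CAA 0 issue "ca-two.example; accounturi=https://acme.example/acct/42"
""")

if __name__ == "__main__":
    for n, ca in [("www.example.com", "letsencrypt.org"), ("*.example.com", "letsencrypt.org"),
                  ("api.example.com", "letsencrypt.org")]:
        print(n, ca, may_issue(SAMPLE_ZONE, n, ca))
```

The api.example.com line shows the override rule in action: because that node has its own CAA set, Let's Encrypt is no longer authorized there even though the apex allows it, and ca-two.example is only authorized when the request comes from the pinned ACME account.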

At the DNS provider you typically pick record type "CAA" or "TYPE257" in the UI; the zonefile syntax shown here is BIND-style.

Inspect existing CAA records

Reads the domain's CAA records and checks completeness (issue/issuewild/iodef).


Server path: this inspection does NOT run locally in your browser. We fetch the DNS record or HTTPS response via our server. We do not log the queried domain or the result. Limit: 12 requests per minute per IPv4 address or IPv6 /64 subnet.

How to add this record at your DNS provider

The record generated above has three parts: the record type (CAA for this record; most other records on this site are TXT), the host (a subdomain like _dmarc, _smtp._tls, or empty for the root domain) and the value (the actual payload in quotes). Every DNS provider asks for these same three fields - only the menu wording differs.

INWX (Dernium default for new customers)
  1. Sign in at www.inwx.de.
  2. Tab Nameserver → pick the domain → Nameserver-Sets verwalten → DNS-Einträge.
  3. Button Neuen Eintrag anlegen.
  4. Pick a type (e.g. TXT), enter the host (empty for the root domain, otherwise e.g. _dmarc), paste the value, leave TTL at 3600.
  5. Save. Propagation typically within 5-15 minutes.
Strato
  1. Sign in to the Strato customer area.
  2. Menu Domains → pick the domain → Verwalten.
  3. Section DNS-Verwaltung → Nameserver/DNS-Einstellungen anpassen.
  4. Under Eigene DNS-Verwaltung pick the right record type (TXT records have their own block), enter host and value.
  5. Save. Strato typically propagates within 30-60 minutes.
Hetzner DNS Console
  1. Sign in at dns.hetzner.com.
  2. Click on the zone of your domain.
  3. Button Add record → pick a type, enter the name (use @ for the root domain), paste the value.
  4. Save. Propagation typically under 5 minutes.
IONOS (1&1)
  1. Sign in to the IONOS customer center.
  2. Menu Domains & SSL → click the domain → DNS.
  3. Button Eintrag hinzufügen → pick a type, enter the host, paste the value into the content field.
  4. Save. Propagation typically 15-60 minutes.
Cloudflare
  1. Sign in to Cloudflare, pick the domain.
  2. Tab DNS → Records.
  3. Button Add record → pick a type, enter the name (use @ for the root domain), paste the value, leave proxy status on DNS only for TXT/CAA records.
  4. Save. Propagation typically under 2 minutes.

Note: If your DNS provider is not listed, you usually find the right place under headings like "DNS management", "Zone editor", or "Records". When in doubt, your provider's support helps; the paths shown here are vendor-specific and can shift slightly with redesigns.