Prevent unauthorized SSL/TLS certificate issuance and secure your domain with a fast, accurate CAA lookup.
Type example.com and run the check, subdomains work too.
Per RFC 8659, if no CAA record exists on the domain itself, CAs check each parent domain. We do the same and show where the effective record lives.
The issuers chips show exactly which Certificate Authorities may issue certificates for your domain.
Missing iodef reporting, wildcard-only policies, and other gaps are flagged with plain-English guidance.
A CAA record has three parts, flag, tag, and value.
A number that defines whether the policy is critical. 128 means CAs must understand every tag or refuse issuance; 0 is the common default.
issue authorizes a CA to issue certificates for the domain; issuewild controls wildcard certificates separately. Example value: letsencrypt.org.
A reporting URL or mailto: address where CAs send notifications about unauthorized issuance requests. Recommended but often missing.
Without CAA, any CA in the world can issue a certificate for your domain. CAA restricts issuance to the CAs you actually use.
Instantly confirm your CAA policy is published correctly and see exactly what CAs see when they check your domain before issuance.
Certificate request failing? A forgotten or inherited CAA record blocking your new CA is one of the most common causes.
Catch stale CA entries, missing iodef reporting, and parent-domain records silently applying to your subdomains.
Any publicly trusted Certificate Authority may issue certificates for your domain. That is not an immediate vulnerability, but publishing CAA meaningfully reduces the risk of mis-issuance and is required by some compliance frameworks.
Yes, publish one CAA record per CA (e.g. one for letsencrypt.org and one for pki.goog). A CA may issue if any issue record names it.
When issuing for sub.example.com, the CA checks sub.example.com first, then example.com, and so on up the tree. The first CAA record set found wins, so a parent record applies to all subdomains that don't publish their own.
CAs will refuse to issue certificates, and renewals will silently fail. If a certificate request is rejected, check that your CAA records include the CA you are using.
After any DNS migration, when switching certificate providers, and periodically as part of security review, stale CAA entries are easy to forget.
Strengthen your domain security with our free lookup tools.
SenderSignal monitors these signals continuously: 48 blacklists, SPF, DKIM, DMARC, TLS and more, with alerts in Slack, email and signed webhooks.