DNS tools

CAA record checker

Prevent unauthorized SSL/TLS certificate issuance and secure your domain with a fast, accurate CAA lookup.

See which Certificate Authorities are allowed to issue SSL/TLS certificates for your domain, and prevent unauthorized issuance.

How to use the CAA checker

Enter your domain

Type example.com and run the check, subdomains work too.

We walk the tree

Per RFC 8659, if no CAA record exists on the domain itself, CAs check each parent domain. We do the same and show where the effective record lives.

Review allowed issuers

The issuers chips show exactly which Certificate Authorities may issue certificates for your domain.

Act on warnings

Missing iodef reporting, wildcard-only policies, and other gaps are flagged with plain-English guidance.

How a CAA record is structured

A CAA record has three parts, flag, tag, and value.

Flag (0 or 128)

A number that defines whether the policy is critical. 128 means CAs must understand every tag or refuse issuance; 0 is the common default.

issue / issuewild

issue authorizes a CA to issue certificates for the domain; issuewild controls wildcard certificates separately. Example value: letsencrypt.org.

iodef

A reporting URL or mailto: address where CAs send notifications about unauthorized issuance requests. Recommended but often missing.

Why use a CAA checker?

Prevent unauthorized certificates

Without CAA, any CA in the world can issue a certificate for your domain. CAA restricts issuance to the CAs you actually use.

Real-time validation

Instantly confirm your CAA policy is published correctly and see exactly what CAs see when they check your domain before issuance.

Troubleshoot failed issuance

Certificate request failing? A forgotten or inherited CAA record blocking your new CA is one of the most common causes.

Identify misconfigurations

Catch stale CA entries, missing iodef reporting, and parent-domain records silently applying to your subdomains.

Frequently asked questions

Any publicly trusted Certificate Authority may issue certificates for your domain. That is not an immediate vulnerability, but publishing CAA meaningfully reduces the risk of mis-issuance and is required by some compliance frameworks.

Yes, publish one CAA record per CA (e.g. one for letsencrypt.org and one for pki.goog). A CA may issue if any issue record names it.

When issuing for sub.example.com, the CA checks sub.example.com first, then example.com, and so on up the tree. The first CAA record set found wins, so a parent record applies to all subdomains that don't publish their own.

CAs will refuse to issue certificates, and renewals will silently fail. If a certificate request is rejected, check that your CAA records include the CA you are using.

After any DNS migration, when switching certificate providers, and periodically as part of security review, stale CAA entries are easy to forget.

Try more email authentication tools

Strengthen your domain security with our free lookup tools.

Run this check once, or have it watched 24/7.

SenderSignal monitors these signals continuously: 48 blacklists, SPF, DKIM, DMARC, TLS and more, with alerts in Slack, email and signed webhooks.

Start monitoring free All free tools