CAA Record Lookup - Check Certificate Authority Authorization
No logs stored • Server-side processing
View which Certificate Authorities can issue SSL/TLS certificates for any domain. Check issue, issuewild, and iodef CAA records with DNSSEC status.
Free Online CAA Record Checker
Enter a domain above to get started
We'll show you A, AAAA, MX, CNAME, TXT, NS, SOA, and CAA records
Check Which CAs Can Issue SSL Certificates for Your Domain
A CAA (Certificate Authority Authorization) record is a DNS record that specifies which Certificate Authorities are permitted to issue SSL/TLS certificates for your domain. Since September 2017, every publicly trusted CA must check for CAA records before issuing a certificate. If the applicable CAA record set exists and does not name the CA, the CA must refuse to issue. CAA constrains publicly trusted CAs only; a private or internal CA is not bound by it.
What You'll Discover
Can Find
- Authorized Certificate Authorities (issue tag)
- Wildcard certificate policies (issuewild tag)
- Violation reporting endpoints (iodef tag)
- CAA record flags (0 = non-critical, 128 = critical)
- TTL values and DNSSEC status
Cannot Find
- Actual SSL certificate details (use SSL checker)
- Certificate expiry dates
- CAA records inherited from parent domains (query parent separately)
How to Check CAA Records
Find out which Certificate Authorities can issue SSL certificates for any domain in seconds.
Enter Domain Name
Type the domain you want to check (e.g., <code>google.com</code>). CAA records are typically set on the root domain. Our tool automatically cleans up http:// or https:// prefixes.
Click 'Lookup'
Press the 'Lookup' button. Our tool queries DNS servers to retrieve all CAA records and DNSSEC status for your domain.
View Authorized CAs
The CAA tab shows all authorized Certificate Authorities. The 'issue' tag lists CAs that may issue certificates (wildcards included when no 'issuewild' record exists), while 'issuewild' lists CAs authorized for wildcard certificates and, when present, replaces 'issue' for wildcard requests.
Check Security Status
Review the DNSSEC indicator to see whether the zone is signed, so that validating resolvers, including the CA's, can detect forged or stripped CAA answers. Also check for 'iodef' records that specify where to report unauthorized issuance attempts.
Understanding Your CAA Lookup Results
Each CAA record contains three components: flags, tag, and value.
Flags
Control how a CA treats a record whose tag it does not understand. 0 = non-critical (the CA may ignore that record), 128 = critical (the 'issuer critical' bit is set: a CA that does not understand the tag must refuse to issue). The flag applies per record, and because 'issue', 'issuewild' and 'iodef' are understood by every compliant CA, most CAA records use flags = 0.
0
Tag (issue)
Authorizes a Certificate Authority to issue certificates for this domain, wildcard certificates included unless an 'issuewild' record exists. The value is the CA's issuer domain name, optionally followed by ';' and CA-specific parameters (for example an account binding). Multiple 'issue' records mean multiple CAs are authorized.
letsencrypt.org
Tag (issuewild)
Authorizes a CA to issue wildcard certificates (*.example.com) only. When any 'issuewild' record exists it replaces 'issue' for wildcard requests; if none exists, 'issue' permissions apply to wildcards too. Set the value to ';' to block all wildcard certificates.
digicert.com
Tag (iodef)
Specifies a URL or email address where CAs should report unauthorized issuance attempts. Uses mailto: or https: URI format.
mailto:security@example.com
TTL (Time To Live)
How long DNS resolvers should cache this CAA record before requesting a new one. Lower values allow faster policy updates.
24h
DNSSEC Status
Indicates whether the domain's zone is DNSSEC-signed. DNSSEC lets a validating resolver detect CAA answers that were forged, altered or stripped in transit; it does not change the records themselves.
Enabled
Why Choose Our CAA Lookup Tool
A clean, powerful CAA record checker with full DNS access and security verification.
Complete CAA Analysis
View all CAA tag types: issue (regular certificates), issuewild (wildcard only), and iodef (violation reporting). See flags and TTL for each record.
DNSSEC Status Display
See whether the zone is DNSSEC-signed alongside its CAA records. With DNSSEC, a validating resolver can reject spoofed CAA answers; without it, a CA performing the check has no way to detect them.
All 8 DNS Record Types
Switch tabs to view A, AAAA, MX, CNAME, TXT, NS, SOA records without leaving the page. Complete DNS visibility in one tool.
Human-Readable TTL
TTL values displayed in easy-to-understand format (24h, 5m) instead of raw seconds.
One-Click Copy
Copy any CAA record value instantly with a single click. Perfect for documentation or configuration.
Multiple Export Formats
Export CAA lookup results in JSON, CSV, or plain text for audits, reports, or configuration management.
When You Need CAA Lookup
Essential scenarios where checking Certificate Authority Authorization records matters.
Prevent Certificate Misissuance
Verify that only your trusted CAs are authorized to issue certificates. Publicly trusted CAs must refuse to issue for your domain when your CAA records do not name them.
Security Compliance Audits
Document your certificate authorization policy for PCI DSS, SOC 2 and similar audits, which ask how you control certificate issuance for your domains; published CAA records are concrete evidence of that control.
Certificate Issuance Troubleshooting
When SSL certificate requests fail, check if CAA records are blocking the CA. Missing or incorrect CAA records are a common cause of issuance failures.
Domain Security Audit
Review your domain's certificate security posture. Check if CAA is properly configured and DNSSEC is enabled for complete protection.
How Certificate Authority Authorization Works
CAA records provide DNS-based control over which Certificate Authorities can issue SSL/TLS certificates for your domain.
What is Certificate Authority Authorization?
CAA (Certificate Authority Authorization) is a DNS record type (TYPE 257) originally standardized in RFC 6844 and now defined by RFC 8659, which obsoletes it. It allows domain owners to specify which Certificate Authorities are authorized to issue SSL/TLS certificates for their domain. Before CA/Browser Forum Ballot 187 took effect (September 2017), a domain owner had no way to restrict which CA could issue for a name: any publicly trusted CA that validated control of the domain could issue a certificate for it. Now all publicly trusted CAs must check CAA records before issuance and refuse if they are not authorized.
CAA Tag Types Explained
CAA records support three tag types: <strong>issue</strong> authorizes a CA to issue certificates, wildcards included when no issuewild record exists; <strong>issuewild</strong> authorizes a CA to issue only wildcard certificates (*.example.com) and, when present, replaces issue for wildcard requests; <strong>iodef</strong> specifies a mailto: or https: URL for reporting unauthorized issuance attempts. The issue and issuewild value is the CA's issuer domain name, optionally followed by ';' and CA-defined parameters (for example an account identifier). Setting the value to just ';' (no issuer domain) authorizes no CA for that type.
Common Certificate Authorities
When configuring CAA records, use the CA's official issuer domain: Let's Encrypt uses <code>letsencrypt.org</code>, DigiCert uses <code>digicert.com</code>, Sectigo (formerly Comodo) uses <code>sectigo.com</code>, Amazon ACM uses <code>amazon.com</code> or <code>amazontrust.com</code>, Cloudflare uses <code>cloudflare.com</code>, and Google Trust Services uses <code>pki.goog</code>. You can authorize multiple CAs by creating multiple 'issue' records. Each CA lists the issuer domain names it recognizes in its CP/CPS, and some recognize several; confirm the exact string there before deploying, because a record naming a domain the CA does not recognize blocks that CA rather than authorizing it.
Why DNSSEC Matters for CAA
CAA is checked by the CA at issuance time over ordinary DNS, so without DNSSEC an attacker who can spoof or intercept DNS responses toward the CA could present a forged CAA answer, or no answer at all, and bypass the restriction. DNSSEC cryptographically signs the zone so that a validating resolver detects such tampering. It also changes how a CA may treat a failed lookup: the Baseline Requirements permit a CA to proceed after a retried lookup failure only when the zone has no DNSSEC validation chain to the ICANN root, so for a signed zone a failure becomes a refusal. This is why we display DNSSEC status alongside CAA lookup results; both are needed for the protection CAA is meant to give.
CAA Inheritance and Subdomain Behavior
CAA lookup follows the DNS hierarchy upward. If <code>blog.example.com</code> has no CAA records, CAs check <code>example.com</code>. This continues until CAA records are found or the TLD is reached. If no CAA records exist anywhere, any publicly trusted CA that validates domain control can issue certificates. The first non-empty CAA record set found is the only one that applies; it is not merged with records higher up. This inheritance means you typically only need to set CAA records on your root domain to protect all subdomains, but a subdomain that publishes its own CAA records replaces the parent's policy for itself and everything below it, and a lookup of a subdomain alone can show nothing while the parent still restricts it.
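The record anatomy described under 'Understanding Your CAA Lookup Results' (flags, tag, value), the tag semantics above and the parent walk are the parts of CAA that checkers most often get wrong, so here is an added worked example. It is not the lookup tool's code and not taken from the RFCs: it decodes CAA RDATA from the TYPE 257 wire format, parses the presentation form (<flags> <tag> "<value>") that dig and the tool display, and applies the RFC 8659 issuance rules over a constructed zone fixture: the first non-empty RRset wins with no merging, issuewild replaces issue for wildcard requests, a bare ';' authorizes no one, and a critical record with an unknown tag blocks issuance. The names in ZONE (example.com, dev.example.com, legacy.example.com) and the issuer domains attached to them are made-up data standing in for real DNS answers.

```python
"""Decode CAA records and apply RFC 8659 issuance rules over a constructed zone.

Added example: not the lookup tool's code. ZONE below is made-up data standing in
for the answers a real CAA query would return; a live checker would fetch the
RRsets over DNS (and check DNSSEC) instead of reading this dictionary.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CRITICAL = 0x80                     # flags bit 7: "issuer critical" (shown as 128)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


def parse_caa_rdata(rdata: bytes) -> CAA:
    """Decode wire format: flags (1 octet) | tag length (1 octet) | tag | value."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("bad CAA tag length")
    tag = rdata[2:2 + tag_len].decode("ascii")
    if not tag.isalnum():
        raise ValueError("CAA tag must be ASCII letters and digits")
    # Tags are case-insensitive; the value is opaque bytes (text for the known tags).
    return CAA(flags, tag.lower(), rdata[2 + tag_len:].decode("utf-8", "replace"))


def parse_presentation(line: str) -> CAA:
    """Parse the zone-file form shown by dig and by the tool: <flags> <tag> "<value>"."""
    flags, tag, value = line.strip().split(None, 2)
    return CAA(int(flags), tag.lower(), value.strip().strip('"'))


def present(rec: CAA) -> str:
    """Render a record back into presentation form."""
    return f'{rec.flags} {rec.tag} "{rec.value}"'


def rdata(flags: int, tag: str, value: str) -> bytes:
    """Wire-encode one record (used here only to build the constructed fixture)."""
    t = tag.encode("ascii")
    return bytes([flags, len(t)]) + t + value.encode("utf-8")


# Constructed fixture (not real DNS data): owner name -> CAA RRset in wire format.
ZONE: Dict[str, List[bytes]] = {
    "example.com.": [rdata(0, "issue", "letsencrypt.org"),
                     rdata(0, "issue", "digicert.com"),
                     rdata(0, "issuewild", ";"),                  # no wildcards at all
                     rdata(0, "iodef", "mailto:security@example.com")],
    "dev.example.com.": [rdata(0, "issue", "letsencrypt.org")],   # own set, not merged with parent
    "legacy.example.com.": [rdata(CRITICAL, "futuretag", "x")],   # critical flag on an unknown tag
}


def relevant_rrset(name: str, zone: Dict[str, List[bytes]] = ZONE) -> Tuple[Optional[str], List[CAA]]:
    """Climb from name toward the root; the first non-empty CAA RRset is the one that applies."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if zone.get(owner):
            return owner, [parse_caa_rdata(r) for r in zone[owner]]
    return None, []


def issuer_domain(value: str) -> str:
    """'ca.example; account=123' -> 'ca.example'; a bare ';' -> '' (authorizes nobody)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca: str, fqdn: str, zone: Dict[str, List[bytes]] = ZONE) -> Tuple[bool, str]:
    """Decide whether issuer domain `ca` may issue for `fqdn` ('*.' prefix = wildcard request)."""
    wildcard = fqdn.startswith("*.")
    owner, rrset = relevant_rrset(fqdn[2:] if wildcard else fqdn, zone)
    if not rrset:
        return True, "no CAA records anywhere in the hierarchy: issuance unrestricted"
    for r in rrset:                 # a critical record the issuer cannot interpret blocks issuance
        if r.flags & CRITICAL and r.tag not in KNOWN_TAGS:
            return False, f"critical unknown tag '{r.tag}' at {owner}"
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"           # when present, issuewild replaces issue for wildcard requests
    tagged = [r for r in rrset if r.tag == tag]
    if not tagged:
        return True, f"no '{tag}' records at {owner}: issuance unrestricted"
    allowed = {issuer_domain(r.value) for r in tagged} - {""}
    if ca.lower() in allowed:
        return True, f"'{ca}' authorized by '{tag}' at {owner}"
    return False, f"'{ca}' not in {sorted(allowed) or 'none'} ('{tag}' at {owner})"


if __name__ == "__main__":
    for ca, name in [("letsencrypt.org", "www.example.com"), ("sectigo.com", "www.example.com"),
                     ("letsencrypt.org", "*.example.com"), ("digicert.com", "dev.example.com"),
                     ("letsencrypt.org", "legacy.example.com"), ("anyca.example", "other.net")]:
        ok, why = may_issue(ca, name)
        print(f"{('ALLOW' if ok else 'DENY'):5} {ca:16} {name:22} {why}")
```

Run it to see ALLOW/DENY decisions with the reason for each. The dev.example.com case is the one the tool's 'query parent separately' note is about: because that name publishes its own CAA set, digicert.com is refused there even though the parent authorizes it, and the parent's issuewild ';' no longer applies beneath it.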
CAA Record Lookup Specifications
- Record Type
- CAA (TYPE 257)
- RFC Standards
- RFC 6844, RFC 8659
- Policy Tags
- issue, issuewild, iodef
- Flags Values
- 0 (non-critical), 128 (critical)
- Query Method
- DNS resolver (recursive)
- Record Types Available
- 8 (A, AAAA, MX, CNAME, TXT, NS, SOA, CAA)
- Default Tab
- CAA
- Response Time
- < 500ms typical
- Cache Duration
- 5 minutes
- Export Formats
- JSON, CSV, Plain Text
- API Access
- Free, no key required
Frequently Asked Questions
What is a CAA record?
CAA (Certificate Authority Authorization) is a DNS record that specifies which Certificate Authorities (CAs) are allowed to issue SSL/TLS certificates for your domain. Since September 2017, all publicly trusted CAs must check for CAA records before issuing certificates. If the applicable CAA record set exists and does not name the CA, the CA must refuse to issue.
What do the CAA tags mean (issue, issuewild, iodef)?
There are three CAA tag types: 'issue' authorizes a CA to issue certificates (wildcards included when no 'issuewild' record exists); 'issuewild' authorizes a CA to issue only wildcard certificates (*.example.com) and, when present, replaces 'issue' for wildcard requests; 'iodef' specifies a URL or email address for reporting unauthorized issuance attempts. You can have multiple records of each type.
Are CAA records required?
CAA records are not required for domain owners, but they're highly recommended for security. CAs are required to check for CAA records before issuing certificates (since September 2017 per CA/Browser Forum Ballot 187). If no CAA records exist, any CA can issue certificates for your domain.
What happens if my domain has no CAA records?
If no CAA records exist at any level of your domain hierarchy, any publicly trusted Certificate Authority can issue certificates for your domain once it has validated domain control. This is less secure because there is no restriction on which CAs can issue. Adding CAA records is a security best practice to prevent unauthorized certificate issuance.
What does 'flags 0' vs 'flags 128' mean?
The flags field controls how a CA handles a record whose tag it does not understand: 0 (non-critical) means the CA may ignore that record and proceed; 128 (critical, the 'issuer critical' bit) means a CA that does not understand the tag must refuse to issue. The flag is evaluated per record. Most CAA records use flags = 0, and the critical flag is rarely used in practice because the three standard tags are understood by every compliant CA.
How do subdomains inherit CAA records?
CAA lookup walks up the DNS tree. If blog.example.com has no CAA records, the CA checks example.com. This inheritance continues until CAA records are found or the TLD is reached, and the first non-empty record set found is the only one that applies; it is not merged with the parent's records. You typically only need CAA records on your root domain to protect all subdomains, unless a subdomain publishes its own CAA records, in which case those alone govern it.
Which Certificate Authorities should I authorize?
Only authorize CAs you actually use: Let's Encrypt (letsencrypt.org), DigiCert (digicert.com), Sectigo (sectigo.com), Amazon ACM (amazon.com or amazontrust.com), Cloudflare (cloudflare.com), Google Trust Services (pki.goog). Confirm the exact issuer domain in the CA's CP/CPS, since a record naming a domain the CA does not recognize blocks that CA. Authorizing fewer CAs improves security.
Why is DNSSEC important for CAA?
DNSSEC cryptographically signs DNS records so that a validating resolver can detect spoofed CAA responses. Without DNSSEC, an attacker able to forge DNS answers toward the CA could bypass CAA by returning a fake response or suppressing the records, and the Baseline Requirements allow a CA to proceed after a retried lookup failure only for zones without a DNSSEC chain to the ICANN root. We show DNSSEC status alongside CAA results because both are needed for CAA to hold up against an attacker who controls the network path.
When did CAA checking become mandatory for CAs?
September 8, 2017, following CA/Browser Forum Ballot 187. All publicly trusted Certificate Authorities must now check CAA records before issuing certificates. This marked a significant improvement in certificate security, giving domain owners control over who can issue certificates.
What if my SSL certificate request fails due to CAA?
If a CA refuses to issue due to CAA, check whether your CAA records authorize that CA under the issuer domain it recognizes. Our tool shows all CAA records for your domain. You may need to add a new 'issue' record for your CA (or an 'issuewild' record for a wildcard request), or you are using a CA that is not authorized. Also check the parent domain for inherited CAA restrictions, and remember that after you change CAA records a CA may keep relying on the previous set for the record's TTL or 8 hours, whichever is greater, so retry the request after that window.
Check Your Domain's CAA Records Now
Verify which Certificate Authorities can issue SSL certificates for your domain. Improve security by controlling certificate issuance.
Check CAA Records