What does CAA stand for?

CAA stands for Certification Authority Authorization (CAA) DNS Resource Record.

What is the purpose of a CAA record?

It allows a domain name holder to specify one or more Certification Authorities (CA's) authorized to issue certificates for that domain. CAA records allow a Certification Authority to implement additional controls to reduce the risk of unintended certificate mis-issue.

Do I need a CAA record?
The answer is it depends. CA’s are only required to check to see if there is a CAA record and if you have permitted the CA to issue a certificate for the FQDN in question.

If you do not list a CAA Record, all CA’s will be able to issue certificates for the FQDN.

So, setting up a CAA record is up to you and your organization to decide if you only want a certain set of CA's to be able to issue certificates on your behalf and narrow down your exposure.

How to check CAA record using dig?
You can use it to check your CAA entry by typing the command below:

dig example.com CAA +short

0 iodef "mailto:[email protected]"
0 issue "amazonaws.com"
0 issue "letsencrypt.org"
0 issuewild ";"

CAA Records Values Per Certification Authority

Click on the button below to find all the CA values to input for your CAA record for each CA.

What if I have a CAA record and want to use Hosted MTA-STS?

You can check out our dedicated article below:

Did this answer your question?