All Collections
Other Resources
What are Certification Authority Authorization (CAA) DNS records?
What are Certification Authority Authorization (CAA) DNS records?

Learn more about CAA DNS records and why you might need them when it comes to BIMI and VMC certificates.

Ivan Kovachev avatar
Written by Ivan Kovachev
Updated over a week ago

What does CAA stand for?

CAA stands for Certification Authority Authorization (CAA) DNS Resource Record.

What is the purpose of a CAA record?

It allows a domain name holder to specify one or more Certification Authorities (CA's) authorized to issue certificates for that domain. CAA records allow a Certification Authority to implement additional controls to reduce the risk of unintended certificate mis-issue.

Do I need a CAA record?
The answer is it depends. CA’s are only required to check to see if there is a CAA record and if you have permitted the CA to issue a certificate for the FQDN in question.

If you do not list a CAA Record, all CA’s will be able to issue certificates for the FQDN.

So, setting up a CAA record is up to you and your organization to decide if you only want a certain set of CA's to be able to issue certificates on your behalf and narrow down your exposure.

How to check CAA record using dig?
You can use it to check your CAA entry by typing the command below:

dig CAA +short

0 iodef "mailto:[email protected]"
0 issue ""
0 issue ""
0 issuewild ";"

CAA Records Values Per Certification Authority

Click on the button below to find all the CA values to input for your CAA record for each CA.

What if I have a CAA record and want to use Hosted MTA-STS?

You can check out our dedicated article below:

Did this answer your question?