All Collections
Using the OnDMARC App
Dynamic Services
Adding our CA to your CAA record when using Dynamic MTA-STS
Adding our CA to your CAA record when using Dynamic MTA-STS

If you have a CAA record on your domain, you will need to allow our CA to issue certificates on your behalf when you use Dynamic MTA-STS

Faisal Misle avatar
Written by Faisal Misle
Updated over a week ago

One of the requirements of MTA-STS is to host the policy on an HTTPS secured, publicly accessible server. When you use our hosted Dynamic MTA-STS feature, we automatically do this for you via Amazon Cloudfront. We also request an SSL certificate for you via ACM.

However, because we issue certificates on your behalf, if you have a CAA record on your domain, you will need to allow Amazon's CA to issue certificates on your behalf when you use Dynamic MTA-STS.

To allow ACM to issue the certificate on your behalf, please add the following issuer to your CAA record. Instructions will vary per provider, but you can use one of your existing fields as reference.

0 issue "amazon.com"

For more information, please refer to this article.

If you have any questions, please don't hesitate to reach out to our team.

Did this answer your question?