CAA Record Lookup

See which Certificate Authorities are allowed to issue certificates for a domain.

Free • no sign-up • runs live in your browser.

What is a CAA record?

A CAA (Certification Authority Authorization) record lists which Certificate Authorities (CAs) are permitted to issue TLS/SSL certificates for your domain. CAs are required to check CAA before issuing, so it's a simple, powerful guard against unauthorized or mis-issued certificates.

The tags

  • issue — CA allowed to issue normal certificates.
  • issuewild — CA allowed to issue wildcard certificates.
  • iodef — URL/email to report policy violations.

Example: 0 issue "letsencrypt.org" permits only Let's Encrypt to issue certs.

Frequently asked questions

Do I need a CAA record?

It's optional but recommended. Without one, any CA may issue certificates for your domain. With one, issuance is limited to the CAs you trust.

Will CAA break my existing certificates?

No. CAA is only checked at issuance time. Existing certs keep working; just make sure your CAA lists the CA you renew with.

Where does the CAA record go?

On the domain (or subdomain) you want to protect. A CAA record also applies to every name below it in the tree unless a more specific record overrides it.
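
The tag rules and the tree behaviour described above, worked through as an added example (not part of the original page and not any CA's own code): a small Python evaluator that follows the RFC 8659 lookup over a constructed zone. The names ZONE, relevant_rrset and may_issue, the CA name ca.example.net and all zone data are assumptions made for illustration.

```python
# Added example: CAA evaluation following RFC 8659. All zone data is constructed.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample zone: name -> list of (flags, tag, value) CAA records.
ZONE = {
    "example.com": [(0, "issue", "letsencrypt.org"),
                    (0, "iodef", "mailto:security@example.com")],
    "shop.example.com": [(0, "issue", "ca.example.net"),
                         (0, "issuewild", ";")],
    "static.example.com": [(0, "iodef", "mailto:security@example.com")],
}


def relevant_rrset(name, zone):
    """Climb from name toward the root; the first non-empty CAA set wins."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []


def may_issue(ca_domain, requested_name, zone=ZONE):
    """Return True if ca_domain may issue for requested_name under the zone's CAA."""
    wildcard = requested_name.startswith("*.")
    # For a wildcard request the lookup starts at the name without the "*." label.
    records = relevant_rrset(requested_name[2:] if wildcard else requested_name, zone)
    # A critical record (flag bit 128) with a tag the CA does not know blocks issuance.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    by_tag = {}
    for _, tag, value in records:
        by_tag.setdefault(tag.lower(), []).append(value)
    # Wildcard requests use issuewild when present, otherwise they fall back to issue.
    use_wild = wildcard and "issuewild" in by_tag
    rules = by_tag.get("issuewild") if use_wild else by_tag.get("issue")
    if rules is None:
        return True  # no restricting tag (e.g. iodef only): CAA does not limit issuance
    # The CA name is the part before any ";" parameters; an empty name authorizes nobody.
    allowed = {v.split(";", 1)[0].strip().lower() for v in rules} - {""}
    return ca_domain.lower() in allowed
```

Note the static.example.com entry: a record set that contains only iodef still stops the climb, so the issue restriction on example.com no longer covers that name.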