CAA Record Checker

Check the CAA records for any domain and see exactly which certificate authorities are allowed to issue TLS certificates for it. Enter a domain and this tool queries live DNS, parses the issue, issuewild and iodef tags, and explains what they permit. CAA is the DNS-level guardrail that stops the wrong CA from issuing a certificate for your domain — this confirms it is set the way you intend.

Runs in your browser over DNS-over-HTTPS (Google / Cloudflare). Nothing is sent to our server and nothing is stored.

How to use the CAA Record Checker

Enter a domain and press Check CAA records. The tool reports:

  • Which CAs may issue normal certificates (the issue tag).
  • Which CAs may issue wildcard certificates (the issuewild tag).
  • The iodef address that receives a report when a CA is asked to issue against policy.
  • A clear note when no CAA record exists, which means any CA is permitted (the default).

CAA is checked by the CA at issuance time, and per the standard CAs walk up from the exact name to the parent domains, so a CAA at your apex protects subdomains too unless they set their own.

What CAA records do

CAA (Certification Authority Authorization) is a DNS record that names which certificate authorities are allowed to issue certificates for your domain. Before a CA issues a certificate, the rules require it to look up your CAA record; if you have listed only certain CAs and the requesting CA is not among them, the CA must refuse. It is a simple, powerful way to reduce the risk of mis-issuance — a certificate wrongly issued for your domain by a CA you never use.

A CAA record has three parts: a flag, a tag, and a value. The tags you will see are:

  • issue — names a CA permitted to issue normal (non-wildcard) certificates, by its domain, for example 0 issue "letsencrypt.org". List each CA you actually use.
  • issuewild — the same but specifically for wildcard certificates (*.example.com). If present it overrides issue for wildcards, which lets you allow wildcards from a narrower set of CAs.
  • iodef — an email or URL (for example mailto:[email protected]) where a CA sends a report if it receives a request that violates your policy. This gives you an early warning of attempted mis-issuance.

Two special cases are worth knowing. No CAA record at all is the default and means every CA may issue — that is not a misconfiguration, just an absence of restriction. And an empty issue value, written 0 issue ";", explicitly forbids all issuance, which is useful for a domain that should never have a certificate. Because CAs check CAA at the moment of issuance and walk up the DNS tree, a single CAA set at your apex covers the whole domain unless a subdomain publishes its own.

Common use cases

  • Locking issuance to your CA — confirm only the certificate authority you use (Let's Encrypt, DigiCert, Google Trust Services) can issue.
  • Verifying a new CAA record — check that a CAA you just added parses correctly and lists the right CAs.
  • Debugging a failed certificate — find out whether a CAA record is blocking your CA from issuing.
  • Controlling wildcards separately — confirm the issuewild rule allows or restricts wildcard certs as intended.
  • Setting up violation reports — verify the iodef address that will be alerted on a policy breach.

When a CAA record blocks your certificate

If issuing a certificate suddenly fails with a CAA error, the cause is almost always a mismatch between your CAA record and the CA you are trying to use. Check for:

  • The CA not listed. Your issue tag names a different CA than the one issuing. Add the correct CA's identifying domain (for example letsencrypt.org for Let's Encrypt, pki.goog for Google Trust Services).
  • A wildcard blocked by issuewild. You are requesting *.example.com but issuewild excludes that CA. Either add it to issuewild or remove the wildcard-specific rule.
  • An accidental block-all. A stray 0 issue ";" forbids everything. Remove it if the domain should have certificates.
  • A CAA on a parent name. Because CAs walk up the tree, a restrictive record on the apex can block a subdomain. Add a subdomain-specific CAA if it needs a different CA.

To generate a correct record once you know which CAs to allow, use the CAA Record Generator, then re-check it here. CAA complements certificate transparency rather than replacing it — for the certificates that actually exist, see a CT log search.

Frequently asked questions

How do I check a domain's CAA records?
Enter the domain above and press Check CAA records. The tool queries live DNS and shows which CAs may issue normal and wildcard certificates, plus the iodef report address, with a clear note if no CAA is set.

What does it mean if there is no CAA record?
It means any certificate authority is allowed to issue for the domain. That is the default and is not a misconfiguration, but publishing a CAA lets you restrict issuance to specific CAs and reduce the risk of mis-issuance.

What is the difference between issue and issuewild?
issue authorises a CA for normal certificates; issuewild authorises a CA specifically for wildcard certificates like *.example.com. If issuewild is present it takes precedence over issue for wildcard requests.

My certificate request failed with a CAA error. What now?
Your CAA record does not list the CA you are using. Check the issue (and issuewild for wildcards) values and add the correct CA's identifying domain, such as letsencrypt.org or digicert.com, then retry issuance.

Does a CAA record on my domain cover subdomains?
Yes. CAs check CAA by walking up from the requested name to the parent domains, so a record at your apex applies to subdomains unless a subdomain publishes its own CAA record.

Does this store the domains I check?
No. The lookup runs in your browser directly against Google or Cloudflare DNS-over-HTTPS. Nothing is sent to our server and nothing is logged.