Free CAA Records Checker

Check whether a domain restricts which certificate authorities can issue its SSL certificates with CAA DNS records.

Free and instant. No account or signup needed.

What CAA records do

A CAA record, short for Certification Authority Authorization, is a DNS record that names the certificate authorities you allow to issue SSL and TLS certificates for your domain. It lives alongside your other DNS records and is read by certificate authorities before they hand out a certificate. When a CA sees a CAA record that does not list its own name, it refuses to issue, so the record acts as a public allowlist for who may certify your domain.

The risk this guards against is certificate misissuance. Without a CAA record, every publicly trusted authority is fair game, which means a mistake at any one of them, or an attacker who tricks one of them, can produce a valid certificate for your domain. By listing only the authorities you actually use, you shrink that surface to the handful of CAs you trust, and a request to anyone else is turned away at the source.

The issue and issuewild tags

A CAA record carries a property tag that decides what it controls. The issue tag lists authorities allowed to issue ordinary certificates for the hostname, while issuewild lists authorities allowed to issue wildcard certificates that cover all of your subdomains. Keeping these separate lets you permit a CA for single hosts while holding wildcard certificates to a stricter set, since a wildcard is broader and worth guarding more carefully. A third tag, iodef, gives an address where a CA can report an attempt to issue against your policy.

A typical record looks like example.com. CAA 0 issue "letsencrypt.org", which tells every authority except Let's Encrypt to refuse. Once you have set the right authorities, run a full scan with the DNS Security Checker to review your other DNS protections in one place.
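The issue and issuewild rules above, worked through as a small Python evaluator; this is an added example, not SiteSecurityScore's code. It goes a little beyond the text by following RFC 8659: a lookup climbs from the hostname to the closest parent that has CAA records, and issue also governs wildcard requests when no issuewild record is present. The zone data, the ca.example.net identifier and the function names are constructed for illustration.

```python
import re

# Constructed sample CAA records in zone-file form (not from any real zone).
ZONE = '''
example.com.      CAA 0 issue "letsencrypt.org"
example.com.      CAA 0 issuewild ";"
example.com.      CAA 0 iodef "mailto:security@example.com"
shop.example.com. CAA 0 issue "ca.example.net; validationmethods=dns-01"
'''
LINE = re.compile(r'^(\S+)\s+CAA\s+(\d+)\s+(\w+)\s+"([^"]*)"$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_zone(text):
    """Return {owner name: [(flags, tag, value), ...]}."""
    rrsets = {}
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        owner, flags, tag, value = m.groups()
        key = owner.lower().rstrip(".")
        rrsets.setdefault(key, []).append((int(flags), tag.lower(), value))
    return rrsets

def relevant_rrset(rrsets, fqdn):
    """Climb from fqdn toward the root; the closest name with CAA records wins."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in rrsets:
            return rrsets[name]
    return []

def may_issue(rrsets, name, ca):
    """True if `ca` may issue for `name`; a leading '*.' marks a wildcard request."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(rrsets, name[2:] if wildcard else name)
    # An unrecognised tag with the critical flag (128) set blocks issuance.
    if any(f & 128 and t not in KNOWN_TAGS for f, t, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t == "issue"]
    wild = [v for _, t, v in rrset if t == "issuewild"]
    # issuewild, when present, replaces issue for wildcard requests only.
    rules = wild if (wildcard and wild) else issue
    if not rules:
        return True  # no applicable property, so CAA imposes no restriction
    # The CA identifier is the part before any ';' parameters; a bare ";" names nobody.
    issuers = {v.split(";")[0].strip().lower() for v in rules}
    return ca.lower() in issuers - {""}
```

In this constructed zone, the issuewild ";" record blocks every wildcard under example.com, while shop.example.com has its own record set and so no longer inherits the parent's policy.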

Frequently asked questions

What is a CAA records checker?

A CAA records checker reads the CAA DNS records on a domain and tells you whether the domain restricts which certificate authorities are allowed to issue SSL certificates for it. SiteSecurityScore checks this live by scanning the domain you enter.

Why do CAA records matter for security?

Without a CAA record, any public certificate authority can issue a certificate for your domain. A CAA record names only the CAs you actually use, so a different authority will refuse to issue, which lowers the risk of a mistaken or fraudulent certificate.

What is the difference between the issue and issuewild tags?

The issue tag controls which authorities may issue normal certificates for the exact hostname, while issuewild controls wildcard certificates that cover every subdomain. Setting issuewild lets you allow a CA for single hosts while keeping tighter control over broad wildcard certificates.

How do I add a CAA record?

Add a CAA record at your DNS provider for the domain, using your CA's identifier, for example example.com. CAA 0 issue "letsencrypt.org". Add an issuewild entry if you also need wildcard certificates, and an iodef entry if you want misissuance reports by email.

Does this checker scan a live domain?

Yes. Enter a domain and SiteSecurityScore queries its live DNS, reads any CAA records, and reports what it found in seconds. No account or signup is required.

Check every layer in one scan

This checker covers one piece. Run a full SiteSecurityScore scan to check your security headers, CSP, TLS, DNS, and cookies, with a letter grade and copy-and-paste fixes. No account required.
