How to Add CAA Records to Your Domain
A CAA record is a DNS record that lists which certificate authorities are allowed to issue TLS certificates for your domain. Without one, any publicly trusted CA may issue a certificate for your domain, and you would not necessarily find out. Here's how to add them in two minutes.
What this finding means
A CAA (Certification Authority Authorisation) DNS record publishes a policy that publicly trusted certificate authorities are required to check before issuing a certificate for a name in your domain. If no CAA record exists anywhere in the name's DNS tree, any CA may issue for it, which increases your exposure to misissuance, whether by a CA that has been compromised or by one that has been tricked through a flawed domain-validation process.
Why it matters
- Checking CAA before issuance has been mandatory for every publicly trusted CA under the CA/Browser Forum Baseline Requirements since September 2017
- They stop a compliant CA from issuing for your domain when it has been compromised or tricked, and they turn issuance by a CA that ignores the policy into a clear, auditable breach
- Certificate misissuance is rare but has happened; CAA records are a cheap, effective defence
- They're a scored finding on most domain security assessment tools
How to add CAA records — step by step
Step 1: Identify which CA you use
Check your current TLS certificate: the issuer is shown in your browser's padlock → Certificate details, or in a mydomainrisk.com scan result. Then list every other CA that issues for any hostname under the domain, including CDNs, hosting platforms and email or SaaS providers that obtain certificates on your behalf. A CAA record at the root domain applies to every subdomain that does not publish its own, so a CA you leave out will be blocked for those names.
Step 2: Add the CAA DNS record
CAA records use the DNS type CAA (type code 257, which older DNS providers show as TYPE257). In zone-file form the record is:
yourdomain.com CAA 0 issue "ca-domain.com"
Common CAA record values by certificate authority
| Certificate Authority | CAA record value |
|---|---|
| Let's Encrypt | 0 issue "letsencrypt.org" |
| DigiCert | 0 issue "digicert.com" |
| Sectigo / Comodo | 0 issue "sectigo.com" |
| GlobalSign | 0 issue "globalsign.com" |
| Amazon (ACM) | 0 issue "amazon.com" |
Recommended — also add a wildcard and iodef report address
yourdomain.com CAA 0 issue "letsencrypt.org"
yourdomain.com CAA 0 issuewild "letsencrypt.org"
yourdomain.com CAA 0 iodef "mailto:security@yourdomain.com"
- issue: authorises the CA to issue certificates for single names; a value of ";" (an empty CA domain) forbids issuance by any CA
- issuewild: authorises the CA to issue wildcard certificates (e.g. *.yourdomain.com). When at least one issuewild record is present it alone governs wildcard requests; when none is present, the issue records govern wildcards as well, so add issuewild ";" if you want single-name issuance without wildcards
- iodef: where the CA should send a report when a request is refused because of the policy. Support for sending these reports varies between CAs, so treat it as useful but not guaranteed
Step 3: Add the records to your DNS
Log in to your DNS provider and add one or more CAA records at your root domain. A record at the root applies to every subdomain that does not publish its own CAA record set, so add a record on a subdomain only when that subdomain needs a different CA. Add all the records you need in a single change, because a partial set is enforced immediately. The usual symptom of a mistake is a failed renewal: the CA refuses with a CAA error rather than issuing. The CAA record type is widely supported; if you can't find it, try TYPE257 or contact your DNS provider.
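To see what the records above actually do once they are published, here is an added example, written for this page and not part of the original guide or any CA's software, that evaluates a CAA policy the way RFC 8659 tells a CA to: climb from the requested name toward the root until a CAA record set is found, then let issue govern single names and issuewild (when present) govern wildcards. The ZONE dictionary is constructed sample data for example.com; the record values and the CA domains are assumptions for illustration.

```python
"""
Added example: how a CA evaluates CAA records for a hostname (RFC 8659).
Not from the original page. The ZONE dictionary is constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # issuer-critical bit in the CAA flags byte


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def issuer_domain(self) -> str:
        # value is "<issuer-domain-name>[; param=value ...]"; an empty
        # issuer-domain-name (written as ";") authorises nobody.
        return self.value.split(";", 1)[0].strip().lower()


_PRESENTATION = re.compile(r'^\s*(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')


def parse_caa(text: str) -> CAARecord:
    """Parse the zone-file presentation format: <flags> <tag> "<value>"."""
    m = _PRESENTATION.match(text)
    if not m or int(m.group(1)) > 255:
        raise ValueError(f"not a CAA record: {text!r}")
    return CAARecord(int(m.group(1)), m.group(2).lower(), m.group(3))


# Constructed sample zone: owner name -> CAA records in presentation format.
ZONE = {
    "example.com": [
        '0 issue "letsencrypt.org"',
        '0 issuewild "digicert.com"',
        '0 iodef "mailto:security@example.com"',
    ],
    "shop.example.com": ['0 issue "sectigo.com"'],   # overrides the apex policy
    "locked.example.com": ['0 issue ";"'],           # nobody may issue
    "legacy.example.com": ['128 unknowntag "x"'],    # critical, unrecognised tag
}


def relevant_rrset(fqdn: str, zone: dict) -> tuple[str | None, list[CAARecord]]:
    """RFC 8659 section 3: climb from the name toward the root and return the
    first CAA record set found; names below it inherit that policy."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, [parse_caa(r) for r in zone[owner]]
    return None, []


def issuance_allowed(name: str, ca_domain: str, zone: dict = ZONE) -> bool:
    """Would the CA identified by ca_domain be permitted to issue for name?
    name may be a wildcard such as "*.example.com"."""
    wildcard = name.startswith("*.")
    _, rrset = relevant_rrset(name[2:] if wildcard else name, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: no restriction applies
    # A critical flag on a tag the CA does not understand means it must refuse.
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # issuewild governs wildcard requests when present; otherwise issue does.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True  # the record set restricts nothing relevant (e.g. only iodef)
    return any(r.issuer_domain == ca_domain.lower() for r in governing)


if __name__ == "__main__":
    for req in ("www.example.com", "*.example.com", "shop.example.com",
                "locked.example.com", "legacy.example.com"):
        for ca in ("letsencrypt.org", "digicert.com", "sectigo.com"):
            print(f"{req:22} {ca:16} {'allowed' if issuance_allowed(req, ca) else 'refused'}")
```

Running it shows the inheritance rule in action: www.example.com has no record of its own and takes the apex policy (Let's Encrypt for single names, DigiCert for wildcards), shop.example.com is governed only by its own record, and locked.example.com refuses every CA. Real CA implementations also chase CNAMEs, treat DNSSEC failures specially and honour issue parameters such as validationmethods; this example ignores those and compares only the CA domain.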
Verify it worked
Scan your domain at mydomainrisk.com; the CAA finding will show as resolved once the records are detected. You can also query DNS directly (if your nslookup rejects the CAA type name, use -type=TYPE257 instead):
nslookup -type=CAA yourdomain.com
Check your CAA records
MyDomainRisk checks CAA records alongside 40+ other domain security signals — free, no account required.
Scan your domain free →