← All guides
CAA Records: Control Which CAs Can Issue Your Certificates
A CAA (Certification Authority Authorization) record is a DNS entry that names which certificate authorities are allowed to issue certificates for your domain. Without one, any public CA may issue for you.
Why set CAA
CAA is a guardrail against certificate mis-issuance: if an attacker tricks a CA into issuing for your domain, a CAA record naming only your intended CA causes a compliant CA to refuse. It is a low-effort, defence-in-depth control.
How to add one
Add a DNS CAA record such as: example.com. CAA 0 issue "letsencrypt.org". Add issuewild entries for wildcard certificates, and an iodef entry to receive reports of blocked issuance attempts.