SiteAlertAI SiteAlertAI
⬡ Web Scan 🔒 SSL/TLS 📬 MX Record ✉ Email Header 🎣 URL Check 🌍 IP Geo
⬡ Web Scan 🔒 SSL/TLS 📬 MX Record ✉ Email Header 🎣 URL Check 🌍 IP Geo
← All guides

CAA Records: Control Which CAs Can Issue Your Certificates

A CAA (Certification Authority Authorization) record is a DNS entry that names which certificate authorities are allowed to issue certificates for your domain. Without one, any public CA may issue for you.

Why set CAA

CAA is a guardrail against certificate mis-issuance: if an attacker tricks a CA into issuing for your domain, a CAA record naming only your intended CA causes a compliant CA to refuse. It is a low-effort, defence-in-depth control.

How to add one

Add a DNS CAA record such as: example.com. CAA 0 issue "letsencrypt.org". Add issuewild entries for wildcard certificates, and an iodef entry to receive reports of blocked issuance attempts.

🛰 Check your CAA records →

Related guides

  • What Is HSTS and How Do I Enable It?
  • Content-Security-Policy Explained (and How to Fix a Weak One)
  • Mixed Content: Why Your HTTPS Padlock Breaks
SiteAlertAI · © 2026 All rights reserved · Built for security professionals and developers.
Blog Guides Privacy Terms About Contact Social

⚠ For authorised security testing only. Scanning domains you do not own may violate laws in your jurisdiction. SiteAlertAI accepts no liability for misuse. CVE data is indicative — verify with NVD.