How to Read CAA Records Correctly
Learn how to read CAA records, understand issue, issuewild, and iodef tags, and tell whether certificate issuance is properly restricted for a domain.
Tools For This Topic
What a CAA record is telling you
A CAA record tells certificate authorities which issuers are allowed to issue certificates for a domain. Reading it properly means understanding which CA names are authorised, whether wildcard issuance is treated differently, and whether incident reporting is configured.
CAA is a control record, not a traffic-routing record. It affects certificate issuance decisions rather than where clients connect.
Example CAA records
example.com. 3600 IN CAA 0 issue "letsencrypt.org"
example.com. 3600 IN CAA 0 issuewild "digicert.com"
example.com. 3600 IN CAA 0 iodef "mailto:security@example.com"These records allow Let's Encrypt to issue standard certificates, allow DigiCert to issue wildcard certificates, and define a contact mailbox for CAA-related incident reporting.
How to read the important tags
- issue defines which certificate authorities may issue standard certificates
- issuewild defines which certificate authorities may issue wildcard certificates
- iodef defines where reports should be sent for policy-related issues
- The numeric flag field may include critical handling requirements in some cases
In practice, the most important questions are which CA names are listed and whether those names match the certificate providers your organisation actually uses.
What a healthy CAA setup usually looks like
A healthy CAA configuration is usually short, intentional, and aligned with your actual certificate issuance process. If the domain only uses one or two providers, the record should normally reflect that rather than naming many CAs without a reason.
CAA becomes especially valuable on domains that use multiple teams, CDNs, or cloud platforms, because it reduces the chance of unnecessary certificate issuance sprawl.
Common signs of CAA confusion
- The record authorises certificate authorities nobody expects to be in use
- Wildcard and non-wildcard issuance rules are mixed up
- There is no iodef contact even though the domain is security-sensitive
- The records exist but nobody is sure which platform needs them
- Certificate issuance fails because the intended CA is not actually authorised
How to review CAA in practice
Start by listing the current CAA records, then compare them with the certificate providers used by your CDN, hosting platform, or internal PKI workflow. If the domain relies on one provider for wildcard certificates and another for standard ones, the record should reflect that intentionally.
Like many DNS security controls, CAA is most useful when it is reviewed alongside the real operational environment instead of being copied from a template and forgotten.
Use These DNS Pro Tools
If you want to validate this topic in practice, these DNS Pro tools are the fastest next step.
Related Tools
Related Articles
How to Read SPF Records Correctly
Learn how to read an SPF record, understand mechanisms and qualifiers, spot risky syntax, and tell whether an SPF policy is too broad or too complex.
How to Read DKIM Records Correctly
Learn how to read DKIM records, understand selector hostnames and key tags, and spot the difference between valid publishing and weak configurations.
How to Read NS Records Correctly
Learn how to read NS records, understand what they say about delegation, and spot signs of stale nameservers, mismatches, or broken authority.