CAA Checker
Check a domain's CAA records, which control exactly which certificate authorities are allowed to issue TLS certificates for it.
About the CAA Checker
CAA records let you specify exactly which certificate authorities are permitted to issue TLS certificates for your domain. Without them, any publicly trusted CA can issue, which widens your exposure to mis-issuance. This tool lists a domain's CAA records.
What this tool checks
It resolves the domain's CAA records and shows each issue, issuewild, and iodef tag, revealing which CAs are authorized and where violation reports are sent.
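How a CA evaluates those tags before issuing, following the RFC 8659 rules, shown as an added example that is not this tool's own code. The zone data, domain names, CA identifiers and function names are constructed for illustration.

```python
import re

# Constructed sample data: CAA RRsets in zone-file presentation form, keyed by
# owner name. Domains and CA identifiers are illustrative assumptions.
ZONE = {
    "example.com": [
        '0 issue "letsencrypt.org"',
        '0 issuewild "digicert.com"',
        '0 iodef "mailto:security@example.com"',
    ],
    "locked.example.com": ['0 issue ";"'],       # empty issuer: nobody may issue
    "odd.example.com": ['128 futuretag "x"'],    # unknown tag, critical bit set
}

RECORD = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"(.*)"$')

def parse(rr):
    """Split one CAA record into (flags, tag, value); tags are case-insensitive."""
    flags, tag, value = RECORD.match(rr.strip()).groups()
    return int(flags), tag.lower(), value

def relevant_rrset(name, zone=ZONE):
    """Climb from the name towards the root; the first non-empty RRset wins."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        rrs = zone.get(".".join(labels[i:]))
        if rrs:
            return [parse(rr) for rr in rrs]
    return []

def may_issue(ca, name, zone=ZONE):
    """Return True if the CA identified by `ca` may issue for `name`."""
    rrset = relevant_rrset(name, zone)
    if not rrset:
        return True  # no CAA records on the name or any parent: any CA may issue
    # An unrecognized tag with the critical bit (128) set blocks issuance.
    if any(f & 128 and t not in ("issue", "issuewild", "iodef") for f, t, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t == "issue"]
    wild = [v for _, t, v in rrset if t == "issuewild"]
    # For wildcard names, issuewild (when present) replaces issue entirely.
    allowed = wild if name.startswith("*.") and wild else issue
    if not allowed:
        return True  # only iodef or other non-restricting tags are present
    return any(v.split(";")[0].strip().lower() == ca.lower() for v in allowed)
```

Note that a subdomain with its own CAA records, such as `locked.example.com` here, overrides the parent's set rather than adding to it.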
Why set CAA records
CAA records reduce the risk of an unauthorized or compromised CA issuing a certificate for your domain. They're a simple, high-value DNS hardening step.
Frequently asked questions
What is a CAA record?
A Certification Authority Authorization record specifies which certificate authorities are allowed to issue certificates for your domain. CAs are required to honor it.
What happens without CAA records?
Any publicly-trusted CA may issue certificates for your domain. Adding CAA records restricts issuance to the CAs you choose, reducing mis-issuance risk.
Do CAA records affect existing certificates?
No. They only govern new issuance. Existing certificates keep working, but future requests to unauthorized CAs will be refused.