CAA Record Checker

Description & Best Practices

What are CAA Records?
Certification Authority Authorization (CAA) records (RFC 8659) let you specify which certificate authorities (CAs) are permitted to issue SSL/TLS certificates for your domain. Publicly trusted CAs are required to check CAA before issuing, so a correct record set reduces the risk of unauthorized issuance. Note that CAA is checked by the CA at issuance time, not by browsers: it limits who may issue a certificate, and has no effect on how an already-issued certificate is treated.

How This Tool Works:
- The tool queries the CAA records for your domain. CAA is its own DNS record type (RRtype 257), not a TXT record. Keep in mind that if the exact name has no CAA records, a CA uses the records of the closest parent name that has them, so the parent domain's records also matter for subdomains.
- It parses each record into three components: flag, tag, and value.
- It then analyzes the parsed data:
    - It lists authorized CA(s) from the "issue" tag.
    - It checks for an "issuewild" tag, which controls wildcard certificate issuance.
    - It verifies whether an "iodef" tag is present, which gives CAs a "mailto:" or "https://" address to which they can report certificate requests that violate your policy.

Interpreting the Results:
Example Raw Output:

0 issue "letsencrypt.org"


In this example:
- Flag: 0, meaning the issuer-critical bit is not set. A flag of 128 sets it, and a CA must refuse to issue if it does not understand a tag marked critical.
- Tag: issue, which authorizes the named CA to issue non-wildcard certificates (and, when no issuewild record exists, wildcard certificates as well).
- Value: "letsencrypt.org", the CA's identifying domain, so only Let's Encrypt is allowed to issue certificates. Several issue records authorize several CAs; a value of ";" alone authorizes no CA at all; optional parameters such as "validationmethods=dns-01" may follow the domain after a semicolon.
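The parsing and analysis steps described under "How This Tool Works", together with the flag/tag/value reading given above, as an added example. This is not the checker's own code: the records are constructed sample data held in a dictionary so the example runs offline (a real checker would fetch them with a CAA-type DNS query, e.g. "dig +short CAA example.com"), and the zone names, CA domains and the "fake-tag" property are assumptions for illustration. Beyond what the page shows, it also applies the RFC 8659 issuance rules: climbing to the nearest parent with CAA records, issuewild overriding issue for wildcards, ";" forbidding issuance, and an unknown critical tag forcing refusal.

```python
"""Parse CAA records in presentation format and evaluate whether a CA may issue.

Added example, not the checker's code. Sample records are constructed inline.
"""
from __future__ import annotations
from dataclasses import dataclass

CRITICAL = 128                      # issuer-critical bit of the flags octet (RFC 8659, 4.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & CRITICAL)

    @property
    def issuer_domain(self) -> str:
        """For issue/issuewild: the CA domain before any ';' parameters.
        Empty (value "" or ";") means no CA is authorized by this record."""
        return self.value.partition(";")[0].strip().lower()

    @property
    def parameters(self) -> dict:
        """For issue/issuewild: key=value pairs after the first ';'."""
        params = {}
        for part in self.value.partition(";")[2].split(";"):
            key, _, val = part.partition("=")
            if key.strip():
                params[key.strip()] = val.strip()
        return params


def parse_caa(line: str) -> CAARecord:
    """Split '<flags> <tag> "<value>"' into its three components."""
    flags, tag, value = line.strip().split(None, 2)
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return CAARecord(int(flags), tag.lower(), value)


def relevant_rrset(zone: dict, fqdn: str) -> list[CAARecord]:
    """RFC 8659, section 3: use the name's own CAA records, or else those of
    the closest parent name that has any. Returns [] if none exist at any level."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return zone[name]
    return []


def may_issue(zone: dict, fqdn: str, ca_domain: str) -> bool:
    """Decide whether the CA identified by ca_domain may issue for fqdn.
    A leading '*.' marks a wildcard request, governed by issuewild when present."""
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn
    rrset = relevant_rrset(zone, name)
    # An unknown tag with the critical flag set: the CA must refuse (RFC 8659, 4.1)
    if any(r.critical and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    governing = [r for r in rrset if r.tag == "issuewild"] if wildcard else []
    if not governing:                       # no issuewild (or not a wildcard): issue governs
        governing = [r for r in rrset if r.tag == "issue"]
    if not governing:                       # no issue/issuewild anywhere: no restriction
        return True
    return ca_domain.lower() in {r.issuer_domain for r in governing}


def summarize(rrset: list[CAARecord]) -> dict:
    """The three checks the page describes, plus critical tags a CA would not know."""
    return {
        "issue": sorted({r.issuer_domain for r in rrset if r.tag == "issue"}),
        "issuewild": sorted({r.issuer_domain for r in rrset if r.tag == "issuewild"}),
        "iodef": [r.value for r in rrset if r.tag == "iodef"],
        "critical_unknown": [r.tag for r in rrset if r.critical and r.tag not in KNOWN_TAGS],
    }


# Constructed sample data (assumed names; not real DNS answers).
SAMPLE_ZONE = {
    "example.com": [parse_caa(line) for line in (
        '0 issue "letsencrypt.org"',
        '0 issue "digicert.com; validationmethods=dns-01"',
        '0 issuewild ";"',                            # no wildcard certificates at all
        '0 iodef "mailto:security@example.com"',
    )],
    "lab.example.com": [parse_caa('0 issue ";"')],   # no CA may issue for this name
    "dev.example.com": [parse_caa('128 fake-tag "x"')],  # hypothetical unknown critical tag
}

if __name__ == "__main__":
    for name, ca in (("www.example.com", "letsencrypt.org"),
                     ("*.example.com", "letsencrypt.org"),
                     ("lab.example.com", "digicert.com")):
        print(f"{ca} may issue for {name}: {may_issue(SAMPLE_ZONE, name, ca)}")
    print(summarize(relevant_rrset(SAMPLE_ZONE, "example.com")))
```

The "www.example.com" case is the one most often misread: the name has no CAA records of its own, but it is still restricted because the CA falls back to the records at "example.com". The wildcard case shows issuewild overriding issue, and "dev.example.com" shows why an unknown tag with flag 128 blocks issuance by every CA.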

Recommendations:
- If no CAA record is found at the domain or any parent name, any publicly trusted CA may issue for it; add a record set that restricts issuance to the CAs you use.
- If records exist, ensure that the "issue" tags authorize only the CAs you actually obtain certificates from. For names that should never have a certificate, an issue record with the value ";" blocks issuance entirely.
- Consider adding an iodef tag so that reports of certificate requests that violate your policy can be sent to an email address or URL you specify.
- Review wildcard settings (issuewild) to ensure they match your certificate issuance policy. When no issuewild record exists, the issue records also govern wildcard certificates; when one exists, it alone governs them.

This output gives you both the technical details of the record set and actionable recommendations for tightening your domain's certificate issuance policy.
