CAA (Certification Authority Authorization) records specify which Certificate Authorities are allowed to issue SSL certificates for your domain.
CAA Record Syntax
```
; Allow only Let's Encrypt
@ IN CAA 0 issue "letsencrypt.org"
; Allow wildcard from Let's Encrypt
@ IN CAA 0 issuewild "letsencrypt.org"
; Address where CAs can report certificate requests that violate this policy
@ IN CAA 0 iodef "mailto:security@example.com"
```
Common CA Values
| Certificate Authority | CAA Value |
|---|---|
| Let's Encrypt | letsencrypt.org |
| DigiCert | digicert.com |
| Sectigo | sectigo.com |
💡 No CAA record: any CA can issue certificates for your domain. For financial and corporate sites, add CAA records to restrict this.
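How a CA is expected to interpret records like the ones above, as an added example that is not part of the original page. It follows the RFC 8659 rules (no records means no restriction, `issuewild` overrides `issue` for wildcard requests, an empty issuer `";"` authorizes nobody) and assumes the records passed in are already the relevant CAA record set for the domain; the names `parse_caa`, `may_issue` and the sample zone are illustrative.

```python
import re

# RDATA of a zone-file CAA line: <flags> <tag> "<value>"
CAA_RE = re.compile(r'\bCAA\s+(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"')

def parse_caa(zone_text):
    """Return (flags, tag, value) tuples; lines starting with ';' are comments."""
    records = []
    for line in zone_text.splitlines():
        if line.lstrip().startswith(";"):
            continue
        m = CAA_RE.search(line)
        if m:
            records.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    return records

def may_issue(records, ca_domain, wildcard=False):
    """Decide whether ca_domain may issue, following RFC 8659 semantics."""
    if not records:
        return True  # no CAA record set: any CA may issue
    known = {"issue", "issuewild", "iodef"}
    # Critical bit (128) on a tag the CA does not understand forbids issuance.
    if any(flags & 128 and tag not in known for flags, tag, _ in records):
        return False
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # e.g. only iodef present: issuance is not restricted
    # Value is "<issuer-domain>[; parameters]"; an empty issuer authorizes nobody.
    issuers = {v.split(";", 1)[0].strip().lower() for v in relevant}
    return ca_domain.lower() in issuers

# Constructed sample policy for example.com (not from the original page)
ZONE = '''
; constructed sample
@ IN CAA 0 issue "letsencrypt.org"
@ IN CAA 0 issuewild "digicert.com"
@ IN CAA 0 iodef "mailto:security@example.com"
'''
POLICY = parse_caa(ZONE)
```

With this sample policy, Let's Encrypt may issue for `example.com` but not for `*.example.com`, because the separate `issuewild` record hands wildcard issuance to DigiCert only.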