Geekflare

CAA Record Lookup

Verify which Certificate Authorities are authorized to issue certificates for your domain.

Powered by Geekflare DNS Records API

Why Use the CAA Lookup Tool

By querying a domain's CAA records, you can confirm that only the CAs you trust are authorized to issue certificates for it. Validating your CAA setup is a critical step in preventing man-in-the-middle attacks that rely on a mis-issued certificate, and in safeguarding your business's digital identity.

CAA Records Results

Tag | Purpose
issue | Names which CA may issue certificates for the domain hostnames.
issuewild | Names which CA may issue wildcard certificates.
iodef | Provides a contact URI if a CA receives a certificate request that violates policy.

Troubleshooting Missing Records

If the lookup tool returns no records, it means you have no CAA policies in place, and technically, any CA can issue a certificate for your domain. To harden your security posture, add CAA records for your domain and explicitly state your preferred Certificate Authority. Enforcing CAA policies is highly recommended as a baseline security standard for websites.
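To see how the tags above and an empty result translate into an issuance decision, here is an added example (not Geekflare's code) that evaluates a CAA record set the way RFC 8659 describes. It assumes the records are already fetched in presentation format for the relevant domain; the CA names, the `account` parameter and the function names are constructed for illustration.

```python
import shlex

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # flags bit: a CA must refuse if it does not understand the tag

def parse_caa(line):
    """Parse one record in presentation format: <flags> <tag> "<value>"."""
    flags, tag, value = shlex.split(line)
    return int(flags), tag.lower(), value

def issuer_domain(value):
    """CA domain from an issue/issuewild value, without any ;parameters."""
    return value.split(";", 1)[0].strip().lower()

def ca_may_issue(records, ca_domain, wildcard=False):
    """True if the CAA record set permits ca_domain to issue the certificate."""
    parsed = [parse_caa(r) for r in records]
    if not parsed:
        return True  # empty result: CAA places no restriction
    if any(f & CRITICAL and t not in KNOWN_TAGS for f, t, _ in parsed):
        return False  # unknown critical property: issuance must stop
    issue = [issuer_domain(v) for _, t, v in parsed if t == "issue"]
    issuewild = [issuer_domain(v) for _, t, v in parsed if t == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # e.g. only iodef records: nothing restricts issuance
    return ca_domain.lower() in relevant  # a bare ";" value matches no CA

# Constructed sample record set (placeholder CA names, not real lookup output).
SAMPLE = [
    '0 issue "ca.example"',
    '0 issuewild "wild-ca.example; account=12345"',
    '0 iodef "mailto:security@example.com"',
]

if __name__ == "__main__":
    for ca in ("ca.example", "wild-ca.example", "other-ca.example"):
        print(ca, "hostname:", ca_may_issue(SAMPLE, ca),
              "wildcard:", ca_may_issue(SAMPLE, ca, wildcard=True))
```

Publishing `0 issue ";"` is the explicit way to state that no CA may issue, which is different from publishing no CAA records at all.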

Frequently Asked Questions

A CAA (Certificate Authority Authorization) DNS record specifies which certificate authorities (CAs) are permitted to issue SSL/TLS certificates for a domain or its wildcards.

The lookup displays common tags including issue (allowed CA for hostnames), issuewild (allowed CA for wildcard certificates), and iodef (contact URI for policy violations).

An empty result means the domain does not publish CAA records in DNS. Any publicly trusted CA may issue certificates unless other controls restrict issuance.