CAA record lookup

See which certificate authorities are allowed to issue for your domain.

This CAA record lookup reads the Certification Authority Authorization records on your domain and lists exactly which CAs are permitted to issue certificates for it. It distinguishes issue from issuewild rules, shows any iodef reporting address, and flags whether the absence of records leaves issuance open to any CA. Setting CAA correctly narrows who can mint certificates in your name, which reduces the risk of mis-issuance. Since these records are easy to forget after a CA change, SJ Monitor's DNS monitoring can watch them and alert on edits.

Frequently asked questions

What happens if I have no CAA records?

With no records, any CA may issue certificates for your domain, which is permitted but offers no extra protection. Adding records restricts issuance to the authorities you actually use.

What's the difference between issue and issuewild?

The issue property controls who can issue regular certificates, while issuewild controls wildcard certificates specifically. You can allow different CAs for each.

How do I avoid blocking my own certificate renewals?

If you change CAs without updating CAA, renewals can fail. SJ Monitor's DNS monitoring alerts you when CAA records change so issuance never breaks unexpectedly.

What CA value do I put in a CAA record?

The CA's issuer domain, such as letsencrypt.org or digicert.com — check your CA's docs for the exact string. List every CA you use, since omitting one blocks it from issuing.

Do subdomains inherit CAA records?

Yes. If a subdomain has no CAA record, CAs walk up the tree to the parent domain's record. Setting CAA at the apex therefore protects the whole domain unless a subdomain overrides it.
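The lookup order and the issue/issuewild split described in the answers above can be worked through in code. This is an added example, not SJ Monitor's code: `ZONE` is constructed sample data with placeholder domain names, and the function names are hypothetical. It goes slightly beyond the page by following the RFC 8659 rule that `issue` also governs wildcard names when no `issuewild` property is present.

```python
# Added example: evaluates constructed CAA data following RFC 8659 semantics.
# ZONE is constructed sample data; example.com names are placeholders.
ZONE = {
    "example.com": [("issue", "letsencrypt.org"), ("issuewild", "digicert.com"),
                    ("iodef", "mailto:security@example.com")],
    "shop.example.com": [("issue", "digicert.com")],   # subdomain override
    "locked.example.com": [("issue", ";")],            # empty issuer: no CA may issue
}

def relevant_rrset(name, zone):
    """Climb from name towards the root; return (owner, records) of the first CAA set."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []

def issuer_domain(value):
    """Drop any parameters after ';' and whitespace; '' means 'no issuer'."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(ca, name, zone):
    """Return (allowed, reason) for CA `ca` issuing a certificate for `name`."""
    wildcard = name.startswith("*.")
    # For a wildcard name the search starts at the name without the "*." label.
    owner, records = relevant_rrset(name[2:] if wildcard else name, zone)
    if owner is None:
        return True, "no CAA records found: any CA may issue"
    issue = [issuer_domain(v) for t, v in records if t.lower() == "issue"]
    issuewild = [issuer_domain(v) for t, v in records if t.lower() == "issuewild"]
    # For wildcard names, issuewild replaces issue when at least one is present.
    rules, tag = (issuewild, "issuewild") if wildcard and issuewild else (issue, "issue")
    if not rules:
        return True, f"CAA at {owner} has no {tag} property: issuance not restricted"
    ok = ca.lower() in rules
    return ok, f"{tag} at {owner} {'permits' if ok else 'does not permit'} {ca}"

if __name__ == "__main__":
    for ca, name in [("letsencrypt.org", "www.example.com"),
                     ("letsencrypt.org", "*.example.com"),
                     ("letsencrypt.org", "api.shop.example.com"),
                     ("digicert.com", "locked.example.com")]:
        print(ca, name, may_issue(ca, name, ZONE))
```

The same check can be run before a CA migration: evaluate the new CA against every name you renew and confirm none comes back as not permitted.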

What is the iodef property for?

iodef specifies a contact (a mailto or URL) where CAs can report attempted policy violations. It's optional, but it gives you visibility into unauthorized issuance attempts.
