Certification Authority Authorization (CAA) records are Domain Name System (DNS) records that allow website owners to specify which Certificate Authorities (CA) they trust to issue SSL Certificates for their domains. This added layer of security helps prevent unauthorized SSL Certificates from being issued.
By adding a Certification Authority Authorization (CAA) record, website owners exert more control over their digital identity and protect against fraudulent SSL Certificate issuance. These records provide a mechanism to control which Certificate Authorities (CA) are permitted to issue SSL Certificates for a given domain, reducing the risk of fraudulent SSL Certificates being generated and deployed by malicious actors.
Trustico® provides the free tools at the links above to generate and verify your Certification Authority Authorization (CAA) records.
Why Use Certification Authority Authorization (CAA) Records
All Certificate Authorities (CA) have been mandated to check Certification Authority Authorization (CAA) Domain Name System (DNS) records before issuing SSL Certificates since September 8, 2017. This means that Certification Authority Authorization (CAA) records are actively enforced across the entire SSL Certificate industry and are not optional for Certificate Authorities (CA) to implement.
Implementing Certification Authority Authorization (CAA) records significantly enhances the security posture of your website by adding an extra verification step that makes it far more difficult for malicious actors to obtain fraudulent SSL Certificates. This is a critical step in protecting your online presence and maintaining the integrity of your encrypted connections.
Using Certification Authority Authorization (CAA) records provides an additional layer of defense against phishing and man-in-the-middle attacks. This protection is vital for maintaining the trust and confidence of your users, particularly when handling sensitive information through your website.
How Certification Authority Authorization (CAA) Records Work
Certification Authority Authorization (CAA) records work by specifying the Certificate Authorities (CA) authorized to issue SSL Certificates for a particular domain. These records are stored in your domain's Domain Name System (DNS) records.
When a Certificate Authority (CA) receives a request to issue an SSL Certificate, it first checks the domain's Domain Name System (DNS) records for a Certification Authority Authorization (CAA) record. If a Certification Authority Authorization (CAA) record exists and the Certificate Authority (CA) is not listed, it will refuse to issue the SSL Certificate. This prevents unauthorized issuance and strengthens your online security posture, and the process is automatic and transparent to website users.
Certification Authority Authorization (CAA) records can set policies for an entire domain or for specific hostnames. They are also inherited by subdomains, which means that a Certification Authority Authorization (CAA) record set on yourdomain.com will automatically apply to all subdomains such as www.yourdomain.com, shop.yourdomain.com, and any other subdomain beneath it. Certification Authority Authorization (CAA) records can also regulate the issuance of single site SSL Certificates, wildcard SSL Certificates, or both, depending on which record tags are configured.
Recognized Domain Names for Sectigo Certification Authority Authorization (CAA) Records
Sectigo, the Certificate Authority (CA) that Trustico® works with to provide SSL Certificates, recognizes three domain names in the issue, issuewild, and issuemail property tags. Any of the following domain names can be used in your Certification Authority Authorization (CAA) records to authorize Sectigo to issue SSL Certificates for your domain.
The recognized domain names are sectigo.com, trust-provider.com, and usertrust.com. All three are equally valid and will authorize Sectigo to issue SSL Certificates for your domain. The examples throughout this page use sectigo.com as it is the primary and most commonly used value.
Certification Authority Authorization (CAA) Records for Trustico® SSL Certificates
Trustico® SSL Certificates are issued by Sectigo, one of the world's largest and most trusted Certificate Authorities (CA). To ensure that Sectigo can issue SSL Certificates for your domain, you need to add the following Certification Authority Authorization (CAA) records to your domain's Domain Name System (DNS) settings through your Domain Name System (DNS) provider or domain registrar.
The following examples demonstrate the Certification Authority Authorization (CAA) records required for a domain called yourdomain.com. Replace yourdomain.com with your actual domain name when adding these records to your Domain Name System (DNS) configuration.
Standard SSL Certificate Issuance
This Certification Authority Authorization (CAA) record allows Sectigo to issue standard SSL Certificates for your domain. This is the most common record type and is required for single site and multi-domain SSL Certificates.
yourdomain.com. IN CAA 0 issue "sectigo.com"
Wildcard SSL Certificate Issuance
This Certification Authority Authorization (CAA) record allows Sectigo to issue wildcard SSL Certificates for your domain. If you intend to secure unlimited subdomains with a wildcard SSL Certificate, this record must be present in your Domain Name System (DNS) configuration.
yourdomain.com. IN CAA 0 issuewild "sectigo.com"
S/MIME E-Mail Certificate Issuance
This Certification Authority Authorization (CAA) record allows Sectigo to issue S/MIME E-Mail Certificates for your domain. If you require E-Mail Certificates for signing and encryption within your organization, this record enables that capability.
yourdomain.com. IN CAA 0 issuemail "sectigo.com"
Sectigo began enforcing Certification Authority Authorization (CAA) lookups for the issuance of publicly trusted S/MIME Certificates on September 15, 2024, following the CA/Browser Forum requirements. As of March 15, 2025, this check is mandatory for all Certificate Authorities (CA) issuing S/MIME Certificates.
Certification Authority Authorization (CAA) for S/MIME operates on the domain part of each e-mail address, which is the portion after the @ symbol. This is different from SSL Certificate Certification Authority Authorization (CAA) checks, which operate on the entire Fully Qualified Domain Name (FQDN).
Complete Certification Authority Authorization (CAA) Record Set
For comprehensive coverage that allows Sectigo to issue all SSL Certificate and S/MIME E-Mail Certificate types for your domain, add all three Certification Authority Authorization (CAA) records to your Domain Name System (DNS) settings. The following example shows the complete record set for a domain.
yourdomain.com. IN CAA 0 issue "sectigo.com"
yourdomain.com. IN CAA 0 issuewild "sectigo.com"
yourdomain.com. IN CAA 0 issuemail "sectigo.com"
Note: A single set of Certification Authority Authorization (CAA) records on your root domain applies to all hosts and subdomains beneath it. For example, records set on yourdomain.com will automatically apply to www.yourdomain.com, shop.yourdomain.com, and all other subdomains. You do not need to add separate records for each subdomain unless you require different policies at the subdomain level.
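To make the inheritance and tag selection concrete, here is an added Python model (not Trustico's or Sectigo's code) of the check a Certificate Authority performs against the record set above, run offline against a constructed zone. The legacy.yourdomain.com override, the example-ca.test identifier and the helper names are this example's own; where the relevant RRset has no record for the requested tag, the example follows RFC 8659 and RFC 9495 and treats issuance as unrestricted.

```python
# Added example, not Trustico's or Sectigo's code: a model of the CAA check a CA
# performs (RFC 8659 / RFC 9495 semantics) against a constructed zone, offline.

# Constructed zone: owner name -> list of (flags, tag, value) CAA records.
ZONE = {
    "yourdomain.com.": [
        (0, "issue", "sectigo.com"),
        (0, "issuewild", "sectigo.com"),
        (0, "issuemail", "sectigo.com"),
    ],
    # Hypothetical host with its own policy: the closest ancestor's RRset wins.
    "legacy.yourdomain.com.": [(0, "issue", "example-ca.test")],
}

# Domain names Sectigo recognizes in the tag value (from the page).
SECTIGO_IDS = {"sectigo.com", "trust-provider.com", "usertrust.com"}

def relevant_caa(name):
    """CAA RRset of name itself or of its closest ancestor that has one."""
    labels = name.rstrip(".").split(".")
    while labels:
        rrset = ZONE.get(".".join(labels) + ".")
        if rrset:
            return rrset
        labels.pop(0)  # climb one label toward the root
    return []          # no CAA anywhere: issuance is unrestricted

def ca_may_issue(name, ca_ids, kind="tls"):
    """kind: 'tls' for name, 'wildcard' for *.name, 'smime' for a mailbox domain."""
    rrset = relevant_caa(name)
    if not rrset:
        return True
    tags = {t for _, t, _ in rrset}
    if kind == "smime":
        tag = "issuemail"
    elif kind == "wildcard" and "issuewild" in tags:
        tag = "issuewild"  # issuewild takes precedence for wildcard names
    else:
        tag = "issue"      # wildcards fall back to issue when no issuewild exists
    if tag not in tags:
        return True        # RRset exists but does not speak to this kind of issuance
    # A value may carry ";param=..." extras; the CA domain is the part before ';'.
    allowed = {v.split(";")[0].strip() for _, t, v in rrset if t == tag}
    return bool(allowed & ca_ids)  # an empty or ";" value allows nobody

def ca_may_issue_email(address, ca_ids):
    """S/MIME CAA is evaluated on the domain part after '@' (RFC 9495)."""
    return ca_may_issue(address.split("@", 1)[1] + ".", ca_ids, "smime")
```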
Adding Certification Authority Authorization (CAA) Records
Adding Certification Authority Authorization (CAA) records to your domain is a straightforward process that varies slightly depending on your Domain Name System (DNS) provider or domain registrar. Most control panels provide a dedicated section for managing Domain Name System (DNS) records where you can add Certification Authority Authorization (CAA) record types directly.
When adding these records, ensure that you select the Certification Authority Authorization (CAA) record type from the available options. Enter the flag value as 0, the tag as either issue, issuewild, or issuemail depending on the record type, and the value as sectigo.com.
Zone File Syntax Formats
The syntax for Certification Authority Authorization (CAA) records can vary depending on the Domain Name System (DNS) server software your provider uses. The two most common formats are the standard BIND zone file format and the generic format used by cloud-based Domain Name System (DNS) providers.
The standard BIND zone file format is used by BIND version 9.9.6 and above, PowerDNS version 4.0.0 and above, NSD version 4.0.1 and above, and Knot DNS version 2.2.0 and above. This format includes the full domain name and record class.
sectigo.com. IN CAA 0 issue "sectigo.com"
The generic format is used by cloud-based Domain Name System (DNS) providers such as Google Cloud DNS and DNSimple. This format omits the domain name and record class, as these are typically set elsewhere in the provider's interface.
0 issue "sectigo.com"
Important: Older versions of BIND (prior to version 9.9.6) and NSD (prior to version 4.0.1) require RFC 3597 syntax for Certification Authority Authorization (CAA) records. If you are using an older Domain Name System (DNS) server version, consult your server documentation for the correct syntax format.
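As an added example (not Trustico's or Sectigo's tooling), the following Python converts one CAA record between the BIND format, the generic format and the RFC 3597 "\#" form that older servers require, and parses all three back into their fields. The owner name yourdomain.com and the helper names are this example's own.

```python
import binascii
import re

CAA_TYPE = 257  # CAA RR type number; RFC 3597 writes it as TYPE257

# Optional "owner [ttl] IN CAA|TYPE257" prefix, then the RDATA in any format.
_PREFIX = re.compile(r"^(?:(\S+)\s+(?:\d+\s+)?IN\s+(?:CAA|TYPE257)\s+)?(.*)$", re.I)

def parse_caa(line):
    """Return (owner or None, flags, tag, value) from BIND, generic or RFC 3597 text."""
    owner, rdata = _PREFIX.match(line.strip()).groups()
    rdata = rdata.strip()
    if rdata.startswith(r"\#"):                        # RFC 3597: \# <len> <hex>
        _, length, hexdata = rdata.split(None, 2)
        raw = binascii.unhexlify(hexdata.replace(" ", ""))
        if len(raw) != int(length):
            raise ValueError("RFC 3597 length does not match the hex data")
        flags, taglen = raw[0], raw[1]
        tag = raw[2:2 + taglen].decode("ascii")
        value = raw[2 + taglen:].decode("utf-8")
    else:                                              # BIND or generic: <flags> <tag> "<value>"
        flags_s, tag, value = rdata.split(None, 2)
        flags, value = int(flags_s), value.strip().strip('"')
    if not 0 <= flags <= 255 or not tag.isalnum():
        raise ValueError("invalid CAA flags or tag")
    return owner, flags, tag.lower(), value

def to_wire(flags, tag, value):
    """CAA RDATA wire format: flags(1) | tag length(1) | tag | value."""
    tag_b, val_b = tag.encode("ascii"), value.encode("utf-8")
    return bytes([flags, len(tag_b)]) + tag_b + val_b

def to_bind(owner, flags, tag, value):
    """Standard zone file form, as used by BIND 9.9.6+, PowerDNS, NSD and Knot."""
    return f'{owner} IN CAA {flags} {tag} "{value}"'

def to_generic(flags, tag, value):
    """Generic form for providers that set owner name and class elsewhere."""
    return f'{flags} {tag} "{value}"'

def to_rfc3597(owner, flags, tag, value):
    """Presentation form for servers without native CAA support (RFC 3597)."""
    wire = to_wire(flags, tag, value)
    return f"{owner} IN TYPE{CAA_TYPE} \\# {len(wire)} {wire.hex()}"
```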
Domain Name System (DNS) propagation typically takes 15 to 30 minutes, after which only the Certificate Authorities (CA) named in your records, in this example Sectigo, will be able to issue SSL Certificates for your domain.
Important Considerations
If no Certification Authority Authorization (CAA) records exist for your domain, any Certificate Authority (CA) can issue SSL Certificates for that domain. Adding Certification Authority Authorization (CAA) records restricts issuance to only the specified Certificate Authorities (CA), which significantly improves your security posture but requires careful planning.
Warning: Before adding Certification Authority Authorization (CAA) records, ensure that you have identified all Certificate Authorities (CA) that currently issue SSL Certificates for your domain. If you have SSL Certificates from multiple providers, you must add Certification Authority Authorization (CAA) records for each Certificate Authority (CA) to avoid issuance failures when you next reissue.
Sectigo does not currently support additional parameters within Certification Authority Authorization (CAA) records for further restricting SSL Certificate issuance beyond the standard issue, issuewild, and issuemail tags. If your organization requires more granular control over SSL Certificate issuance policies, the standard tag-based approach is the only method currently available with Sectigo.
Trustico® recommends implementing Certification Authority Authorization (CAA) records as part of a comprehensive security strategy. Combined with properly configured SSL Certificates, these records provide robust protection against unauthorized SSL Certificate issuance and help maintain the integrity of your encrypted communications.
Reference Information
Certification Authority Authorization (CAA) records are defined in RFC 6844, which specifies the original standard for Certification Authority Authorization (CAA) Domain Name System (DNS) resource records. The S/MIME issuemail property tag is defined in RFC 9495, which extends the original specification to cover e-mail Certificate issuance.
Verifying Your Certification Authority Authorization (CAA) Records
After adding Certification Authority Authorization (CAA) records to your domain, you should verify that they have propagated correctly throughout the Domain Name System (DNS). Various online tools can query your domain's Certification Authority Authorization (CAA) records and confirm that they are configured correctly. This verification step ensures that your SSL Certificate orders will process without delays.
If you experience issues with SSL Certificate issuance after adding Certification Authority Authorization (CAA) records, verify that the records are correctly formatted and have fully propagated.