CAA Records Generator
Generate properly formatted CAA DNS records for any domain in seconds. Choose from 60+ certificate authorities, set separate rules for wildcard and non-wildcard certificates, add an optional iodef contact, and copy the output in whichever format your DNS provider needs — Generic CAA, BIND zone, Legacy TYPE257, tinydns or dnsmasq.
- Domain: Enter the domain you want to publish CAA records for, such as example.com. CAA records on the registered domain apply to every subdomain underneath.
- Empty Policy: Clears every field so you can build a CAA policy from scratch.
- Auto Generate: Pre-fills a sample policy for example.com with Let's Encrypt and Sectigo authorized for both standard and wildcard certificates.
- Load Current Policy: Fetches the live CAA records published for the domain you entered and pre-fills the form so you can edit the existing policy.
- Certificate Authorities: Pick the CAs you want to authorize. Each CA shows separate Non-Wildcard and Wildcard toggles once selected.
- iodef: A reporting address (email or URL) where certificate authorities can notify you of policy violations or misissuance attempts.
- Generate Policy: Builds CAA records in five formats (Generic CAA, BIND zone, Legacy TYPE257, tinydns and dnsmasq) from the inputs above.
What You Get From This Tool
Records in Five Output Formats

Every other CAA generator on the first SERP page outputs only the standard RFC 8659 syntax. The APIFreaks generator also outputs BIND zone, Legacy TYPE257 (RFC 3597 hex), tinydns and dnsmasq — the formats older nameservers and self-hosted resolvers still need.
60+ Certificate Authorities in a Single Dropdown
From Let's Encrypt and DigiCert to Buypass, Certigna, Government of Spain ACCV, NAVER Cloud Trust Services and ZeroSSL-adjacent CAs. If a publicly trusted CA exists, it's in the list. No typing the wrong domain by accident.
Separate Wildcard and Non-Wildcard Rules
Toggle issuewild and issue independently per CA. The tool builds the right combination so a CA you trust for *.example.com isn't accidentally authorized for the apex.
Pull a Domain's Current CAA Policy

Paste any domain and click Load Current Policy — the tool fetches the live records and pre-fills the form. Faster than retyping a configuration just to add one CA. If you only need to inspect a domain's existing records without editing them, use our CAA record checker instead.
Optional iodef Reporting
Drop in a security contact email or URL and the tool adds an iodef record so CAs can notify you of policy violations or attempted misissuance.
Free, No Login, No Rate Limits
Generate records for as many domains as needed. No sign-up wall, no captcha. Copy the output to your DNS provider and move on.
How to Use the CAA Records Generator
- Step 1: Enter the domain name. Type the registered domain you want to protect, such as example.com. CAA records are usually set on the registered domain so they apply to every subdomain underneath.
- Step 2: Choose a starting point. Pick one of three options under Initial Policy:
  - Empty Policy clears every field. Use this if you're building a policy from scratch.
  - Auto Generate pre-fills a sample policy for example.com with Let's Encrypt and Sectigo as the authorized CAs for both standard and wildcard certificates. Useful as a template you can edit.
  - Load Current Policy fetches the live CAA records published for the domain you entered and pre-fills the form. The fastest way to amend an existing policy.
- Step 3: Select certificate authorities. Open the CA dropdown and pick every authority you want to allow. The list includes 60+ publicly trusted CAs: Let's Encrypt, DigiCert, Sectigo, GlobalSign, GoDaddy, Google Trust Services, Amazon Trust Services, Buypass, ZeroSSL-adjacent providers and many regional CAs.
- Step 4: Toggle wildcard and non-wildcard per CA. For each selected CA, tick or untick:
  - Non-Wildcard allows the CA to issue standard certificates (the issue tag in CAA syntax).
  - Wildcard allows the CA to issue *.example.com certificates (the issuewild tag).
  If neither box is ticked, the CA is excluded entirely. If only Wildcard is ticked, the CA can issue *.example.com but not example.com, which is useful for splitting trust across providers.
- Step 5: Add an iodef email (optional). If you want CAs to notify you of policy violations, enter a reporting address in the iodef field. Use a security contact you actively monitor; most CAs will email this address before they issue a certificate that conflicts with your policy.
- Step 6: Click Generate Policy and copy the output. The tool returns five output blocks. Use whichever your DNS provider supports:
  - Generic CAA Records: works on Cloudflare, Route 53, Namecheap, DNSimple and most modern panels.
  - Standard BIND Zone File: paste straight into a zone file managed with BIND or compatible tooling.
  - Legacy Zone File (TYPE257): for nameservers without native CAA support. Uses the RFC 3597 hex format.
  - tinydns: for djbdns and tinydns-based servers.
  - dnsmasq: for dnsmasq deployments using --dns-rr.
Paste the records into your DNS provider, save, and wait for propagation. Most CAs check CAA at issuance time, so the policy is enforced as soon as the records are live.
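The five output blocks listed in Step 6 all encode the same flag/tag/value triple; the following added example (not the APIFreaks tool's own code) builds one CAA record in each format, using the wire layout from RFC 8659, the RFC 3597 unknown-type syntax for TYPE257, and the generic-record syntax of tinydns and dnsmasq's --dns-rr. The domain and CA are taken from this page's example; the 3600 TTL is an assumption.

```python
# Added example (not the APIFreaks tool's own code): emit one CAA record in the
# five output formats the generator offers. Wire layout follows RFC 8659, the
# TYPE257 line follows the RFC 3597 unknown-type syntax, and the tinydns and
# dnsmasq lines follow those programs' generic-record syntax.

def caa_rdata(flag: int, tag: str, value: str) -> bytes:
    """CAA RDATA: 1-octet flags, 1-octet tag length, tag, then the value."""
    if not 0 <= flag <= 255:
        raise ValueError("flag must fit in one octet")
    tag_b = tag.encode("ascii")
    if not (1 <= len(tag_b) <= 255 and tag_b.isalnum()):
        raise ValueError("tag must be 1-255 alphanumeric ASCII characters")
    return bytes([flag, len(tag_b)]) + tag_b + value.encode("utf-8")


def tinydns_escape(data: bytes) -> str:
    """tinydns data field: printable bytes stay literal; everything else, plus
    ':' and '\\' (which would break the field separator), becomes \\ooo octal."""
    return "".join(chr(b) if 0x20 <= b < 0x7F and b not in (0x3A, 0x5C)
                   else "\\%03o" % b for b in data)


def caa_formats(domain: str, flag: int, tag: str, value: str, ttl: int = 3600) -> dict:
    """The same record as Generic, BIND, Legacy TYPE257, tinydns and dnsmasq lines."""
    rdata = caa_rdata(flag, tag, value)
    hexdata = rdata.hex()
    return {
        "generic": f'{domain} CAA {flag} {tag} "{value}"',
        "bind": f'{domain}. IN CAA {flag} {tag} "{value}"',
        # RFC 3597: TYPE<n> \# <rdata length> <hex octets>
        "type257": f"{domain}. IN TYPE257 \\# {len(rdata)} {hexdata}",
        # tinydns generic record: :fqdn:type:escaped-rdata:ttl (TTL is an assumed value)
        "tinydns": f":{domain}:257:{tinydns_escape(rdata)}:{ttl}",
        # dnsmasq: dns-rr=<name>,<RR-number>,<hex data>
        "dnsmasq": f"dns-rr={domain},257,{hexdata}",
    }


if __name__ == "__main__":
    # Constructed input: the page's example domain with one authorized CA.
    for line in caa_formats("ipgeolocation.io", 0, "issue", "letsencrypt.org").values():
        print(line)
```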
Example Output Explained
For domain ipgeolocation.io with Actalis, Let's Encrypt, and Sectigo authorized for both wildcard and non-wildcard issuance, the generator returns the following records in each format:
Generic CAA Records
ipgeolocation.io CAA 0 issue "actalis.it"
ipgeolocation.io CAA 0 issue "letsencrypt.org"
ipgeolocation.io CAA 0 issue "sectigo.com"
Standard BIND Zone File
ipgeolocation.io. IN CAA 0 issue "actalis.it"
ipgeolocation.io. IN CAA 0 issue "letsencrypt.org"
ipgeolocation.io. IN CAA 0 issue "sectigo.com"
What this policy enforces
Once these records are live, only Actalis, Let's Encrypt and Sectigo can issue SSL/TLS certificates — standard or wildcard — for ipgeolocation.io. If any other publicly trusted CA receives an issuance request for the domain, it must check these records first and refuse to issue.
CAA Record Anatomy

Every CAA record has the same three-part structure:
<domain>. IN CAA <flag> <tag> "<value>"
Flag
A number from 0 to 255. In practice, only 0 (no critical handling) and 128 (critical — CAs that don't understand the tag must refuse) are used. Almost every record published in the wild uses 0.
Tag

One of three values that defines what the record controls:
- issue — names the CAs allowed to issue standard (non-wildcard) certificates.
- issuewild — names the CAs allowed to issue wildcard certificates such as *.example.com. If no issuewild record is present, the issue records apply to wildcards too.
- iodef — points to an email address or URL where CAs can report policy violations or suspected misissuance.
Value
The CA's identifier (letsencrypt.org, sectigo.com, pki.goog, and so on) or, for iodef, a mailto: or https:// URL. A value of ";" means "no CA is authorized" — useful for explicitly forbidding wildcard issuance, as Google does in the example below.
Real example — google.com
The Load Current Policy option on the tool returns this for google.com:
google.com CAA 0 issue "pki.goog"
google.com CAA 0 issuewild ";"
Translation: only Google Trust Services may issue standard certificates for google.com, and no CA may issue wildcard certificates. This is a strict policy any high-value domain can copy.
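The enforcement rules described in this section and in "What this policy enforces" above (tree climbing to the registered domain, issuewild overriding issue only when present, and ";" authorizing nobody) follow RFC 8659; the added example below (not the tool's code) evaluates them against a constructed zone holding the ipgeolocation.io and google.com records shown on this page.

```python
# Added example (not the tool's own code): evaluate a CAA policy the way RFC 8659
# tells a CA to. Climb from the requested name to the closest ancestor that has
# CAA records; for wildcard names use issuewild when any is present, otherwise
# fall back to issue; a bare ";" value authorizes nobody; no records at all means
# issuance is unrestricted. ZONE is constructed from the records shown on this page.

ZONE = {  # constructed sample: name -> list of (flag, tag, value)
    "ipgeolocation.io": [(0, "issue", "actalis.it"),
                         (0, "issue", "letsencrypt.org"),
                         (0, "issue", "sectigo.com")],
    "google.com": [(0, "issue", "pki.goog"), (0, "issuewild", ";")],
}


def relevant_records(zone: dict, fqdn: str) -> list:
    """Return the CAA RRset of fqdn or its closest ancestor; [] if none exist."""
    name = fqdn.rstrip(".")
    if name.startswith("*."):          # a wildcard's policy is its parent's policy
        name = name[2:]
    labels = name.split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def permitted_issuers(records: list, wildcard: bool):
    """Issuer domains allowed for this request: None = unrestricted, [] = nobody."""
    if not records:
        return None
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in records) else "issue"
    issuers = []
    for _, t, value in records:
        if t != tag:
            continue
        issuer = value.split(";", 1)[0].strip().lower()   # drop "; key=val" parameters
        if issuer:                                        # ";" alone names no issuer
            issuers.append(issuer)
    return issuers


def may_issue(zone: dict, ca_domain: str, fqdn: str) -> bool:
    """True if the CA identified by ca_domain may issue a certificate for fqdn."""
    wildcard = fqdn.startswith("*.")
    allowed = permitted_issuers(relevant_records(zone, fqdn), wildcard)
    return True if allowed is None else ca_domain.lower() in allowed


if __name__ == "__main__":
    print(may_issue(ZONE, "letsencrypt.org", "api.ipgeolocation.io"))  # True
    print(may_issue(ZONE, "pki.goog", "*.google.com"))                 # False
```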
Use Cases
You're launching a new domain and want SSL locked down from day one
Before the first certificate is issued, publish a CAA policy that names only the CA you intend to use. If anyone — internal team or attacker — tries to obtain a certificate from a different CA, the request is refused at the validation step.
You manage a large estate and want a consistent policy across hundreds of domains
Use the generator once to produce the canonical record block, then paste the same Generic CAA records into every zone via your DNS provider's API or Terraform. The output is text, so it scripts cleanly.
Migrating between certificate authorities
Add the new CA to the existing policy, deploy, request the new certificate, then remove the old CA after the cutover. Loading the current policy first means you don't accidentally drop existing entries.
You run a self-hosted nameserver (BIND, tinydns, dnsmasq, PowerDNS)
Most online CAA tools assume you're on Cloudflare or Route 53. The five output formats here cover the providers and software that don't have a pretty UI for CAA — paste the BIND zone, tinydns or dnsmasq output directly into your config.
You're on a DNS provider that only supports legacy TYPE257
Some older DNS panels don't have native CAA support but accept generic TYPE257 records (RFC 3597). The Legacy Zone File output gives you the hex-encoded equivalent — same effect, syntax your provider accepts.
You want CAs to email you about policy violations
Add an iodef address. Any CA that receives a non-conforming issuance request is expected to report it to the contact you specify. It's a low-cost early-warning system for certificate mis-issuance attempts.
You're preparing for a security audit or compliance review
CAA records are a measurable control that auditors increasingly ask about. Generate the policy, publish it, and document the decision: "only these CAs are authorized" is a defensible answer in PCI DSS, SOC 2 and ISO 27001 reviews.

FAQs
A CAA (Certificate Authority Authorization) record is a DNS resource record that names the certificate authorities allowed to issue SSL/TLS certificates for a domain. It was standardized in RFC 8659. Public CAs are required to check CAA records before issuing and to refuse issuance if their identifier isn't listed.
As soon as the records propagate, which depends on your zone's TTL — typically a few minutes to a couple of hours. CAs check CAA at issuance time, so the policy is enforced the next time anyone requests a certificate for your domain. To confirm the records went live, run your domain through our CAA record checker.
Need this in your application?
If you generate CAA records programmatically — auditing thousands of domains, monitoring policy changes, or building a security dashboard — the manual tool isn't the right fit. Pull the same data through our DNS API to read live CAA records, or pair it with our SSL Certificate Lookup API to see which CAs are issuing certificates for the domains you cover.
Get Free API Key