CAA Validator is used to check a domain’s CAA DNS records and spot missing or misconfigured entries before SSL issuance problems happen.
CAA Record Types
A CAA DNS record tells certificate authorities which providers are allowed to issue SSL certificates for your domain. This gives domain owners more control over certificate issuance and helps reduce the risk of unauthorized certificates.
issue
The issue tag specifies which certificate authority can issue a standard SSL certificate for the domain. If your domain allows only one CA, this record tells the world that only that provider is authorized.
issuewild
The issuewild tag controls which certificate authority can issue wildcard certificates for the domain. This is useful when you want different rules for wildcard and non-wildcard certificates.
iodef
The iodef tag provides a reporting address where certificate authorities can send notices if they find a policy conflict or problem with the domain CAA record. This can be an email address or a URL, depending on how the record is configured.
CAA Record Format
The CAA record format is made up of three key parts:
Flag: Usually 0, but it can also be used to mark the record as critical
Tag: Such as issue, issuewild, or iodef
Value: The certificate authority or reporting destination
A simple CAA record example looks like this:
example.com. IN CAA 0 issue "letsencrypt.org"
This means Let’s Encrypt is allowed to issue certificates for example.com.
When you run a CAA record lookup, the tool checks whether the domain has valid records, whether the syntax is correct, and whether the configured certificate authorities are clearly defined.
Why do we need a CAA Validator tool?
A CAA validator helps confirm that your domain CAA record is correctly configured and working as intended.
Here is why this matters:
It helps prevent unauthorized SSL certificate issuance
It confirms whether your DNS CAA record is published correctly
It helps identify a missing CAA record
It reduces certificate issuance delays caused by DNS mistakes
It makes troubleshooting easier before renewing or requesting SSL certificates
A CAA record checker is especially useful for developers, sysadmins, hosting teams, and security professionals who need to verify domain certificate policies quickly.
If you want to check a CAA record online, a validator tool gives you a fast way to inspect the live DNS response without manually querying DNS servers.
FAQs
A CAA record, which stands for Certification Authority Authorization, is a DNS resource record that defines which Certificate Authorities (CAs) are allowed to issue SSL/TLS certificates for a domain and its associated domains or subdomains. CAA resource records act as a policy control layer for certificate issuance, specifying authorization rules that help protect both the main domain and its associated domains by ensuring only designated CAs can issue certificates.
You can use a CAA Validator or CAA record checker to perform a CAA lookup by running a DNS query against the domain's DNS. This process checks if a CAA record exists, what values it contains, and whether the format is correct. For the most accurate and up-to-date information, it's best to query the authoritative nameservers or use your DNS provider, as they directly manage your domain's DNS records and ensure proper DNS responses.
A missing CAA record usually means no certificate authority restrictions are explicitly set for the domain. If a CAA record is not found for a specific hostname, the CA will perform additional DNS queries up the hierarchy, checking the parent domain for a CAA record. The parent domain's policy will be applied if a CAA record is found there. If no CAA records are found at any level during these queries, CAA validation will pass and certificate issuance will proceed according to standard CA validation processes without domain-level CAA limitations.
The CAA record format includes a flag, a tag, and a value. This format is defined by the CA/Browser Forum's baseline requirements and is used for Certification Authority Authorization (CAA), allowing domain owners to specify which certificate authorities are permitted to issue certificates for their domain. This tells DNS resolvers and certificate authorities which provider is authorized.
A CAA record type is used to define the policy purpose of the record. CAA records can be set for an entire domain, which creates an umbrella policy that applies to all subdomains unless overridden. If you want to establish different security policies for a specific subdomain, you can create a separate CAA record for that specific subdomain. This allows domain owners to control which Certificate Authorities (CAs) can issue SSL/TLS certificates for both the base domain and its subdomains.
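The parent-domain lookup and the subdomain override described in the answers above can be sketched as follows. This is an added example, not the validator's own code: the zone data, CA names and function names are constructed for illustration, and the evaluation rules follow RFC 8659 rather than anything specific to this tool.

```python
import re

# Constructed CAA RRsets (rdata only: flag tag "value"); no live DNS is queried.
ZONE = {
    "example.com": ['0 issue "letsencrypt.org"',
                    '0 iodef "mailto:security@example.com"'],
    "shop.example.com": ['0 issue "ca.example.net"', '0 issuewild ";"'],
}
RDATA = re.compile(r'^(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse(rdata):
    """Syntax check: return (flag, tag, value) or raise ValueError."""
    m = RDATA.match(rdata.strip())
    if not m or int(m.group(1)) > 255:
        raise ValueError(f"malformed CAA rdata: {rdata!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3)

def relevant_rrset(hostname, zone=ZONE):
    """Climb from hostname toward the root; the first name with CAA records wins."""
    labels = hostname.lower().rstrip(".").split(".")
    if labels[0] == "*":          # a wildcard request is checked at its base name
        labels = labels[1:]
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, [parse(r) for r in zone[name]]
    return None, []

def may_issue(ca_domain, hostname, zone=ZONE):
    """True if CAA does not forbid ca_domain from issuing for hostname."""
    _, rrset = relevant_rrset(hostname, zone)
    # Critical bit (128) on a tag the CA does not understand: must not issue.
    if any(flag & 128 and tag not in KNOWN_TAGS for flag, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # issuewild, when present, replaces issue for wildcard requests only.
    rules = issuewild if hostname.startswith("*.") and issuewild else issue
    if not rules:
        return True               # no record, or only iodef: no restriction
    # The issuer name is the part before any ";" parameters; ";" alone = nobody.
    return any(v.split(";")[0].strip().lower() == ca_domain.lower() for v in rules)
```

A record set on shop.example.com fully replaces the example.com policy for that name and everything beneath it, which is why a CA allowed at the parent is refused for api.shop.example.com.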