CAA Record Helper

By SSLMate

Over a hundred certificate authorities (CAs) have the power to issue certificates which vouch for the identity of your website. Certificate Authority Authorization (CAA) is a way for you to restrict issuance to the CAs you actually use so you can reduce your risk from security vulnerabilities in all the others. Setting up CAA is an easy way to improve your website's security. Learn More

1. Enter Your Domain Name

2. Choose an Initial Policy

You'll start with an empty policy that prohibits all CAs.
Your policy will allow only the CAs used by SSLMate.
We'll use Certificate Transparency to see which CAs you're currently using.
We'll load your existing CAA record set so you can make adjustments.

3. Select Authorized Certificate Authorities

Check off the certificate authorities which you authorize to issue certificates for your domain. You can separately authorize the issuance of wildcard and non-wildcard certificates.

Type of certificate
Non-Wildcard Wildcard

4. Incident Reporting (Optional)

You can specify an email address or URL for reporting certificate requests or issued certificates that violate your CAA policy. Reports will be provided in iodef format.

5. Publish Your CAA Policy

Add the following CAA records to your domain's DNS. Your DNS must be hosted with a service that supports CAA.


For Google Cloud DNS, Route 53, DNSimple, and other hosted DNS services

Name Type Value

Standard Zone File

For BIND ≥9.9.6, PowerDNS ≥4.0.0, NSD ≥4.0.1, Knot DNS ≥2.2.0


Legacy Zone File (RFC 3597 Syntax)

For BIND <9.9.6, NSD <4.0.1, Windows Server 2016






5. Monitor Your Domain (Optional)

Even if you publish a CAA record, a noncompliant certificate authority can ignore your CAA records. Use Cert Spotter to monitor Certificate Transparency logs so you'll be notified if this happens.