Free Tool
CAA Record Checker
Check whether your DNS CAA records authorize only the certificate authorities your domain actually uses.
What this tool checks
This page uses ZeriFlow's deterministic website security engine and focuses the guidance on the configuration area above. For the full report, run a complete free security scan.
Key Checks
Authorized Issuers
Checks which certificate authorities are allowed to issue certificates.
Wildcard Policy
Reviews issuewild rules for wildcard certificate authorization.
Reporting Contact
Highlights optional iodef contact settings for CA incident reporting.
Renewal Safety
Explains how to avoid blocking your real certificate renewal process.
Recommended Baseline
Issue
Authorize only the certificate authorities your team uses.
Wildcard
Add issuewild only if wildcard certificates are required.
Review
Revisit CAA records when changing hosting, CDN, or certificate providers.
Testing
Confirm renewal succeeds after publishing stricter CAA records.
FAQ
What is a CAA record?
A CAA record is a DNS record that tells certificate authorities which providers are allowed to issue certificates for your domain.
Do I need CAA records?
CAA records are a useful domain hardening control. They reduce the chance of unintended certificate issuance by providers you do not use.
Can I use multiple CAA records?
Yes. You can authorize multiple certificate authorities when your organization uses more than one provider.
Will CAA break certificate renewal?
It can if the record does not authorize your actual certificate provider. Always confirm your CA before enforcing CAA.
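To confirm your CA before enforcing CAA, you can evaluate a planned record set offline. The sketch below is an added example, not ZeriFlow's code. It applies the RFC 8659 issue/issuewild rules to a constructed sample record set and assumes the lines passed in are already the relevant CAA RRset for the name (no DNS lookup or parent-domain climbing is done); the function names are hypothetical.

```python
import re

# Constructed sample RRset (zone-file RDATA: flags, tag, quoted value).
SAMPLE_RRSET = [
    '0 issue "letsencrypt.org; validationmethods=dns-01"',
    '0 issue "digicert.com"',
    '0 issuewild "digicert.com"',
    '0 iodef "mailto:security@example.com"',
]

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
RDATA = re.compile(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"(.*)"\s*$')


def parse_caa(lines):
    """Parse CAA RDATA strings into (flags, tag, value) tuples."""
    records = []
    for line in lines:
        m = RDATA.match(line)
        if not m:
            raise ValueError(f"not CAA RDATA: {line!r}")
        records.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    return records


def issuer_domain(value):
    """Issuer domain is the part before any ';' parameters; may be empty."""
    return value.split(";", 1)[0].strip().lower().rstrip(".")


def caa_permits(lines, ca_domain, wildcard=False):
    """Return (allowed, reason) for a CA identified by ca_domain."""
    records = parse_caa(lines)
    # An unrecognized tag with the critical bit (128) set blocks issuance.
    for flags, tag, _ in records:
        if flags & 0x80 and tag not in KNOWN_TAGS:
            return False, f"critical unknown property {tag!r}"
    issue = [issuer_domain(v) for _, t, v in records if t == "issue"]
    issuewild = [issuer_domain(v) for _, t, v in records if t == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True, "no restricting property; CAA does not limit issuance"
    if ca_domain.lower().rstrip(".") in relevant:
        return True, "CA is listed"
    return False, "CA is not listed; issuance or renewal would be refused"
```

With the sample set, a wildcard renewal through letsencrypt.org is refused because the issuewild record names only digicert.com, which is the kind of mismatch to catch before publishing stricter records.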
Need the full security picture?
ZeriFlow combines deterministic website checks across headers, TLS, DNS, cookies, and email security with monitoring, reporting, and AI-powered developer workflows where implemented.