All fix guides

How to add a CAA record

Restrict which certificate authorities are allowed to issue certificates for your domain.

What it is

A CAA (Certification Authority Authorization) DNS record names the CAs permitted to issue certificates for your domain.

Why it matters

Without CAA, any certificate authority can issue a certificate for your domain, widening the door to mis-issuance and impersonation.

How to fix it

  1. 1Identify which CA(s) you actually use (e.g. Let's Encrypt, Sectigo, DigiCert).
  2. 2Publish CAA records on your root domain, e.g. `0 issue "letsencrypt.org"` and `0 issuewild ";"` to block wildcard issuance if unused.
  3. 3Add `0 iodef "mailto:security@yourdomain.com"` so you're notified of violations.
  4. 4Double-check you've listed every CA you use, or renewals will fail.
  5. 5Re-scan to confirm CAA is published.

Not sure if your site is affected?

Run a free scan — or let us fix it all for you.

Privacy and cookie preferences

We use strictly necessary cookies to run the site. Analytics, marketing, and AI assistant telemetry are optional and disabled until you choose. You can update consent any time in Cookie Settings.

Some infrastructure cookies, such as load balancer routing cookies, are essential for service delivery. Details: Cookie Policy