All fix guides
How to add a CAA record
Restrict which certificate authorities are allowed to issue certificates for your domain.
What it is
A CAA (Certification Authority Authorization) DNS record names the CAs permitted to issue certificates for your domain.
Why it matters
Without CAA, any certificate authority can issue a certificate for your domain, widening the door to mis-issuance and impersonation.
How to fix it
- 1Identify which CA(s) you actually use (e.g. Let's Encrypt, Sectigo, DigiCert).
- 2Publish CAA records on your root domain, e.g. `0 issue "letsencrypt.org"` and `0 issuewild ";"` to block wildcard issuance if unused.
- 3Add `0 iodef "mailto:security@yourdomain.com"` so you're notified of violations.
- 4Double-check you've listed every CA you use, or renewals will fail.
- 5Re-scan to confirm CAA is published.
Not sure if your site is affected?
Run a free scan — or let us fix it all for you.