Free DNS CAA Record Validator

CAA Record

Validate your domain's DNS CAA record configuration, confirm which Certificate Authorities are authorized to issue SSL certificates, and identify misconfigurations before they become exploitable. No account needed. Results in seconds.

Enter your domain below to run a free CAA record lookup. The checker queries your authoritative nameservers directly and returns the full Certificate Authority Authorization configuration alongside a validation assessment.

CAA Record Checker

CAA Record Validation

CAA Record Checker And CAA Record Lookup

A CAA record checker does more than confirm whether a record exists. It tells you which CAs are explicitly authorized, whether wildcard certificates are separately controlled, and whether violation reporting is configured. Missing any of these three means your SSL certificate issuance is either uncontrolled, unmonitored, or both.

Running a CAA record lookup on a domain you manage confirms your current configuration matches your intent. Running one on a vendor or client domain confirms their certificate issuance is locked down. The check takes seconds and the gap it surfaces could take weeks to exploit if left unaddressed.

The CAA check above queries your authoritative nameservers directly and returns live data. Missing records are flagged. Unauthorized CAs are identified. CAA configuration gaps between nameservers are surfaced, which is one of the less visible but most dangerous misconfigurations to miss in a client audit.

What is a CAA Record

What are CAA Records?

A CAA record is a DNS record type that controls which Certificate Authorities are permitted to issue SSL and TLS certificates for your domain. Use the CAA checker above to see exactly which CAs are currently authorized and whether your configuration is complete.

Why CAA Records Matter

Since September 2017, all Certificate Authorities are required to check CAA records before issuing certificates. A domain without them is an open target. Specifically, missing CAA records expose your domain to:

  • Unauthorized certificate issuance by rogue or compromised CAs
  • Man-in-the-middle attacks using fraudulent certificates
  • Phishing attacks that rely on improperly issued SSL certificates
  • Domain hijacking attempts through certificate manipulation

How CAA Records Work

CAA records use three main property tags:

  • issue - Specifies which CAs can issue certificates for your domain
  • issuewild - Specifies which CAs can issue wildcard certificates (*.example.com)
  • iodef - Defines where violation reports should be sent (email or URL)

Example CAA records:

example.com.  3600  IN  CAA  0 issue "letsencrypt.org"
example.com.  3600  IN  CAA  0 issuewild "letsencrypt.org"
example.com.  3600  IN  CAA  0 iodef "mailto:security@example.com"
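
How a checker can evaluate these three tags, as an added example (not DNS Spy's code): it parses CAA records in zone-file form, decides whether a CA may issue for the RRset under the RFC 8659 rules, and lists which of the three properties are missing. The function names, the KNOWN_TAGS set, the quoted-value format and the CONSTRUCTED records are assumptions made for the example; SAMPLE is the record set shown above.

```python
import re

# Presentation format assumed: owner TTL IN CAA <flags> <tag> "<quoted value>"
CAA_RE = re.compile(r'^\S+\s+\d+\s+IN\s+CAA\s+(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # assumption: tags this checker understands

SAMPLE = '''
example.com.  3600  IN  CAA  0 issue "letsencrypt.org"
example.com.  3600  IN  CAA  0 issuewild "letsencrypt.org"
example.com.  3600  IN  CAA  0 iodef "mailto:security@example.com"
'''
# Constructed RRset: one CA for ordinary certificates, wildcards forbidden, no iodef.
CONSTRUCTED = '''
example.net.  3600  IN  CAA  0 issue "letsencrypt.org"
example.net.  3600  IN  CAA  0 issuewild ";"
'''

def parse_caa(zone_text):
    """Return [(flags, tag, value), ...] for each CAA line in zone_text."""
    records = []
    for line in filter(None, map(str.strip, zone_text.splitlines())):
        m = CAA_RE.match(line)
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        records.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    return records

def may_issue(records, ca, wildcard=False):
    """RFC 8659 decision for one RRset: may `ca` issue a (wildcard) certificate?"""
    if not records:
        return True  # no CAA RRset: issuance is unrestricted
    # Critical flag (128) on a tag that is not understood forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    wild = [v for _, t, v in records if t == "issuewild"]
    plain = [v for _, t, v in records if t == "issue"]
    # Wildcard requests use issuewild when present; otherwise issue applies.
    relevant = wild if (wildcard and wild) else plain
    if not relevant:
        return True  # e.g. only iodef published: nothing restricts issuance
    # The CA domain is the part before any ';' parameters; an empty one matches no CA.
    return ca.lower() in {v.split(";", 1)[0].strip().lower() for v in relevant}

def audit(records):
    """List which of the three properties (issue, issuewild, iodef) are absent."""
    tags = {t for _, t, _ in records}
    return [f"no {t} property" for t in ("issue", "issuewild", "iodef") if t not in tags]
```
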

Running A Validation

How To Check CAA Records

To run a CAA record check on any domain, enter it in the validator above and click Validate CAA. The tool queries your nameservers, retrieves all published CAA records, and returns a full configuration report. No DNS access is required and nothing changes on your domain by running the check.

If you manage domains on behalf of clients, as most MSPs do, checking CAA records during onboarding and after any certificate or registrar change is standard practice. A CAA record check takes seconds and confirms that the previous administrator did not leave unauthorized CAs on the record, which is one of the more common and easily missed security gaps in inherited domain management.

Your CAA Record Changed. Did You Know?

This CAA checker shows you the current state of your Certificate Authority Authorization. DNS Spy monitors it around the clock and alerts your team the moment anything changes. A CAA record modification is one of the earliest indicators of a certificate hijacking attempt, and it is one of the hardest to catch without continuous monitoring.

No credit card required • 7-day full Enterprise features available • Cancel anytime

CAA Record FAQ

Common Questions

What is a CAA record?
A CAA record is a DNS record type that restricts which Certificate Authorities can issue SSL and TLS certificates for your domain. Without one, any CA can technically issue a certificate for your domain. Use the CAA checker above to see your current configuration and confirm it is set up correctly.

How do I check a CAA record for my domain?
Enter your domain in the CAA record check tool above and click Validate CAA. The tool queries your authoritative nameservers and returns all active CAA records, including the issue, issuewild, and iodef tags, along with a validation assessment.

What does it mean if a domain has no CAA records?
No CAA records means any Certificate Authority is permitted to issue certificates for that domain. This is the default state and a known security gap. Adding at least one issue tag restricts issuance to your chosen CA and closes the door to unauthorized certificate requests from rogue or compromised CAs.

Can a CAA record block my own SSL certificate renewal?
Yes, if your current CA is not listed in your CAA records, they may be blocked from renewing your certificate. This is one of the most common CAA-related incidents. Before updating CAA records, confirm that all CAs you rely on for current and upcoming renewals are explicitly listed.

What is the difference between the issue and issuewild tags?
The issue tag controls which CAs can issue standard certificates. The issuewild tag controls which CAs can issue wildcard certificates (*.yourdomain.com). If you only have an issue tag and need wildcard certificates, some CAs may refuse the request. Both tags should be configured explicitly if your domain uses wildcards.

How often should I check CAA records?
At minimum, check CAA records after any registrar or nameserver change, after onboarding a new domain, and before any certificate renewal. For MSPs managing client domains, CAA record validation should be a standard step in both domain audits and incident response. DNS Spy automates this monitoring so you do not have to remember to check manually.

Best Practices for CAA Records

  • Always specify at least one authorized CA using the issue tag
  • Use separate issuewild tags if you need wildcard certificates
  • Configure iodef notifications to monitor unauthorized certificate requests
  • Regularly validate your CAA records using this tool to ensure proper configuration
  • Update CAA records when changing Certificate Authorities

One Changed Record. One Fraudulent Certificate.

DNS Spy monitors your CAA records around the clock and alerts you the moment anything changes. Start your free 7-day trial with full Enterprise access.