What it is
A CAA record is a DNS entry that names which certificate authorities are permitted to issue TLS certificates for your domain. Compliant authorities check it before issuing, and refuse if they are not listed.
Why it matters
Without a CAA record, any public certificate authority can issue a certificate for your domain, which widens the surface for mis-issuance or an attacker obtaining a certificate they shouldn't. A CAA record narrows issuance to the authorities you actually use, a low-effort hardening step that closes a real gap.
How WebGuard checks it
WebGuard performs a read-only DNS lookup for your domain's CAA record and reports whether issuance is restricted. It inspects DNS only and changes nothing.
A sensible starting configuration:
your-domain.com. CAA 0 issue "letsencrypt.org"