DNS & email authentication

CAA (Certificate Authority Authorization)

What a CAA record does, why it limits who can issue certificates for your domain, and how WebGuard reviews it.

Last updated June 9, 2026

What it is

A CAA record is a DNS entry that names which certificate authorities are permitted to issue TLS certificates for your domain. Compliant authorities check it before issuing, and refuse if they are not listed.

Why it matters

Without a CAA record, any public certificate authority can issue a certificate for your domain, which widens the surface for mis-issuance or an attacker obtaining a certificate they shouldn't. A CAA record narrows issuance to the authorities you actually use, a low-effort hardening step that closes a real gap.

How WebGuard checks it

WebGuard performs a read-only DNS lookup for your domain's CAA record and reports whether issuance is restricted. It inspects DNS only and changes nothing.

A sensible starting configuration:

your-domain.com. CAA 0 issue "letsencrypt.org"

Check this on your own domain

WebGuard reviews this alongside the rest of your external exposure in a single read-only pass. Run a free review, or see everything it covers.