CAA Record Lookup
Enter a domain to view its CAA records and which CAs are authorized to issue SSL certificates.
Server processing — your query is handled securely on our servers.
How to use CAA Record Lookup
The CAA Lookup retrieves the Certification Authority Authorization records published in a domain’s DNS, which declare exactly which certificate authorities are permitted to issue certificates for that domain. CAA records are a powerful safeguard against mis-issuance: a compliant CA must refuse to issue a certificate if the domain’s CAA records do not authorise it, closing off a whole class of attacks where a rogue or tricked CA issues a certificate for a domain it should not. Use this tool to confirm your CAA policy is in place or to debug why a CA is refusing to issue.
- Enter the domain whose CAA policy you want to inspect.
- Click Lookup to fetch its CAA records from DNS.
- Read the issue and issuewild tags listing authorised CAs.
- Confirm the CA you intend to use is included.
- Check the iodef tag for the contact alerted on violations.
What CAA records contain
A CAA record pairs a tag with a value. The issue tag names a CA allowed to issue standard certificates; issuewild names a CA allowed to issue wildcard certificates; and iodef gives a URL or mailbox where a CA can report an attempted violation. A domain can list several CAs, and an empty issue value of ";" blocks all issuance. Because CAA is checked at issuance time, a record that omits your chosen CA will cause certificate requests to fail — exactly the symptom this lookup helps you diagnose.
| Tag | Meaning |
|---|---|
| issue | CA allowed to issue standard certificates |
| issuewild | CA allowed to issue wildcard certificates |
| iodef | Where to report a policy violation |
Using CAA without locking yourself out
CAA is opt-in: a domain with no CAA records lets any public CA issue, which is the historic default. Adding records tightens that, but you must include every CA you actually use — including any behind a CDN or a managed certificate service, which often issue on your behalf. Forgetting one is the classic mistake that breaks automated renewals. Inheritance also matters: CAA checks walk up from the exact name to the parent domain, so a record at the apex protects subdomains unless overridden. Review your records whenever you change certificate providers.
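The sketch below is an added example, not code from this tool, showing how the tag rules and the parent-domain inheritance described above combine into an issuance decision. The zone data, CA names (`ca-one.example`, `ca-two.example`) and function names are constructed for illustration. It goes slightly beyond the text by following the RFC 8659 rule that a wildcard request falls back to the issue tag when no issuewild tag is present.

```python
# Constructed sample data: owner name -> CAA (tag, value) pairs. CA names are placeholders.
ZONE = {
    "example.com": [
        ("issue", "ca-one.example"),
        ("issuewild", ";"),                       # no CA may issue wildcards
        ("iodef", "mailto:security@example.com"),
    ],
    "shop.example.com": [("issue", "ca-two.example; account=12345")],
}


def relevant_rrset(name, zone):
    """Climb from the requested name towards the root; the first CAA set found wins."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":          # for *.X the search starts at X
        labels = labels[1:]
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def issuer_domain(value):
    """Issuer name is the part before any ';' parameters; ';' alone yields ''."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca, name, zone=ZONE):
    """Return (allowed, owner_of_deciding_rrset) for a CA's issuer domain name."""
    owner, rrset = relevant_rrset(name, zone)
    issue = [v for t, v in rrset if t.lower() == "issue"]
    issuewild = [v for t, v in rrset if t.lower() == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    props = issuewild if name.startswith("*.") and issuewild else issue
    if not props:                 # no records, or nothing that restricts issuance
        return True, owner
    return any(issuer_domain(v) == ca.lower() for v in props), owner


if __name__ == "__main__":
    for ca, name in [("ca-one.example", "www.example.com"),
                     ("ca-one.example", "shop.example.com"),
                     ("ca-two.example", "*.shop.example.com"),
                     ("ca-one.example", "*.example.com")]:
        print(f"{ca:16} {name:22} -> {may_issue(ca, name)}")
```

Note the second case: a record set at `shop.example.com` replaces the apex policy rather than merging with it, so `ca-one.example` is locked out of that subdomain even though it is authorised at the apex.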
Glossary
- CAA record: A DNS record declaring which CAs may issue certificates for a domain.
- issue tag: A CAA tag authorising a CA to issue standard certificates.
- issuewild tag: A CAA tag authorising a CA to issue wildcard certificates.
- iodef: A CAA tag giving a contact for reporting issuance violations.
- Mis-issuance: When a CA issues a certificate it should not have, which CAA helps prevent.
Why use CAA Record Lookup?
- Real-time DNS lookups using live resolver queries
- Supports IPv4 and IPv6 addresses
- No software to install — runs entirely in the browser
- Results include TTL values and record priority
Common use cases
- Verify DNS propagation after updating nameservers
- Check MX records when troubleshooting email delivery
- Look up SPF/DKIM/DMARC records for email security audits
- Test whether an SSL certificate is valid and up to date
- Find the IP address behind a domain name