Adding a CAA Record

CAA (Certification Authority Authorization) records allow domain name owners to indicate to certificate authorities (CAs) whether they are authorized to issue digital certificates for their domain names, which reduces the risk of issuing unauthorized certificates.

Please refer to this document to learn about how CAA records work and their format.

To add a CAA record, perform the following operations:

  1. On the Domains page, click the domain where you wish to add a new record and then open the DNS tab.
  2. Select the DNS Records subtab.
  3. Click Add New DNS Record.
  4. Select the CAA DNS record type and specify the following DNS record properties:
    • In the Domain field, enter the host name for which you are creating this record. If you are creating this record for the host name that matches the name of your domain, leave the field empty.
    • In the Flag field, enter a flag.
    • In the Tag field, enter a tag.
    • In the Value field, enter a value for the tag.
    • TTL (Time To Live): Set how many seconds will elapse before the record is refreshed in the DNS cache. To set the TTL, choose between Default TTL and Custom. In the latter case, you must specify your own TTL for the record being created.

      Note: The TTL parameter can be edited later.

  5. Click Finish.

Examples of CAA records:

Domain name   Flag  Tag        Value

example.com.  0     issue      ca.example.net

This record indicates that only the CA identified by ca.example.net is authorized to issue certificates, both non-wildcard and wildcard ones, for example.com and its subdomains.

If you need to authorize several CAs, create a separate CAA record for each of them.

example.com.  0     issue      ;

This record indicates that no CA is authorized to issue certificates for example.com and its subdomains.

example.com.  0     issue      ca1.example.net
example.com.  0     issuewild  ca2.example.net

These records indicate the following:

  • The CA identified by ca1.example.net is authorized to issue only non-wildcard certificates for example.com and its subdomains.
  • The CA identified by ca2.example.net is authorized to issue only wildcard certificates for example.com and its subdomains.

example.com.  0     iodef      mailto:domain-owner@example.com

This record indicates that CAs can report invalid certificate requests to domain-owner@example.com.
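
To check a planned set of records before saving it, the following sketch applies the rules from the record examples above to a CA and a request type. It is an added example, not part of the product or its documentation. The function names are hypothetical, the records passed in are assumed to be the ones that apply to the requested name, and the critical-flag check follows the CAA specification rather than this page.

```python
# Added example: decide whether a CA may issue, given the CAA records that
# apply to a name. Records are (flag, tag, value) tuples as entered in the form.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # "issuer critical" flag bit; the page's examples all use flag 0

# Record sets copied from the examples above.
SINGLE_CA = [(0, "issue", "ca.example.net")]
NO_CA = [(0, "issue", ";")]
SPLIT = [(0, "issue", "ca1.example.net"), (0, "issuewild", "ca2.example.net")]
IODEF_ONLY = [(0, "iodef", "mailto:domain-owner@example.com")]


def issuer_domain(value):
    """Return the CA domain in an issue/issuewild value ('' for a bare ';')."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(records, ca_domain, wildcard):
    """True if ca_domain may issue a (wildcard) certificate under these records."""
    if not records:
        return True  # no CAA records: issuance is not restricted
    for flag, tag, _ in records:
        if flag & CRITICAL and tag.lower() not in KNOWN_TAGS:
            return False  # a critical tag the CA does not understand blocks issuance
    issue = [issuer_domain(v) for _, t, v in records if t.lower() == "issue"]
    issuewild = [issuer_domain(v) for _, t, v in records if t.lower() == "issuewild"]
    # issuewild overrides issue for wildcard requests and is ignored otherwise.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # e.g. only iodef records: nothing restricts issuance
    return ca_domain.lower() in relevant


if __name__ == "__main__":
    for name, rrset in [("single", SINGLE_CA), ("none", NO_CA), ("split", SPLIT)]:
        for ca in ("ca.example.net", "ca1.example.net", "ca2.example.net"):
            print(name, ca,
                  "plain:", may_issue(rrset, ca, False),
                  "wildcard:", may_issue(rrset, ca, True))
```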