
CAA Records: a beginner's guide

Check which CAs can issue certificates

EdgeDNS Team · 8 min read

CAA records: the bouncer's clipboard for SSL certificates

A CAA record ("Certification Authority Authorization" record) is a DNS entry that tells the world's certificate authorities (CAs) which of them are allowed to issue SSL/TLS certificates for your domain. Without a CAA record, the rule is essentially "any CA in the world can issue a certificate for any domain, as long as the requester can prove control." A CAA record narrows that rule to "only these specific CAs can issue certificates for this domain; every other CA must refuse." Note where the check happens: the CA consults CAA at issuance time. Browsers do not look at CAA when they connect, and a certificate that already exists stays valid whatever your CAA record says. The CAA standard was first published in 2013 (RFC 6844) and became mandatory for all publicly trusted CAs to honor in September 2017 under the CA/Browser Forum Baseline Requirements, after a series of high-profile certificate-mis-issuance incidents convinced the industry that something stricter was needed.

You should care because without a CAA record, any certificate authority in the world can be tricked into issuing a valid TLS certificate for your domain to someone who is not you. This has actually happened, repeatedly, to high-value targets. Once an attacker has a valid certificate for your domain, they can mount man-in-the-middle attacks, host phishing sites under your name without browser warnings, and impersonate you in ways that ordinary users cannot detect. A CAA record is the cheapest defense against this category of attack: it costs nothing, it takes one DNS edit, and it shrinks the set of CAs that can be fooled into issuing for you from every CA in the world to the one or two you actually use. It is not a complete defense: a CA you have authorized can still be tricked, and an attacker who controls your DNS can rewrite the record itself. That is why CAA is paired with DNSSEC (so the record cannot be spoofed in transit) and with Certificate Transparency monitoring (so a certificate that slips through is at least noticed).

The four things every CAA record check looks at:

  • Does a CAA record exist? Most domains still don't have one. Adding one is the single biggest improvement in this area.

  • Which CAs are allowed? A typical entry might say `0 issue "letsencrypt.org"` (only Let's Encrypt may issue) or `0 issue "digicert.com"`. The value is the issuer domain name the CA publishes for CAA purposes, not the hostname of your certificate. You can list multiple CAs; any one of them is enough to authorize issuance.

  • Is wildcard issuance restricted separately? A `0 issuewild` directive controls who can issue wildcard certificates (`*.example.com`), separately from regular certificates. If no `issuewild` record exists, the `issue` records govern wildcards too; `0 issuewild ";"` forbids wildcard certificates from every CA.

  • Is there an `iodef` directive for incident reporting? This optional field tells CAs where to report attempted mis-issuance, either by email (a `mailto:` URL) or to a web endpoint (an `http(s):` URL), so you can find out when someone tries. Reporting is not mandatory for CAs, so treat it as a bonus rather than a guarantee.
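Putting the four pieces together, here is an added example of a complete record set in zone-file form. It is constructed for this guide rather than taken from a real zone; the mailbox, report URL and ACME account number are placeholders.

```zone
; Baseline policy for example.com: only Let's Encrypt and DigiCert may issue
; ordinary certificates. Either record alone is enough to authorize its CA.
example.com.   IN CAA 0 issue "letsencrypt.org"
example.com.   IN CAA 0 issue "digicert.com"

; No wildcard certificates from anyone. Without this line, the two issue
; records above would also authorize *.example.com.
example.com.   IN CAA 0 issuewild ";"

; Where CAs may report attempts that violate the policy: a mailbox and an
; IODEF web endpoint (both placeholders). CAs are not obliged to report.
example.com.   IN CAA 0 iodef "mailto:security@example.com"
example.com.   IN CAA 0 iodef "https://iodef.example.com/report"

; Tightened variant (RFC 8657 parameters), used INSTEAD of the plain
; letsencrypt.org line above: issuance is bound to one ACME account (the
; account number is a placeholder) and to the dns-01 validation method.
; A second, unrestricted letsencrypt.org record would undo the restriction.
example.com.   IN CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1234567890; validationmethods=dns-01"
```

A subdomain with its own CAA records (say `legacy.example.com.`) is governed by those records alone; the parent's policy is not merged in, so a stricter parent does not tighten a looser child.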

Three questions a CAA record check answers:

  • Have I locked down which certificate authorities can issue certificates for my domain?

  • If a CA were tricked into issuing a fraudulent certificate for me, would I find out?

  • Is the CA I actually use for my real certificates listed in my CAA record? (If not, my next issuance or renewal will be refused by the CA; ACME clients surface this as a CAA error.)

The cost of skipping CAA records is leaving the door open to a class of attack that is rare but devastating when it happens. The fix is one DNS edit. The defense ratio, minutes of work for a dramatic security improvement, is about as good as it gets in security operations. CAA records are defined in RFC 8659, which obsoletes the original RFC 6844.

The CAA Records endpoint, in plain language

In one sentence: Check which CAs can issue certificates

Retrieves CAA (Certification Authority Authorization) records that specify which certificate authorities are permitted to issue certificates for a domain. Supports the RFC 8659 tags issue, issuewild, and iodef, plus the RFC 8657 extension parameters accounturi and validationmethods, which bind issuance to a specific ACME account and validation method.

Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.

What is actually happening when you call it

Here's what's actually happening behind the scenes when you call this endpoint:

Queries CAA records and parses the issue, issuewild, and iodef tags. Identifies authorized CAs by matching against known issuer domains (Let's Encrypt, DigiCert, Sectigo, Amazon ACM, Google Trust Services, Cloudflare, and others). Reports wildcard certificate policies, missing iodef incident contacts, and recommends issuewild policies. Checks both the domain and its parent domains for inherited policies following the RFC 8659 tree-climbing rules: the first non-empty CAA set found while walking toward the root is the policy, and nothing above it is consulted.

If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.

Why this specific tool matters

Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the CAA Records tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.

Without CAA records, any CA can issue certificates for your domain. Publicly trusted CAs are required to check CAA before issuance (RFC 8659, made mandatory by the CA/Browser Forum Baseline Requirements). What happens when the lookup fails with SERVFAIL depends on DNSSEC: the Baseline Requirements let a CA treat a lookup failure as permission to issue only if the failure is outside the CA's own infrastructure, the lookup was retried, and the zone has no DNSSEC chain to the root. For a DNSSEC-signed zone, a SERVFAIL therefore blocks issuance outright, which is what makes CAA + DNSSEC (Domain Name System Security Extensions) a strong defense against unauthorized certificates and the man-in-the-middle attacks they enable.

Picture this in real life. Imagine a security engineer. Here's the situation they're walking into: Verify that CAA records restrict certificate issuance to your organization's approved CAs only. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the CAA Records tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.

Three questions this tool answers in plain English. If any of these have ever crossed your mind, the CAA Records tool is built for you:

  • Which certificate authorities are allowed to issue certificates for my domain right now, and is the CA I actually use one of them?

  • Does my domain have its own CAA policy, or is it inheriting one from a parent domain that someone else controls?

  • Can anyone issue a wildcard certificate for my domain, and would a CA have anywhere to report an attempt that violates my policy?

You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.

Who gets the most out of this. Security engineers locking down certificate issuance, ops engineers who own certificate renewals and ACME clients, IT admins inheriting a domain from a former employee (who may have authorized a CA nobody uses any more), and compliance teams collecting evidence. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.

What happens if you skip this entirely. Skip it and you never learn whether every CA in the world is still allowed to issue for your domain, or whether a record you set years ago will refuse the CA you switched to last month. A CAA mistake shows up either as a silent gap (unauthorized issuance nobody blocked) or as a loud outage (a renewal refused with a CAA error). Running this check after every CA change and as a recurring monthly health check is one of the cheapest forms of insurance you can give your domain.

Info:

Available on the free plan. The technical details: `GET /v1/dns/caa`.

When would I actually use this?

If you're still on the fence about whether the CAA Records tool belongs in your toolbox, this section is for you. Below you'll meet three real situations, two for a security engineer and one for a compliance officer, where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.

Story 1: Certificate Security Audit

Imagine you're a security engineer. Verify that CAA records restrict certificate issuance to your organization's approved CAs only.

Why it matters: Prevent unauthorized certificate issuance that could enable impersonation attacks.

Story 2: Compliance Verification

Imagine you're a compliance officer. Document CAA configuration as part of SOC 2 (Service Organization Control 2) or ISO 27001 (ISO/IEC 27001 information security management standard) evidence collection.

Why it matters: Demonstrate certificate issuance controls for compliance audits.

Story 3: Certificate Transparency Cross-Reference

Imagine you're a security engineer. Cross-reference CAA policy with Certificate Transparency logs to detect certificates issued by unauthorized CAs that violate your domain's authorization policy.

Why it matters: Detect policy violations and potential man-in-the-middle attacks from unauthorized certificate issuance.
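To make both the behind-the-scenes description above (tree-climbing lookup, tag parsing, issuer matching) and Story 3 concrete, here is an added example written for this guide. It is not EdgeDNS code and does not call the API; it runs the RFC 8659 lookup and issuance decision against a constructed in-memory zone, then cross-checks a constructed list of Certificate Transparency observations against that policy. The zone contents, the ACME account URI and the CT entries are all invented for the example.

```python
"""Added example (not EdgeDNS code): RFC 8659 CAA lookup, parsing and issuance
decision against a constructed zone, plus a CT-style cross-check of issuers."""
from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        # The high bit (0x80) of the flags octet is the issuer-critical flag.
        return bool(self.flags & 0x80)


def encode_caa_rdata(flags: int, tag: str, value: str) -> bytes:
    """Build CAA RDATA in wire format: flags octet, tag length octet, tag, value."""
    t = tag.encode("ascii")
    return bytes([flags, len(t)]) + t + value.encode("utf-8")


def parse_caa_rdata(rdata: bytes) -> CAARecord:
    """Decode CAA RDATA as a resolver hands it back; rejects truncated data."""
    if len(rdata) < 2 or rdata[1] == 0 or len(rdata) < 2 + rdata[1]:
        raise ValueError("malformed CAA RDATA")
    tag_len = rdata[1]
    tag = rdata[2:2 + tag_len].decode("ascii").lower()  # tags are case-insensitive
    return CAARecord(rdata[0], tag, rdata[2 + tag_len:].decode("utf-8"))


# Constructed zone (not live DNS): owner name -> list of CAA RDATA.
# The accounturi below is a placeholder, not a real ACME account.
ZONE = {
    "example.com.": [
        encode_caa_rdata(0, "issue", "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/0000000"),
        encode_caa_rdata(0, "issue", "digicert.com"),
        encode_caa_rdata(0, "issuewild", ";"),  # no wildcard certificates at all
        encode_caa_rdata(0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.com.": [encode_caa_rdata(0, "issue", "sectigo.com")],
    "frozen.example.com.": [encode_caa_rdata(0x80, "futureprop", "x")],  # critical, unknown tag
}


def relevant_caa_set(zone: dict, name: str):
    """RFC 8659 Section 3: climb from `name` toward the root; the first non-empty
    CAA RRset is the policy and nothing above it is consulted.
    Returns (owner name or None, parsed records)."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        owner = ".".join(labels) + "."
        if zone.get(owner):
            return owner, [parse_caa_rdata(r) for r in zone[owner]]
        labels = labels[1:]
    return None, []


def split_issuer(value: str):
    """'ca.example; k=v' -> ('ca.example', {'k': 'v'}); a bare ';' -> (None, {})."""
    parts = [p.strip() for p in value.split(";")]
    params = dict(p.partition("=")[::2] for p in parts[1:] if p)
    return (parts[0].lower() or None), {k.strip().lower(): v.strip() for k, v in params.items()}


def issuance_decision(zone: dict, name: str, ca_domain: str):
    """May `ca_domain` issue for `name`? A leading '*.' marks a wildcard request.
    Returns (allowed, reason, owner name of the policy that applied).
    RFC 8657 parameters such as accounturi are parsed but, as in a real CA,
    enforcing them is the CA's job and is not modelled here."""
    name = name.lower().rstrip(".")
    wildcard = name.startswith("*.")
    owner, rrset = relevant_caa_set(zone, name[2:] if wildcard else name)
    if not rrset:
        return True, "no CAA policy found: any CA may issue", owner
    # A critical property the CA does not understand forbids issuance outright.
    for r in rrset:
        if r.critical and r.tag not in KNOWN_TAGS:
            return False, f"unknown critical property '{r.tag}'", owner
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # issuewild governs wildcards only when present; otherwise issue covers both.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True, "no applicable issue/issuewild property: any CA may issue", owner
    for r in governing:
        issuer, _params = split_issuer(r.value)
        if issuer == ca_domain.lower():
            return True, f"authorized by {r.tag} '{r.value}'", owner
    return False, f"{ca_domain} is not in the {governing[0].tag} set at {owner}", owner


# Constructed CT observations: (certificate name, issuing CA as its CAA identifier).
# Real CT entries carry an issuer DN; mapping that DN to the CA's CAA domain is
# the operator's job and is assumed done here.
CT_OBSERVATIONS = [
    ("www.example.com", "letsencrypt.org"),
    ("*.example.com", "letsencrypt.org"),
    ("legacy.example.com", "digicert.com"),
    ("api.example.com", "globalsign.com"),
]


def caa_violations(zone: dict, observations):
    """Return every observed certificate whose issuer the CAA policy would have refused."""
    out = []
    for name, ca in observations:
        allowed, reason, _owner = issuance_decision(zone, name, ca)
        if not allowed:
            out.append((name, ca, reason))
    return out


if __name__ == "__main__":
    for v in caa_violations(ZONE, CT_OBSERVATIONS):
        print("VIOLATION", *v)
```

Three of the four constructed observations are violations: the wildcard is refused by `issuewild ";"`, `legacy.example.com` has its own policy that names only Sectigo, and GlobalSign is not in the `example.com` issue set. The first observation passes because any single matching `issue` record is sufficient. A violation found this way means a certificate exists that the policy should have prevented, which is exactly the signal to revoke and escalate.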

Common situations across teams. Beyond the three stories above, here are the everyday workplace moments when people across the company reach for the CAA Records tool, or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:

  • Right before switching certificate authorities or onboarding a new ACME client, to confirm the new CA is authorized before the first issuance attempt.

  • After adding or changing CAA records, to confirm the policy that CAs will actually see, including anything inherited from a parent domain.

  • When a certificate renewal fails with a CAA error, or Certificate Transparency shows a certificate from a CA you never authorized.

  • As a recurring monthly health check to catch silent drift, such as a CA that was authorized years ago and is no longer used.

If you can see yourself in even one of those bullets, the CAA Records tool will pay for itself the first time you use it.

Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the CAA Records tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.

The easiest way: just ask your AI assistant

If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:

"Use the CAA Records tool to check example.com and explain anything that looks wrong in plain language."

The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.

Tip:

MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.

The technical way: call it from code

If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.

bash
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
  "https://api.edgedns.dev/v1/dns/caa?domain=example.com"

What you need to provide

There's just one piece of information you need to provide. The table below explains exactly what it is and what a real value looks like.

| Field | Type | Required? | What it means | Example |
|---|---|---|---|---|
| `domain` | string | Yes | The domain to check CAA records for | `example.com` |

What you get back

When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.

| Field | Type | What you'll see in it |
|---|---|---|
| `domain` | string | The queried domain |
| `found` | boolean | Whether CAA records were found (at this domain or a parent) |
| `effective_domain` | string | The domain where CAA records were found (may differ from the queried domain because of RFC 8659 tree-climbing) |
| `is_inherited` | boolean | Whether the CAA policy is inherited from a parent domain |
| `records` | array | CAA records with flags, tag, value, issuer_domain, accounturi, validationmethods, and the issuer-critical flag (RFC 8659) |
| `allowed_issuers` | array | List of authorized certificate authorities |
| `has_iodef` | boolean | Whether iodef incident reporting is configured |
| `iodef_targets` | array | Incident reporting targets (`mailto:` or `http(s):` URLs) |
| `allows_wildcard` | boolean | Whether wildcard certificate issuance is permitted. False when `issuewild ";"` denies all wildcards (RFC 8659) |
| `recommendations` | array | Actionable recommendations for improving the CAA configuration |
| `servfail` | boolean | True when the CAA lookup returned DNS (Domain Name System) SERVFAIL; only present on SERVFAIL. Under the CA/Browser Forum Baseline Requirements a CA may treat the failure as permission to issue only if it is outside the CA's own infrastructure, was retried, and the zone has no DNSSEC chain to the root; for a DNSSEC-signed zone the CA must not issue |

Words you might be wondering about

If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.

DNSSEC (Domain Name System Security Extensions) — A way to digitally sign DNS records so attackers can't trick your computer into looking up the wrong server.

RFC (Request for Comments) — The official internet standards documents. When someone says 'RFC 8484' they mean a specific numbered standards document — in that case, the one defining DNS over HTTPS.

SOC 2 (Service Organization Control 2) — A widely used security audit. Proves to customers that you handle their data responsibly.

ISO 27001 (ISO/IEC 27001 information security management standard) — An international certification that shows your company has a documented, working security program.
