Only 1.56% of domains have CAA records. Without one, any certificate authority in the world is technically permitted to issue an SSL certificate for your domain — including compromised or rogue CAs.
What CAA records do
CAA (Certification Authority Authorisation) records are DNS entries that explicitly list which certificate authorities are allowed to issue certificates for your domain. When a CA receives a certificate request, they're required to check for CAA records first. If your domain specifies only Let's Encrypt, no other CA should issue for you.
This closes a specific attack vector: certificate misissuance. If an attacker can trick a CA into issuing a certificate for your domain, they can run a convincing HTTPS phishing site under your name.
What happens without it
- Any of 200+ certificate authorities can issue certificates for your domain without your knowledge
- Misissuance by a compromised CA is harder to detect and harder to revoke
- Enterprise security questionnaires are increasingly including CAA as a DNS security control
- CAA is a low-effort, high-signal control — its absence suggests DNS hygiene hasn't been reviewed
What fixing it involves
CAA is a DNS record added at your registrar or DNS provider. One record per authorised CA:
yourdomain.com. CAA 0 issue "letsencrypt.org"
If you use Let's Encrypt, specify letsencrypt.org. If you use DigiCert, specify digicert.com. Add one record per CA you actually use. Check which CA issued your current certificate — that's your starting point.
What your domain scores right now
Run the free DomainScores check to see your current CAA grade alongside 34 other security checks — instant, no signup.
Don't want to do this yourself? Domain Fix from €1,197 — we add CAA records and fix every other failing check. Grade B+ guaranteed, or your money back.