Severity: low (finding id: caa-missing)

CAA record missing

A CAA record is a public list of which certificate authorities are allowed to issue HTTPS certificates for your domain. Without it, any of the world's public certificate authorities could issue one in your name.

What this means in plain English

Every HTTPS certificate (the padlock next to the address in your browser) is issued by a certificate authority: an organisation that browsers trust to confirm that whoever receives a certificate really controls the domain. Browsers and operating systems ship with well over a hundred trusted root certificates, run by dozens of different organisations, and any one of those authorities can issue a certificate that every browser will accept.

Without a CAA record on your domain, any of those authorities may issue a certificate for your-domain.example to whoever passes its domain-control check (placing a file on the web server, adding a DNS record, or answering an email sent to an address at the domain). With a CAA record you publicly state “only these specific authorities may issue certificates for me”. Since 2017 the CA/Browser Forum Baseline Requirements have required every publicly trusted authority to check CAA immediately before issuing and to refuse if it is not on the list. Two limits are worth knowing: the check happens only at issuance time, so it does nothing about certificates that already exist, and it is the authority, not the browser, that enforces it, so a rogue or compromised authority is not stopped by it. Authorities are also permitted to proceed if the CAA lookup keeps failing and your zone is not signed with DNSSEC, which is one more reason to sign it.

Why it matters to your business

The risk this reduces is one of the more dramatic ones in infrastructure security: a real HTTPS certificate for your domain, issued to someone who isn’t you. With such a certificate, an attacker positioned between your users and your site (a hostile Wi‑Fi network, a hijacked DNS answer, a compromised link at a provider) can serve a perfect HTTPS impersonation of your website, same domain in the address bar, same padlock, and capture login credentials, payment details, or customer correspondence. Because major browsers only accept certificates that have been logged to Certificate Transparency, such a certificate is discoverable after the fact, but only if someone is actually watching the logs for your domain.

This kind of attack is rare but high-impact when it happens. It tends to follow a brief breach of one of your control surfaces: a hijacked DNS account, a weak password on a hosting panel, a compromised email inbox. The attacker uses the short window of access to pass an authority’s validation, gets a genuine certificate, and can keep using it for its whole validity period (up to 398 days for a publicly trusted certificate) long after you’ve fixed the original break-in. One caveat: an attacker who controls your DNS account can edit the CAA record too, so CAA is strongest against the hosting-panel and email-inbox cases. Protecting the DNS account itself (multi-factor login, registrar lock) is the complementary control.

A CAA record is a one-line static defence. The cost is essentially zero, and the risk it reduces is real.

How to fix it

The standard pattern: work out which certificate authorities you actually use, then publish a short list in your DNS that names just those. Many hosting platforms default to Let’s Encrypt, but also count any certificates obtained on your behalf by a CDN, load balancer or hosting provider; an authority you forget to list will be refused at the next renewal, which is the usual way a CAA record breaks a site. Each authority documents the exact identifier to put in the record (Let’s Encrypt’s is letsencrypt.org).

A typical record published in the DNS settings for your domain:

your-domain.example.  CAA  0 issue "letsencrypt.org"
your-domain.example.  CAA  0 issuewild "letsencrypt.org"
your-domain.example.  CAA  0 iodef "mailto:security@your-domain.example"

The first two lines authorise Let’s Encrypt to issue certificates (issue for normal certificates, issuewild for wildcard ones such as *.your-domain.example). If you don’t use wildcard certificates, replace letsencrypt.org in the second line with ";" so that wildcard issuance is explicitly forbidden; if you leave the issuewild line out entirely, the issue line governs wildcards as well.

The third line is a reporting address. An authority that supports it may send a report there when it refuses a request because of your CAA policy. Support for iodef is optional and uneven across authorities, so treat these reports as a bonus, not a guarantee; watching Certificate Transparency logs for your domain is the reliable way to notice unexpected issuance.

A nice property of CAA: it’s inherited downward. An authority looks for a CAA record on the exact name being requested and, finding none, walks up one label at a time (the parent, the grandparent, and so on) and uses the first set of records it finds. A record on your main domain therefore covers shop.your-domain.example, api.your-domain.example, and any other subdomain, so you only need to set it once at the top level. Two details matter in practice: a subdomain that publishes its own CAA records replaces, rather than adds to, the parent’s policy for itself and everything below it, and CNAMEs are followed during the lookup, so a subdomain pointed at a hosting provider may pick up whatever CAA record the provider publishes on the target name.
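The following is an added example, not code from this page, from any certificate authority, or from any DNS library. It evaluates a CAA policy the way an issuing authority must under RFC 8659: walk from the requested name towards the root to find the relevant record set, let issuewild govern wildcard requests when present, treat ";" as “nobody”, and refuse if a critical flag is set on a tag the issuer does not understand. The zone text is constructed: it contains the three records shown above plus a hypothetical legacy.your-domain.example override, so the inheritance and override behaviour can be exercised offline without a real DNS lookup.

```python
"""Evaluate a CAA policy the way an issuing CA must (RFC 8659), offline.

Added example for this page; not code from the page, from any CA or from
any DNS library. The zone below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (128) = issuer-critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "letsencrypt.org", ";" (nobody), "mailto:..."


CRITICAL = 128
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone. The apex lines are the three records from the page;
# legacy.* is a hypothetical subdomain that overrides them: a different CA,
# a validation-method parameter, and wildcards forbidden outright.
ZONE_TEXT = """
your-domain.example.         CAA 0 issue "letsencrypt.org"
your-domain.example.         CAA 0 issuewild "letsencrypt.org"
your-domain.example.         CAA 0 iodef "mailto:security@your-domain.example"
legacy.your-domain.example.  CAA 0 issue "digicert.com; validationmethods=dns-01"
legacy.your-domain.example.  CAA 0 issuewild ";"
"""


def parse_zone(text):
    """Parse zone-file style CAA lines into {owner: [CAA, ...]}.
    Tolerates optional TTL / class columns before the CAA type."""
    zone = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith(";"):
            continue
        i = [t.upper() for t in tokens].index("CAA")
        owner = tokens[0].rstrip(".").lower()
        flags, tag = int(tokens[i + 1]), tokens[i + 2].lower()
        value = " ".join(tokens[i + 3:]).strip('"')
        zone.setdefault(owner, []).append(CAA(flags, tag, value))
    return zone


def relevant_rrset(name, zone):
    """RFC 8659 s3: the relevant RRset is the first non-empty CAA RRset found
    walking from the name towards the root. (CNAME following, which a real
    resolver also does, is omitted: this operates on a static zone.)"""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_domain(value):
    """'digicert.com; validationmethods=dns-01' -> 'digicert.com';
    ';' -> '' (an empty issuer domain means nobody may issue)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca, name, zone):
    """Would the CA identified by `ca` be allowed to issue for `name`?
    A leading '*.' marks a wildcard request (RFC 8659 s4.2 / s4.3)."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name, zone)
    if not rrset:
        return True                       # no CAA anywhere: unrestricted
    # A critical flag on a tag the issuer does not understand forbids issuance.
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # issuewild governs wildcard requests whenever present; issue governs
    # everything else (and wildcards too when no issuewild exists).
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True                       # only iodef/unknown tags: unrestricted
    return ca.lower() in {issuer_domain(r.value) for r in governing}


ZONE = parse_zone(ZONE_TEXT)

if __name__ == "__main__":
    for ca, name in [("letsencrypt.org", "shop.your-domain.example"),
                     ("digicert.com", "shop.your-domain.example"),
                     ("letsencrypt.org", "*.your-domain.example"),
                     ("digicert.com", "legacy.your-domain.example"),
                     ("digicert.com", "*.legacy.your-domain.example")]:
        verdict = "ISSUE" if may_issue(ca, name, ZONE) else "REFUSE"
        print(f"{ca:16} {name:30} -> {verdict}")
```

Running it shows shop.your-domain.example inheriting the apex policy (Let’s Encrypt allowed, DigiCert refused), the wildcard request being decided by the issuewild line, and the legacy subdomain’s own records replacing the parent’s entirely, including the ";" that forbids wildcards below it.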

After publishing, confirm the records are visible from the public internet with a DNS lookup for the CAA record type (for example with dig or an online CAA checker such as the free one linked below), and then make sure your next certificate renewal still succeeds.

Further reading