The padlock icon in a browser address bar is supposed to tell visitors they are on the genuine, secure version of a website. But that padlock can be obtained for your domain by someone who does not own it — unless you have a CAA record in place to prevent it.
How SSL Certificates Are Issued
When a business wants an SSL certificate for their domain, they apply to a Certificate Authority (CA) — a trusted organisation that verifies domain ownership and issues certificates. Well-known CAs include Let’s Encrypt, DigiCert, Sectigo, Comodo, and many others.
There are hundreds of CAs recognised by web browsers. Any one of them can, in principle, issue an SSL certificate for your domain.
The verification process is supposed to prevent fraudulent issuance: before issuing a certificate, the CA confirms that the applicant controls the domain, usually via DNS validation or by placing a specific file on the web server. But these validation methods have been abused — and the sheer number of CAs means there are many points of potential failure.
When Certificate Issuance Goes Wrong
CA compromise. In 2011, two major CAs — Comodo and DigiNotar — were compromised by attackers who fraudulently issued hundreds of SSL certificates for domains including google.com, microsoft.com, and government sites. The DigiNotar breach was particularly serious: attackers used forged certificates in man-in-the-middle attacks that reportedly affected hundreds of thousands of Iranian internet users whose traffic was being intercepted. DigiNotar ultimately went bankrupt as a result.
Misissued certificates. In 2017, Symantec was found to have misissued large numbers of certificates due to policy failures. Browsers ultimately distrusted Symantec’s CA entirely, affecting thousands of websites that held valid Symantec certificates.
These incidents exposed a fundamental weakness: if any CA in the browser’s trusted list issues fraudulent certificates for your domain, your visitors can be served a convincing fake site with a valid padlock — and have no obvious way of knowing.
What Is a CAA Record?
A CAA (Certification Authority Authorisation) record is a DNS entry that specifies which CAs are permitted to issue SSL certificates for your domain.
For example, if you use Let’s Encrypt, you can add a CAA record saying: “Only Let’s Encrypt is allowed to issue certificates for yourcompany.co.uk.” Any attempt by another CA to issue a certificate for your domain will — if the CA follows the rules — be rejected.
A CAA record looks like this in DNS:
yourcompany.co.uk. IN CAA 0 issue "letsencrypt.org"
To also protect subdomains:
yourcompany.co.uk. IN CAA 0 issuewild "letsencrypt.org"
To specify who should be notified if an unauthorised issuance is attempted:
yourcompany.co.uk. IN CAA 0 iodef "mailto:[email protected]"
Since September 2017, checking CAA records has been mandatory for all publicly trusted CAs under the CA/Browser Forum Baseline Requirements. All major CAs comply.
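To make the check concrete, here is an added example (not code from the article or from any CA) of the authorisation decision a CA makes before issuing, following RFC 8659: it climbs the DNS tree from the requested name to find the relevant CAA record set, then applies the issue, issuewild and iodef tags. It runs against a constructed in-memory zone; every name, tag value and contact address in it is hypothetical sample data.

```python
# Added example (not from the article or any CA's code): the authorisation
# check a CA performs before issuing, per RFC 8659, run against a constructed
# in-memory zone. Every name, tag and value below is hypothetical sample data.
from typing import Dict, List, Optional, Tuple

# Constructed zone: CAA RRsets (flags, tag, value) keyed by absolute owner name.
ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    "yourcompany.co.uk.": [(0, "issue", "letsencrypt.org"),
                           (0, "issuewild", "digicert.com"),
                           (0, "iodef", "mailto:security@yourcompany.co.uk")],
    "locked.example.": [(0, "issue", ";")],        # empty issuer: nobody may issue
    "strict.example.": [(128, "futuretag", "x")],  # critical bit on an unknown tag
    "notify.example.": [(0, "iodef", "mailto:soc@notify.example")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_caa(name: str) -> Tuple[Optional[str], List[Tuple[int, str, str]]]:
    """RFC 8659 s3: start at the FQDN and climb towards the root; return the
    first CAA RRset found and its owner name, or (None, []) if there is none."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if owner in ZONE:
            return owner, ZONE[owner]
    return None, []

def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'."""
    return value.split(";", 1)[0].strip().lower()

def ca_may_issue(fqdn: str, ca_domain: str) -> bool:
    """May `ca_domain` issue for `fqdn`? A leading '*.' marks a wildcard request."""
    is_wild = fqdn.startswith("*.")
    _, rrset = relevant_caa(fqdn[2:] if is_wild else fqdn)
    if not rrset:
        return True   # no CAA record anywhere up the tree: issuance unrestricted
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False  # a critical tag the CA does not understand forbids issuance
    tags = [t for _, t, _ in rrset]
    # RFC 8659 s4.3: issuewild governs wildcards when present, else issue does
    governing = "issuewild" if is_wild and "issuewild" in tags else "issue"
    allowed = [issuer_domain(v) for _, t, v in rrset if t == governing]
    if not allowed:
        return True   # RRset has no governing tag (e.g. only iodef): not restricted
    return ca_domain.lower() in allowed

def iodef_contacts(fqdn: str) -> List[str]:
    """Where a CA should report a refused request, from the iodef tag."""
    _, rrset = relevant_caa(fqdn)
    return [v for _, t, v in rrset if t == "iodef"]
```

Note that a record set containing only an iodef tag does not restrict issuance on its own; it is the issue and issuewild tags that do the restricting.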
Important Caveats
CAA records are not a guarantee. They do not prevent a compromised CA from ignoring the rules, and they cannot stop a fraudulent certificate issued before your CAA record was added.
For stronger protection, Certificate Transparency (CT) logs — public records of all issued certificates — should also be monitored. Services like crt.sh allow you to search for all certificates ever issued for your domain. Monitoring for unexpected certificates is an additional layer of protection beyond CAA records alone.
What to Do Next
- Find out which CA issues your current certificate. Click the padlock in your browser on your website to see the issuing CA.
- Add a CAA record to your DNS specifying only your approved CA. This is done through your domain registrar or DNS provider — the same interface where you manage SPF or MX records.
- Include all legitimate CAs you use. If you use Let’s Encrypt for your website but DigiCert for email certificates, include both.
- Set up certificate monitoring. Use crt.sh or a monitoring service to receive alerts if new certificates are issued for your domain. Unexpected certificates are a potential sign of fraudulent issuance.
- Pair with DNSSEC. DNSSEC protects the DNS layer that CAA records depend on — together they provide stronger protection against fraudulent certificate issuance.
CAA records are a small DNS addition that costs nothing and takes five minutes to set up. They are a meaningful layer of protection for your domain’s certificate infrastructure.
W3IT’s free security check tests whether your domain has a CAA record as part of a complete DNS security review. Run it now to see whether your certificate issuance is properly restricted.