Free certificate security tool

CAA Record Checker

Look up any domain's CAA records and see exactly which certificate authorities are allowed to issue certificates — including wildcard rules and incident reporting.

What is a CAA record?

A CAA (Certification Authority Authorization) record lists which certificate authorities are allowed to issue SSL/TLS certificates for your domain. When a CA receives a request, it checks your CAA record first — if its own name is not listed, it refuses to issue. This stops an untrusted or compromised CA from minting certificates for your domain.

Each record has three parts: a flags byte, a property tag and a value. The common tags are issue (which CAs may issue certificates), issuewild (which may issue wildcard certificates) and iodef (where to report policy violations). CAs also climb the DNS tree, so a record on the parent domain applies to subdomains that have none of their own.
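The record layout and tree-climbing described above can be followed in a short Python sketch. This is an added example, not code from this tool: it decodes the CAA wire format and applies the RFC 8659 issuance rules to a constructed zone, and the helper names, the zone contents and the CAs ca-one.example and ca-two.example are all hypothetical.

```python
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def rr(flags, tag, value):
    """Build CAA RDATA for the constructed sample zone below."""
    return bytes([flags, len(tag)]) + tag.encode() + value.encode()

def parse_caa(rdata):
    """Decode CAA RDATA: flags byte, tag-length byte, tag, then value."""
    if len(rdata) < 2 or rdata[1] == 0 or len(rdata) < 2 + rdata[1]:
        raise ValueError("malformed CAA RDATA")
    flags, tag_len = rdata[0], rdata[1]
    tag = rdata[2:2 + tag_len].decode("ascii").lower()
    return flags, tag, rdata[2 + tag_len:].decode("ascii")

def relevant_rrset(zone, name):
    """Climb from the name towards the root; the first CAA RRset found wins."""
    labels = name.rstrip(".").lower().split(".")
    if labels[0] == "*":              # a wildcard request starts at its parent
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return [parse_caa(r) for r in rrset]
    return []

def may_issue(zone, name, ca_domain):
    """Apply the RFC 8659 decision a CA makes before issuing for name."""
    records = relevant_rrset(zone, name)
    # Critical bit (128) on a tag the CA does not understand: refuse.
    if any(f & 0x80 and t not in KNOWN_TAGS for f, t, _ in records):
        return False
    wanted = "issue"
    if name.startswith("*.") and any(t == "issuewild" for _, t, _ in records):
        wanted = "issuewild"          # issuewild overrides issue for wildcards
    values = [v for _, t, v in records if t == wanted]
    if not values:                    # e.g. iodef only: issuance is unrestricted
        return True
    issuers = {v.split(";", 1)[0].strip().lower() for v in values}
    return ca_domain.lower() in issuers

# Constructed sample data; ca-one.example and ca-two.example are hypothetical CAs.
ZONE = {
    "example.com": [rr(0, "issue", "ca-one.example"),
                    rr(0, "issuewild", ";"),
                    rr(0, "iodef", "mailto:security@example.com")],
    "locked.example.com": [rr(128, "futuretag", "x")],
}
```

In the sample zone, www.example.com inherits the parent's policy, the issuewild value ";" blocks every wildcard request, and a domain with no CAA records anywhere in its tree places no restriction on any CA.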