Defaults.Exposed › Glossary › CAA record

CAA record

Also known as: Certification Authority Authorization

A short rule that names which companies are allowed to issue the security certificate for your website — blocking anyone else from issuing one in your name.

What it is

The padlock in a browser comes from a “security certificate” issued for your domain by a trusted certificate company. By default, hundreds of these companies worldwide are technically allowed to issue a certificate for your domain. A CAA record is a short note attached to your domain that says, in effect, “only these named companies may issue certificates for us — ignore requests from anyone else.”

Why it matters to your business

If any certificate company can issue a padlock for your domain, then a mistake or a trick at any one of them can hand an attacker a genuine-looking certificate for your site. With that, they can run a convincing fake of your website that browsers still show as “secure.” A CAA record shrinks that risk down to the one or two companies you actually use, so a slip-up anywhere else can’t be turned against you.

How to tell / what to do

The free check shows whether you have a CAA record and which certificate companies it permits. If it’s missing, our CAA fix guide explains how to add one that lists your current certificate provider. It’s a small text entry at your domain provider, costs nothing, and is invisible to your visitors.

Want to fix this on your own domain? See the free guide →