How to set up a CAA record on Cloudflare
Add a CAA record in Cloudflare to control which certificate authorities are allowed to issue SSL certificates for your domain.
Why this matters to your business
A CAA (Certification Authority Authorization) record names which certificate authorities (the companies that issue the SSL/TLS certificates behind the padlock in a browser) are allowed to issue a certificate for your domain. Every publicly trusted certificate authority is required to look up this record before issuing and to refuse the request if it is not on the list.
In plain terms: without a CAA record, any of the hundreds of certificate authorities worldwide could be tricked, or simply make a mistake, and hand someone a valid certificate for your domain, which an attacker could then use to impersonate your website convincingly. A CAA record narrows that to the authorities you name and nobody else. It is free and takes a few minutes. Two limits worth knowing: CAA is checked only when a certificate is issued or renewed, so it does not affect certificates that already exist, and it does not protect you from an attacker who already controls your DNS, since they can simply change the record.
Confirm Cloudflare runs your DNS
This only works if Cloudflare is answering DNS for your domain. A CAA record you add in the Cloudflare dashboard is only published if your domain's nameservers point to the Cloudflare nameservers shown there. Open your domain in Cloudflare and check the Overview page to confirm the zone is active. If your nameservers point elsewhere, add the CAA record at whichever provider actually runs your DNS instead.
Know your certificate authority first
Before you add anything, find out which authority issues your certificate, or you risk locking out your own provider. Common values:
- letsencrypt.org (Let's Encrypt, used by most free and automated certificates)
- digicert.com (DigiCert)
- sectigo.com (Sectigo)
- globalsign.com (GlobalSign)
- pki.goog (Google Trust Services)
- amazon.com (Amazon, AWS Certificate Manager)
A Cloudflare note: if you use Cloudflare's own SSL (the proxied orange-cloud setup, which Cloudflare calls Universal SSL), Cloudflare obtains edge certificates for you from several authorities, and the set it uses changes over time. Any CAA record you add must still allow those authorities, or you can leave CAA to Cloudflare: Cloudflare's documentation lists the authorities it currently issues through and describes how it adds the matching CAA records alongside yours, so check that page rather than relying on a fixed list. If you are unsure which authority issues your own certificate, ask whoever set up your hosting, or check the certificate in your browser (click the padlock, then view the certificate's issuer).
Step-by-step on Cloudflare
- Sign in to Cloudflare and select your domain.
- In the left-hand menu, go to your DNS settings (look for DNS / Records).
- Click Add record.
- Set Type to CAA.
- In the Name field, enter @. The @ means the root of your domain. Cloudflare appends the domain for you, so do not type your domain name after it.
- Cloudflare shows the CAA fields as friendly menus. Set them as follows:
  - Flags: 0
  - Tag: choose Only allow specific hostnames (this is the issue tag)
  - CA domain name (the value): letsencrypt.org, or whichever authority you identified in the previous section
- Leave TTL on Auto.
- Click Save.
Allowing more than one certificate authority
Most domains use more than one authority over time — for example, a free certificate today and a paid one later, or a different one for a separate service. To allow several, add a separate CAA record for each one. They all use the same @ name, 0 flags, and issue tag — only the CA domain value changes:
- one record with value letsencrypt.org
- one record with value digicert.com
Together those say both of these authorities are allowed, no others. Do not try to put two values in a single record: a CAA value holds exactly one authority, and each record is a separate entry in the allow-list.
Cloudflare quirks people get wrong
- The biggest mistake is locking out your own authority. If you add a CAA record listing only digicert.com but your certificate actually renews through Let's Encrypt, the next renewal will fail (the renewal client logs a CAA error, but nobody may be reading that log) and your padlock can break weeks later when the old certificate expires. Always include every authority you genuinely use before you save.
- Watch out for Cloudflare's own SSL. If your traffic runs through Cloudflare (orange cloud), Cloudflare needs to be able to obtain edge certificates. Adding a CAA record that excludes the authorities Cloudflare uses can break that. When in doubt, allow Let's Encrypt and Google Trust Services (pki.goog) alongside your own, or leave CAA to Cloudflare.
- Name is @, not your domain. Use @ for the root; Cloudflare adds the domain itself.
- Tag wording differs. Cloudflare labels the issue tag as Only allow specific hostnames in its menu. That is the right choice for normal use. The other tags are issuewild, which governs wildcard certificates only and overrides issue for those, and iodef, which tells authorities where to report a refused request; you do not need either for a basic setup.
- Flags is 0 for a normal record. The other value, 128, sets the issuer-critical bit: it tells an authority that does not understand the tag to refuse issuance instead of ignoring the record. For the standard issue tag it changes nothing, so leave it at 0 unless you know why you need it.
- Use the bare domain, not a URL. The value is letsencrypt.org, never https://letsencrypt.org and never www.letsencrypt.org.
- No proxy on a CAA record. CAA is a pure DNS record: there is no orange/grey cloud toggle to worry about here.
- Give it time. DNS changes can take a few minutes up to a couple of hours to take effect. Existing certificates keep working; CAA is only checked when a new one is issued or renewed.
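To make the allow-list rules from the "Allowing more than one certificate authority" section and the lock-out mistake above concrete, here is an added example, written for this page and not code from Cloudflare or from the Defaults.Exposed checker, that simulates the check a certificate authority performs before issuing, following RFC 8659: look for a CAA record set at the requested name, climb one label at a time toward the root until one is found, then apply its issue records (or issuewild records for a wildcard name). The zone data, the domain names and the function names are constructed for illustration and nothing here queries real DNS.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    """One CAA record as it appears in a DNS answer."""
    flags: int   # 0 normally; 128 sets the issuer-critical bit
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # CA domain such as "letsencrypt.org"; ";" means no CA at all


# Constructed zone data for the example: CAA record sets keyed by DNS name,
# as they would come back from a CAA query. Names absent here have no CAA set.
# None of these are real zones.
ZONES = {
    "example.com": [CAA(0, "issue", "letsencrypt.org"),
                    CAA(0, "issue", "digicert.com")],      # two separate records
    "locked.example": [CAA(0, "issue", "digicert.com")],   # forgot Let's Encrypt
    "nobody.example": [CAA(0, "issue", ";")],              # nobody may issue
    "wild.example": [CAA(0, "issue", "letsencrypt.org"),
                     CAA(0, "issuewild", "digicert.com")], # wildcards handled separately
}

UNDERSTOOD_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(name, zones=ZONES):
    """RFC 8659 section 3: use the CAA set at the name itself if there is one,
    otherwise climb one label at a time toward the root; the first set found wins.
    Returns (owner_name, records), or (None, []) when no ancestor has CAA."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = zones.get(candidate)
        if rrset:
            return candidate, rrset
    return None, []


def issuer_domain(value):
    """Strip optional ';key=value' parameters; ';' alone yields '' (no issuer)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca, name, zones=ZONES):
    """Decide whether certificate authority `ca` may issue for `name`
    (use a leading '*.' for a wildcard certificate). Returns (allowed, reason)."""
    wildcard = name.startswith("*.")
    owner, rrset = relevant_rrset(name[2:] if wildcard else name, zones)
    if not rrset:
        return True, "no CAA record at the name or any parent: any CA may issue"

    # A critical record whose tag the CA does not understand blocks issuance.
    for rec in rrset:
        if rec.flags & 128 and rec.tag.lower() not in UNDERSTOOD_TAGS:
            return False, f"critical tag {rec.tag!r} at {owner} is not understood"

    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # For wildcard requests issuewild takes precedence when present; for
    # ordinary names issuewild is ignored and only issue records count.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True, f"CAA set at {owner} has no applicable issue records: any CA may issue"

    allowed = {issuer_domain(r.value) for r in governing} - {""}
    if ca.lower() in allowed:
        return True, f"{ca} is listed at {owner}"
    return False, f"{ca} is not among {sorted(allowed) or 'an empty list'} at {owner}"


def demo():
    """Run the scenarios from the guide; returns {scenario: (allowed, reason)}."""
    cases = [
        ("letsencrypt.org", "example.com"),      # listed -> allowed
        ("digicert.com", "www.example.com"),     # inherits the parent's records
        ("sectigo.com", "example.com"),          # not listed -> refused
        ("letsencrypt.org", "locked.example"),   # the renewal that breaks
        ("letsencrypt.org", "unset.example"),    # no CAA anywhere -> allowed
        ("digicert.com", "nobody.example"),      # ';' -> nobody may issue
        ("digicert.com", "*.wild.example"),      # issuewild governs wildcards
        ("letsencrypt.org", "*.wild.example"),   # issue does not apply to wildcards here
        ("digicert.com", "wild.example"),        # issuewild ignored for plain names
    ]
    return {f"{ca} for {name}": may_issue(ca, name) for ca, name in cases}


if __name__ == "__main__":
    for scenario, (ok, why) in demo().items():
        print(f"{'ALLOW ' if ok else 'REFUSE'} {scenario}: {why}")
```

Running it shows that example.com, with two separate issue records, admits both Let's Encrypt and DigiCert and nothing else; that www.example.com inherits its parent's records without any record of its own; and that locked.example, which lists only digicert.com, refuses a Let's Encrypt renewal, which is exactly the lock-out described above. To see what a real authority sees for your own domain, query the record directly with dig +short CAA yourdomain.example and expect one line per record, such as 0 issue "letsencrypt.org"; an empty answer means the record has not propagated yet or was created at a provider that is not serving your DNS.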
Verify it worked
Once saved and propagated, run the free check on this site. It will tell you in plain language whether your CAA record is in place and which authorities you’ve allowed.
Done? Check your domain free to confirm it worked — and see your full grade across all 34 checks.