Defaults.Exposed › Setup › CAA

How to set up a CAA record on GoDaddy

Add a CAA record in GoDaddy to control which certificate authorities are allowed to issue SSL certificates for your domain.

Why this matters to your business

A CAA record names which certificate authorities (the companies that issue the SSL/TLS certificates behind the padlock in a browser) are allowed to issue a certificate for your domain. Any authority that follows the rules must check this record first and refuse the request if it isn’t on the list.

In plain terms: without a CAA record, any of hundreds of certificate authorities worldwide could be tricked or make a mistake and hand someone a valid certificate for your domain — which an attacker could use to impersonate your website convincingly. A CAA record shuts that door by saying only these authorities, nobody else. It’s free and takes a few minutes.

Confirm GoDaddy runs your DNS

This only works if GoDaddy is answering DNS for your domain. GoDaddy sells domains and also hosts DNS, but the two are separate — your domain’s nameservers must point at GoDaddy for records you add here to be live. Sign in, open your domain, and check that the nameservers are GoDaddy’s own. If they point somewhere else, add the CAA record at whichever provider runs your DNS instead.

Know your certificate authority first

Before you add anything, find out which authority issues your certificate, or you risk locking out your own provider. Common values:

• letsencrypt.org — Let’s Encrypt (used by most free and automated certificates)
• digicert.com — DigiCert
• sectigo.com — Sectigo
• globalsign.com — GlobalSign
• pki.goog — Google Trust Services
• amazon.com — Amazon (AWS Certificate Manager)

If you’re not sure, ask whoever set up your hosting, or check the certificate in your browser (click the padlock, then view the certificate’s issuer).

Step-by-step on GoDaddy

1. Sign in to GoDaddy and open the Domain Portfolio (or My Products).
2. Find your domain and open its DNS management page (look for DNS or Manage DNS).
3. Under the records list, click Add (or Add New Record).
4. Set Type to CAA.
5. In the Name (or Host) field, enter: @ The @ means the root of your domain. Do not type your domain name in here.
6. Set Flags to: 0
7. Set Tag to: issue
8. In the Value field, enter your certificate authority’s identifier, for example: letsencrypt.org
9. Leave TTL on the default (1 hour is fine).
10. Click Save.

Allowing more than one certificate authority

Most domains use more than one authority over time — for example, a free certificate today and a paid one later, or a different one for a separate service. To allow several, add a separate CAA record for each one. They all use the same @ name, 0 flags, and issue tag — only the value changes:

• one record with value letsencrypt.org
• one record with value digicert.com

Together those say both of these authorities are allowed, no others. You do not combine them into a single record.

GoDaddy quirks people get wrong

• The biggest mistake is locking out your own authority. If you add a CAA record listing only digicert.com but your certificate actually renews through Let’s Encrypt, the next renewal will silently fail and your padlock can break weeks later. Always include every authority you genuinely use before you save.
• Name is @, not your domain. Typing your full domain name in the Name field creates the record in the wrong place. Use @ for the root.
• Flags is 0 for a normal record. The other value, 128, is a strict mode that makes a non-compliant authority refuse outright — only use it deliberately. For ordinary use, 0.
• Use the bare domain, not a URL. The value is letsencrypt.org, never https://letsencrypt.org and never www..
• Don’t add your own quotes. Enter the plain value; GoDaddy handles any quoting itself.
• Give it time. DNS changes can take a few minutes up to a couple of hours to take effect. Existing certificates keep working; CAA is only checked when a new one is issued or renewed.

Verify it worked

Once saved and propagated, run the free check on this site. It will tell you in plain language whether your CAA record is in place and which authorities you’ve allowed.

Done? Check your domain free to confirm it worked — and see your full grade across all 34 checks.