Defaults.Exposed › Setup › CAA

How to set up a CAA record on Namecheap

Add a CAA record in Namecheap to control which certificate authorities are allowed to issue SSL certificates for your domain.

Why this matters to your business

A CAA record names which certificate authorities (the companies that issue the SSL/TLS certificates behind the padlock in a browser) are allowed to issue a certificate for your domain. Any authority that follows the rules must check this record first and refuse the request if it isn’t on the list.

In plain terms: without a CAA record, any of hundreds of certificate authorities worldwide could be tricked or make a mistake and hand someone a valid certificate for your domain — which an attacker could use to impersonate your website convincingly. A CAA record shuts that door by saying only these authorities, nobody else. It’s free and takes a few minutes.

Confirm Namecheap runs your DNS

This only works if Namecheap is answering DNS for your domain. The records below go in Advanced DNS, which is only live when your domain uses Namecheap BasicDNS (or PremiumDNS). Sign in, open Domain List, click Manage on your domain, and check that the nameservers are set to Namecheap. If your nameservers point elsewhere, add the CAA record at whichever provider runs your DNS instead.

Know your certificate authority first

Before you add anything, find out which authority issues your certificate, or you risk locking out your own provider. Common values:

• letsencrypt.org — Let’s Encrypt (used by most free and automated certificates)
• digicert.com — DigiCert
• sectigo.com — Sectigo
• globalsign.com — GlobalSign
• pki.goog — Google Trust Services
• amazon.com — Amazon (AWS Certificate Manager)

If you’re not sure, ask whoever set up your hosting, or check the certificate in your browser (click the padlock, then view the certificate’s issuer).

Step-by-step on Namecheap

1. Sign in to Namecheap and open Domain List.
2. Click Manage next to your domain.
3. Open the Advanced DNS tab.
4. Under Host Records, click Add New Record.
5. Set the record Type to CAA Record.
6. In the Host field, enter: @ The @ means the root of your domain. Do not type your domain name here.
7. In the Flag field, enter: 0
8. In the Tag field, choose: issue
9. In the Value (CA domain) field, enter your certificate authority’s identifier, for example: letsencrypt.org
10. Leave TTL on Automatic.
11. Click the green tick to save, then Save All Changes if prompted.

Allowing more than one certificate authority

Most domains use more than one authority over time — for example, a free certificate today and a paid one later, or a different one for a separate service. To allow several, add a separate CAA record for each one. They all use the same @ host, 0 flag, and issue tag — only the value changes:

• one record with value letsencrypt.org
• one record with value digicert.com

Together those say both of these authorities are allowed, no others. You do not combine them into a single record.

Namecheap quirks people get wrong

• The biggest mistake is locking out your own authority. If you add a CAA record listing only digicert.com but your certificate actually renews through Let’s Encrypt, the next renewal will silently fail and your padlock can break weeks later. Always include every authority you genuinely use before you save.
• Host is @, not your domain. Typing your full domain name in the Host field creates the record in the wrong place. Use @ for the root.
• Flag is 0 for a normal record. The other value, 128, is a strict mode that makes a non-compliant authority refuse outright — only use it deliberately. For ordinary use, 0.
• Use the bare domain, not a URL. The value is letsencrypt.org, never https://letsencrypt.org and never www..
• Pick the CAA type, not TXT. Namecheap has a dedicated CAA Record type — use it rather than trying to hand-write a CAA into a TXT record.
• Give it time. DNS changes can take a few minutes up to a couple of hours to take effect. Existing certificates keep working; CAA is only checked when a new one is issued or renewed.

Verify it worked

Once saved and propagated, run the free check on this site. It will tell you in plain language whether your CAA record is in place and which authorities you’ve allowed.

Done? Check your domain free to confirm it worked — and see your full grade across all 34 checks.