CAA Monitor
CAA records tell certificate authorities which CAs you actually trust to issue for your domain. The record is only useful if the CAs respect it — and they do, but only at issuance time. This check looks at the certificates already in our database (sourced from Certificate Transparency logs) and confirms each one was issued by a CA the policy permits. If you'd like a deeper dive on the record format itself, see our CAA records explainer.
What we check
We do a live DNS lookup for the zone's CAA records, parse them into issue, issuewild, and iodef directives, then walk the zone's currently-active certificates (those whose not_after is in the future). For each cert we pick the right directive set — issuewild for wildcard certs when published, otherwise issue — and check whether the cert's issuer is permitted.
Issuer matching is done by comparing the certificate's issuer organization name to the CAA value's domain. RFC 8657 parameters (letsencrypt.org;account=12345) are stripped before comparison. A small alias map covers cases where the CA's domain doesn't match the issuer name — for example, pki.goog maps to "Google Trust Services".
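As an added worked example (not the monitor's own code), the matching logic described above in Python: parse CAA records into directive sets, strip RFC 8657 parameters, pick issuewild or issue per certificate, and apply the alias map. The Let's Encrypt alias entry, the sample records and the sample certificates are constructed for illustration; the example also goes slightly beyond the text by treating a zone whose relevant directive set is empty as unrestricted, which is what RFC 8659 specifies.

```python
from datetime import datetime, timezone

# Alias map (CAA domain -> issuer organization). pki.goog is from the page;
# the Let's Encrypt entry is an assumption made for the constructed sample.
ALIASES = {"pki.goog": "Google Trust Services", "letsencrypt.org": "Let's Encrypt"}

def parse_caa(records):
    """Group CAA (flags, tag, value) tuples by tag, stripping RFC 8657 parameters."""
    policy = {"issue": [], "issuewild": [], "iodef": []}
    for _flags, tag, value in records:
        # "letsencrypt.org;account=12345" -> "letsencrypt.org"; ";" -> "" (deny-all)
        policy.setdefault(tag.lower(), []).append(value.split(";", 1)[0].strip())
    return policy

def ca_permitted(issuer_org, values):
    """True if any non-empty CAA value names this issuer (via alias or directly)."""
    for domain in values:
        if domain and issuer_org.lower() == ALIASES.get(domain, domain).lower():
            return True
    return False

def evaluate(records, certs, now=None):
    """Return ('ok'|'no_caa'|'violation', [offending subjects]); certs are
    (subject, issuer_org, not_after) tuples and only active ones are checked."""
    now = now or datetime.now(timezone.utc)
    if not records:
        return "no_caa", []
    policy = parse_caa(records)
    offenders = []
    for subject, issuer_org, not_after in certs:
        if not_after <= now:
            continue                              # expired: out of scope
        wild = subject.startswith("*.")
        # issuewild governs wildcards only when published; otherwise issue applies
        values = policy["issuewild"] if wild and policy["issuewild"] else policy["issue"]
        if not values:
            continue                              # no restricting directive: unrestricted
        if not ca_permitted(issuer_org, values):
            offenders.append(subject)
    return ("violation" if offenders else "ok"), offenders

# Constructed sample: Let's Encrypt may issue anything, GTS only non-wildcards.
FUTURE, PAST = datetime(2099, 1, 1, tzinfo=timezone.utc), datetime(2001, 1, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [(0, "issue", "letsencrypt.org;account=12345"), (0, "issue", "pki.goog"),
                  (0, "issuewild", "letsencrypt.org"), (0, "iodef", "mailto:sec@example.com")]
SAMPLE_CERTS = [("example.com", "Google Trust Services", FUTURE),    # ok via issue + alias
                ("*.example.com", "Google Trust Services", FUTURE),  # violation: issuewild
                ("old.example.com", "DigiCert Inc", PAST)]           # expired, ignored

if __name__ == "__main__":
    print(evaluate(SAMPLE_RECORDS, SAMPLE_CERTS))   # ('violation', ['*.example.com'])
```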
Why it matters
CAA exists to limit the blast radius of a compromised CA — if Let's Encrypt is the only authorized issuer, a rogue cert from another CA shouldn't even be issued in the first place. But CAA is only enforced at issuance, so an existing cert from a now-disallowed CA stays valid until it expires. This check surfaces those mismatches as a signal to investigate.
Status outcomes
A CAA record exists, and either there are no active certificates or every active certificate was issued by a permitted CA.
No CAA record is published. Any CA can issue certificates for the domain.
An active certificate exists that the CAA policy doesn't authorize — either the wrong CA issued it, or a deny-all policy (0 issue ";") is in effect while certs are still active.
How to fix
For a missing CAA record, decide which CAs you actually want to permit and publish a record like 0 issue "letsencrypt.org". Most DNS providers expose CAA as a record type in their UI.
If a non-compliant cert is flagged, investigate first — it may be a legitimate cert issued before the CAA policy was tightened, in which case waiting for it to expire (or revoking it) is enough. If the cert wasn't expected, treat it as a potential misissuance and contact the CA.