
CAA record

DNS record naming which CAs may issue certs for your domain.

Web security

What is a CAA record?

A CAA (Certification Authority Authorization) record is a DNS entry listing exactly which certificate authorities are allowed to issue TLS certificates for your domain. With it in place, a CA that is not on your list will refuse to issue — which blocks an attacker who tricks some other CA into minting a cert for your name. Cheap, fast, and high-value.
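How a CA decides whether your list permits it, as an added example (not code from this page or from any CA): a sketch of the RFC 8659 lookup, which goes beyond the paragraph above by also showing the climb to parent domains, the issuewild tag and the ";" value that forbids all issuance. The zone data, the CA names ca-one.example and ca-two.example, and the function names are constructed for illustration; the critical flag and CNAME handling are left out.

```python
# Constructed sample zone: owner name -> list of (flags, tag, value) CAA records.
ZONE = {
    "example.com": [
        (0, "issue", "ca-one.example"),
        (0, "issuewild", ";"),  # ";" alone authorises no CA for wildcards
        (0, "iodef", "mailto:security@example.com"),
    ],
    "shop.example.com": [
        (0, "issue", "ca-two.example; validationmethods=dns-01"),
    ],
    "example.org": [(0, "iodef", "mailto:security@example.org")],
}


def relevant_rrset(name, zone):
    """Climb from name toward the root and return the first CAA RRset found."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset  # the climb stops here; parents are not merged in
    return []


def may_issue(ca_domain, requested_name, zone=ZONE):
    """Return True if CAA does not forbid ca_domain from issuing for the name."""
    wildcard = requested_name.startswith("*.")
    name = requested_name[2:] if wildcard else requested_name
    rrset = relevant_rrset(name, zone)
    issue = [v for _, tag, v in rrset if tag.lower() == "issue"]
    issuewild = [v for _, tag, v in rrset if tag.lower() == "issuewild"]
    # issuewild replaces issue for wildcard requests and is ignored otherwise.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # no restricting property (none at all, or only iodef)
    # The issuer domain is the part before any ";"-separated parameters.
    allowed = {v.split(";", 1)[0].strip().lower() for v in applicable}
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    for ca, name in [("ca-one.example", "www.example.com"),
                     ("ca-two.example", "example.com"),
                     ("ca-one.example", "*.example.com"),
                     ("ca-two.example", "*.shop.example.com")]:
        print(f"{ca:16} {name:22} {may_issue(ca, name)}")
```

Because the climb stops at the first RRset found, a subdomain that publishes its own CAA records no longer inherits the parent's restrictions, including the parent's issuewild ";".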
