
CAA record builder

Pick the CAs you trust. We emit the CAA records to publish at your domain's apex.

Configuration

Publish at the apex (no subdomain). Subdomains inherit unless they have their own CAA records.


CAs may post failure reports to the iodef address when someone tries to get a cert the CA isn't authorized to issue.

DNS records to publish

2 records
example.com	CAA	0 issue "letsencrypt.org"
example.com	CAA	0 issuewild ";"

Why CAA? Without it, ANY publicly trusted CA can issue a cert for your domain to anyone who passes its (sometimes weak) validation. A CAA record narrows the allowed set to the CAs you actually use, and an iodef reporting URL lets CAs notify you when someone requests a cert from a CA you haven't authorized.
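
To see how the two records above are applied, and what "subdomains inherit" means in practice, here is a simplified sketch of the check a CA performs under RFC 8659. It is an added example, not this tool's code. Assumptions: the `ZONE` dictionary is constructed sample data standing in for live DNS lookups, and `dev.example.com` and `other-ca.example` are hypothetical names.

```python
# Simplified CAA evaluation (RFC 8659). ZONE is constructed sample data
# standing in for live DNS lookups; CNAME handling is omitted.
ZONE = {
    "example.com": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    # Hypothetical subdomain with its own CAA set; it replaces the apex policy.
    "dev.example.com": [(0, "issue", "other-ca.example")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(name, zone):
    """Climb from the name towards the root; the first non-empty CAA set wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []

def issuer_domain(value):
    """Issuer domain from a property value; ';' alone yields '' (no CA)."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(ca_domain, requested_name, zone=ZONE):
    """True if CAA lets ca_domain issue for requested_name (may start with '*.')."""
    wildcard = requested_name.startswith("*.")
    name = requested_name[2:] if wildcard else requested_name
    rrset = relevant_rrset(name, zone)
    # An unrecognised property with the critical bit (128) set blocks issuance.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, tag, v in rrset if tag.lower() == "issue"]
    issuewild = [v for _, tag, v in rrset if tag.lower() == "issuewild"]
    # issuewild takes precedence for wildcard names and is ignored otherwise.
    props = issuewild if (wildcard and issuewild) else issue
    if not props:
        return True  # nothing restricts this request: any CA may issue
    return ca_domain.lower() in {issuer_domain(v) for v in props}

if __name__ == "__main__":
    for ca, name in [("letsencrypt.org", "www.example.com"),
                     ("letsencrypt.org", "*.example.com"),
                     ("other-ca.example", "*.dev.example.com")]:
        print(f"{ca:18} {name:20} -> {may_issue(ca, name)}")
```

Note the last case: once a subdomain publishes its own CAA set, the apex `issuewild ";"` no longer applies beneath it, so a subdomain set needs its own `issuewild` property if wildcards should stay blocked there.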