CAA Policy Checker

A CAA record is how a domain says which certificate authorities are allowed to hand out certificates for it. CAA stands for Certification Authority Authorization. This tool finds the policy that actually applies to one exact name, follows how that name inherits its policy from parent domains, and then shows which authorities it lets issue normal and wildcard certificates. You get the records it found, the path it followed to find them, and the policy those records add up to.

How to check a CAA policy

Enter the exact hostname the certificate will cover. www.example.com can give a different answer from example.com, so use the real name from the certificate request. We ask a recursive resolver for the CAA record, follow an alias if one is in the way, and then keep walking up the original name until we hit the first policy.

Where the effective policy comes from

A name does not have to carry its own CAA record. If it has one, that wins. If it does not, the check moves to its parent, then the parent above that, and stops at the first policy it finds. So the policy that governs a certificate is often written a level or two up, not on the exact name.

www.example.comexample.comcomPolicy in effect
The check climbs from the exact name toward the root and uses the first CAA policy it finds.

One thing an alias does not do: a CNAME can send the lookup to an alias target, but the alias target's parent domains do not join the original name's inheritance path. The result lists every place we looked, so you can see which record set actually won instead of guessing.

Normal and wildcard certificates

issue covers normal certificates, the ones for a specific hostname. issuewild covers wildcard certificates, the ones that match a whole level like *.example.com. If a name has no issuewild record, wildcard requests fall back to the issue policy. If a policy has only issuewild and no issue, then CAA is not restricting normal certificates at all.

How to read CAA records

issueLets the named authority issue normal certificates for the name.
issuewildLets the named authority issue wildcard certificates for the name.
iodefA mail or web address where an authority can report a policy problem it runs into.
Empty issuerA value like CAA 0 issue ";" allows no one, which blocks that kind of issuance.
Critical flagIf a property is marked critical and an authority does not understand it, that authority must refuse to issue.

Several issue or issuewild records stack rather than compete. Every authority listed under that tag is allowed.

What this result does not promise

CAA is one permission gate in the process, not a list of certificates that already exist. This page does not read certificate history, contact an iodef address, or promise that an allowed authority will actually issue. That authority still has to confirm you control the domain and apply its own rules on top of the CAA answer.