Security
Severity: Low

CAA Record

Checks DNS for a CAA record — restricts which CAs can issue certs for your domain.

What this check measures

We query DNS for CAA records on the domain. A CAA record tells certificate authorities "only these CAs may issue for this domain", and publicly trusted CAs are required to check it before issuing. Without it, any CA that is compromised or tricked by a validation flaw can issue a valid cert for your domain, and whoever holds that cert can MITM your users.

Why it matters

CAA is a belt-and-suspenders defense against CA compromise (rare but real: DigiNotar in 2011, WoSign in 2016). Setting it costs nothing and prevents entire classes of mis-issuance by any CA that honours CAA, which since 2017 includes every publicly trusted CA. It is enforced by the CA at issuance time, not by browsers, so a fully compromised CA can ignore it; pair it with Certificate Transparency log monitoring to catch certs that were issued anyway.


How our audit detects it

We perform a DNS CAA lookup on the domain apex and check for a constraint such as `0 issue "letsencrypt.org"`. CAs evaluate CAA by walking from the requested name up toward the root and using the first CAA record set they find (RFC 8659), so a record at the apex also governs every subdomain that has no CAA record of its own.

Typical findings

  • No CAA record — any CA worldwide may issue.
  • CAA allows only an unused CA by mistake, blocking your real CA.

How to fix

Add a CAA record naming your CA, for example `0 issue "letsencrypt.org"` (adjust for your actual cert provider; the value is the CA's published CAA issuer domain, not its website). Also add an `iodef` entry, such as `0 iodef "mailto:security@example.com"`, so CAs that support reporting can tell you about issuance attempts they refused.
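The lookup-and-evaluate logic described under "How our audit detects it", the two typical findings and the fix above, worked through as an added Python example (this is not Pantra's own code). It implements the issuance check a CA performs per RFC 8659: climb from the requested name to the first ancestor with CAA records, then apply `issue`/`issuewild` and the issuer-critical flag. Live DNS answers are replaced by a constructed in-memory zone with hypothetical names (example.com, nocaa.example, locked.example); `lookup_caa` is the one function to swap for a real resolver.

```python
from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # issuer-critical flag bit (RFC 8659 section 4.1)


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


def parse_caa_rdata(text):
    """Parse presentation format such as '0 issue "letsencrypt.org"'."""
    flags, tag, value = text.strip().split(None, 2)
    return CAA(int(flags), tag.lower(), value.strip().strip('"'))


# Constructed zone data (hypothetical names), standing in for live DNS answers.
ZONE = {
    "example.com.": [
        parse_caa_rdata('0 issue "letsencrypt.org"'),
        parse_caa_rdata('0 issuewild ";"'),  # ';' alone: nobody may issue wildcards
        parse_caa_rdata('0 iodef "mailto:security@example.com"'),
    ],
    # Typical finding 2: a subdomain naming a CA the site never actually uses.
    "dev.example.com.": [parse_caa_rdata('0 issue "digicert.com"')],
    # Unknown tag with the critical bit set: a CA that does not understand it must refuse.
    "locked.example.": [parse_caa_rdata('128 futuretag "x"')],
}


def lookup_caa(fqdn):
    """Stub resolver over ZONE; replace with a real DNS CAA query in production."""
    return ZONE.get(fqdn, [])


def relevant_caa_set(fqdn):
    """RFC 8659 section 3: climb from the name to the root; first non-empty set wins."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        rrset = lookup_caa(name)
        if rrset:
            return name, rrset
    return None, []


def issuance_allowed(fqdn, ca_domain, wildcard=False):
    """Return (allowed, reason) for CA `ca_domain` issuing for fqdn (or *.fqdn)."""
    source, rrset = relevant_caa_set(fqdn)
    if not rrset:
        return True, f"no CAA record at {fqdn} or any parent: any CA may issue"
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False, f"{source} carries a critical property this CA does not understand"
    # Wildcard requests use issuewild if present, otherwise fall back to issue.
    tags = ["issuewild", "issue"] if wildcard else ["issue"]
    for tag in tags:
        records = [r for r in rrset if r.tag == tag]
        if records:
            # The issuer domain precedes any ';'-separated parameters.
            allowed = {r.value.split(";")[0].strip().lower() for r in records} - {""}
            if ca_domain.lower() in allowed:
                return True, f"{source} {tag} permits {ca_domain}"
            return False, f"{source} {tag} permits only {sorted(allowed) or 'nobody'}"
    return True, f"{source} has CAA records but no issuance restriction"


def audit(fqdn, real_ca):
    """Reproduce the page's typical findings for a site whose actual CA is real_ca."""
    findings = []
    source, rrset = relevant_caa_set(fqdn)
    if not rrset:
        findings.append("No CAA record: any CA worldwide may issue")
        return findings
    ok, reason = issuance_allowed(fqdn, real_ca)
    if not ok:
        findings.append(f"CAA blocks your real CA ({real_ca}): {reason}")
    if not any(r.tag == "iodef" for r in rrset):
        findings.append("No iodef entry: CAs have nowhere to report refused issuance")
    return findings


if __name__ == "__main__":
    for name in ("www.example.com", "dev.example.com", "nocaa.example"):
        print(name, audit(name, "letsencrypt.org"))
```

Listing two CAs (the FAQ case) is just two `issue` records at the same name; the set comprehension in `issuance_allowed` already handles it. Note that the audit only finds the `dev.example.com` misconfiguration because it evaluates the exact name a certificate would be requested for, which is why checking the apex alone can miss a blocked subdomain.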

Frequently asked questions

Can I list multiple CAs?
Yes — one CAA record per allowed CA. It is common to list two (primary plus backup).

Want this checked on your site?

Pantra runs the full audit (SEO, Security, GEO, Performance, Schema, Technical, Images) in 10 seconds and generates stack-specific fix prompts.

