What Is a CAA Record?

A CAA (Certificate Authority Authorization) record specifies which certificate authorities (CAs) are allowed to issue SSL/TLS certificates for a domain. It's a security measure that prevents unauthorized CAs from issuing certificates for your domain.

Why It Matters

Without CAA records, any CA could potentially issue an SSL certificate for your domain. CAA restricts issuance to only the CAs you approve.

For HTTPS domain forwarding, this matters because Domain Forward needs to provision SSL certificates for your domain. If you have a restrictive CAA record that doesn’t include our CA, certificate provisioning will fail.

How It Works

example.com    CAA    0 issue "letsencrypt.org"
example.com    CAA    0 issue "digicert.com"
example.com    CAA    0 iodef "mailto:admin@example.com"

  • issue — which CAs can issue regular certificates
  • issuewild — which CAs can issue wildcard certificates
  • iodef — where to send violation reports

When a CA tries to issue a certificate for your domain, it first checks your CAA records. If the CA is not listed in them, it must refuse the request.

CAA and Domain Forward

If you have no CAA records (most domains), everything works automatically. Domain Forward provisions SSL certificates via Let’s Encrypt without any issues.

If you do have CAA records, ensure they include:

example.com    CAA    0 issue "letsencrypt.org"

This allows Domain Forward to provision the certificates needed for HTTPS forwarding.

Frequently Asked Questions

If you have an existing CAA record, you need to ensure it allows the certificate authority that Domain Forward uses (Let's Encrypt). If you don't have any CAA records, no action is needed — the absence of CAA records means any CA can issue certificates.
