Free CAA Lookup.

Check CAA records for any domain in seconds. See which certificate authorities are allowed to issue SSL/TLS certificates for your domain, confirm TTL values, and spot risky misconfigurations.

CAA Lookup.

How does CAA Lookup work?

Enter a domain name (e.g., example.com) and click “Check”. Our tool queries DNS for CAA records and returns the values it finds—along with TTL (time-to-live)—so you can confirm your certificate-issuing rules and validate changes.

What is a CAA record?

A CAA record (Certification Authority Authorization) tells certificate authorities which providers are allowed to issue SSL/TLS certificates for your domain. It’s a simple DNS-based control that helps reduce the risk of unauthorized certificate issuance.

When should you check a CAA record?

Before issuing or renewing an SSL/TLS certificate
When switching certificate providers (e.g., moving to a new CA)
If certificate issuance fails unexpectedly
After DNS changes or a nameserver migration

Common CAA values (quick guide)

issue: Allows a CA to issue standard certificates
issuewild: Allows a CA to issue wildcard certificates
iodef: Where a CA can send incident reports (email/URL)

Get 50 monitors with 5-minute checks totally FREE.

Try UpTimeRobot - the world's leading website monitoring service!

Start monitoring for free

Frequently asked questions.

What is a CAA record?
A CAA record lets you specify which certificate authorities (CAs) are allowed to issue SSL/TLS certificates for your domain. Public CAs are required to check CAA before issuing a certificate.
What does it mean if no CAA record is found?
It usually means you haven’t set any restrictions—so any CA may proceed with issuance under normal policy.
What do issue, issuewild, and iodef mean in CAA?
- issue: which CA can issue standard certificates
- issuewild: which CA can issue wildcard certificates
- iodef: where a CA may send policy-violation reports (email/URL)
Why is my certificate issuance failing because of CAA?
If your CAA records don’t authorize the CA you’re using, issuance can be blocked. DNS errors during CAA checks can also prevent issuance until they are resolved.
Do CAA records apply to subdomains?
Often, yes—CAA policies can be inherited by subdomains unless a more specific CAA record exists on the subdomain.
Where do I add or update a CAA record?
Add it in the DNS provider that hosts your authoritative zone (where your active nameservers point).
How do I allow Let’s Encrypt (or multiple CAs) with CAA?
You can add one or more issue entries (one per CA). For example, a standard format is CAA 0 issue "letsencrypt.org" (your DNS UI may hide the numeric flags).

Get your FREE account now, 50 monitors included!

Try UpTimeRobot - the world’s leading website monitoring service!

Start monitoring for free

Free CAA Lookup.

CAA Lookup.

How does CAA Lookup work?

What is a CAA record?

When should you check a CAA record?

Common CAA values (quick guide)

Get 50 monitors with 5-minute checks totally FREE.

Frequently asked questions.

What is a CAA record?

What does it mean if no CAA record is found?

What do issue, issuewild, and iodef mean in CAA?

Why is my certificate issuance failing because of CAA?

Do CAA records apply to subdomains?

Where do I add or update a CAA record?

How do I allow Let’s Encrypt (or multiple CAs) with CAA?

Get your FREE account now, 50 monitors included!

Uptime monitoring

Monitoring features

For every team

Go further with

Meet our users

Help & learn

Community

Free tools

What do `issue`, `issuewild`, and `iodef` mean in CAA?