CAA Record Lookup Tool

Check CAA records instantly across global resolvers to validate your SSL/TLS certificate issuance policies.

How to troubleshoot SSL issuance with a CAA Lookup

If your web host or service like AutoSSL/Let's Encrypt is failing to generate or renew a security certificate for your domain, an overly restrictive CAA record is often the cause. Enter your domain name above to instantly query its active CAA records. This confirms which Certificate Authorities (CAs) are officially permitted to issue SSL/TLS certificates for your site.

Interpreting your CAA results

  • No Record Found: If the lookup returns no CAA records, it means you have no active restrictions. Any public Certificate Authority is allowed to issue a certificate for your domain. This is the default state for most domains.
  • Missing CAs: If you see a CAA record authorizing digicert.com, but you are trying to install a free certificate from letsencrypt.org, the issuance will fail. You must add an additional CAA record specifically authorizing Let's Encrypt.
  • Wildcard Restrictions: Look closely at the tags. A CAA record might authorize standard certificates (using the issue tag), but explicitly forbid wildcard certificates (using the issuewild tag).

Related tools

SSL/PKI DNS check validator TLSA record DNS lookup DNSSEC lookup validator TXT record check tool