Most small business owners never give a second thought to the quiet machinery that keeps their website secure, and honestly, that is how it should be. But every so often a piece of that machinery surfaces with an alarming name, and the CAA record is a perfect example. It sounds deeply technical, yet the idea behind it is wonderfully simple: it is a way of telling the internet exactly which companies are allowed to issue security certificates for your domain. We say this to clients all the time: a few minutes understanding this now can save you a baffling certificate error later. So let us walk through it together, in plain language, with no assumptions about what you already know.
By the end of this guide you will know what a CAA record is, why it exists, how to add or fix one, and how to avoid the small mistakes that trip people up.
Let us start with what a CAA record actually is
CAA stands for Certification Authority Authorization, which is a mouthful, so let us translate. A CAA record is a small entry in your domain’s DNS settings that names the certificate authorities permitted to issue SSL certificates for your website. An SSL certificate is what puts the padlock in the browser and encrypts the connection between your site and your visitors. A certificate authority is one of the trusted companies allowed to issue those certificates.
Think of it as a guest list on the door of your domain. Without a CAA record, any certificate authority in the world could in theory issue a certificate for your site. With a CAA record in place, only the authorities you have named are allowed through the door. Everyone else is politely turned away.

Why a CAA record is worth having
The whole point of a CAA record is to reduce the risk of someone obtaining a certificate for your domain that you never asked for. A fraudulently issued certificate could be used to impersonate your website, which is exactly the sort of thing that keeps security-minded people awake at night. By publishing a CAA record, you shrink the number of authorities that can issue for your domain down to the ones you actually use.
For a small business, this is a low-effort, high-reassurance measure. It does not slow your site down, it does not cost anything, and it quietly tightens your security posture. It is the digital equivalent of telling reception to only let in visitors on the approved list; simple, sensible, and easy to forget you ever set up.
Understanding the parts of a CAA record
Like most DNS entries, a CAA record is made of a few fields, and knowing what each one does removes the mystery entirely. Here is each piece in everyday terms.
Flag
This is a small number that signals how strictly the record should be treated. A common setting tells authorities that if they do not understand the record, they should refuse to issue rather than guess. Your provider will usually suggest the right value.
Tag
This describes what the record controls. The most common tag names the authorities allowed to issue standard certificates, another covers wildcard certificates, and a third lets you provide a contact address for reporting policy violations.
Value
This is the actual name of the certificate authority you are authorising, written as its domain. If you use more than one authority, you simply add more records, one per authority.
Adding a CAA record step by step
The process mirrors adding any other DNS record, so once you have done it you will find it reassuringly familiar. Here is the reliable route.
Confirm which certificate authorities you use
Before you add anything, work out who currently issues your certificates. This might be your hosting provider, a dedicated SSL provider, or a free automated service. Authorise only the ones you genuinely use.
Open your DNS management area
Log in to wherever your domain’s DNS is managed and look for the section to add a new record. Choose CAA from the list of record types.
Enter the flag, tag and value
Add the flag your provider recommends, choose the tag for standard issuance, and enter the authority’s domain as the value. If you use several authorities, repeat this for each one.
Save and allow time to propagate
Save the record and be patient while the change spreads across the internet, which can take anywhere from minutes to a day. Try not to fiddle while you wait.
Test before your next renewal
Use a free online CAA checker to confirm the record is live and correct, ideally well before your certificate is due to renew, so there are no surprises.
How a CAA record compares to other DNS records
It helps to see where the CAA record sits among its more familiar relatives, because each one has a very different job. Here is a quick, jargon-light comparison:
- A record: points your domain to a server address so the website loads.
- MX record: directs email to the correct mail server.
- TXT record: stores small notes, often used for verification and email security.
- CAA record: names the certificate authorities allowed to issue certificates for your domain.
- CNAME record: points one name to another, handy for aliases and subdomains.
In short, while most records tell the world where to find things, the CAA record is about who is allowed to vouch for your site’s security.
Best practices that keep CAA records trouble-free
A little care here prevents a very specific and frustrating type of outage. Always authorise every certificate authority you actually use, because forgetting one means your renewal can suddenly fail. Review your CAA record whenever you change SSL providers, since an out-of-date guest list locks out your new supplier. Keep a note of which authorities you have listed and why. And add a contact tag where possible, so that if anyone does try something suspicious, the reporting route already exists.
Common mistakes we see people make
The errors here are predictable, which makes them easy to sidestep. The classic one is switching to a new SSL provider and forgetting to add them to the CAA record, so the shiny new certificate simply refuses to issue. Another is listing the wrong authority domain because of a typo, which quietly blocks a legitimate provider. People also sometimes add a CAA record that is far too restrictive, then wonder why automated renewals fail. And a common one is testing too soon, before the change has propagated, and panicking unnecessarily. Slow, careful checking prevents nearly all of these.
Where domain security is heading next
DNS-based security is quietly becoming more automated and more approachable. Certificate services increasingly configure and check CAA records for you as part of issuing a certificate, removing the manual step altogether. Hosting providers are building friendlier interfaces that explain each field rather than leaving you to guess. And the wider push towards automatic, short-lived certificates makes having your authorisations correct more important than ever, because renewals happen far more often. The heartening trend is that all of this is getting easier, not harder, for the average business owner.
A quick real-world example of a CAA record in action
Imagine you have run your bakery’s website happily for years with a certificate issued by your hosting company. One day you decide to move to a smarter platform, and the new provider tries to issue a fresh certificate through a different authority. If you set up a CAA record back at the start, naming only your old host, the new certificate will be refused, and you will be left staring at a confusing error just as you are trying to launch. It is not a fault, it is the CAA record doing exactly what you told it to.
The fix is delightfully simple: add the new authority to your CAA record, wait for it to propagate, and the certificate issues without a murmur. We share this story because it is the single most common way a well-meaning security setting turns into a head-scratching afternoon. Knowing about it in advance means you will recognise the culprit instantly rather than assuming something has gone badly wrong. A guest list only works if you remember to add your new guests.
Do I really need a CAA record?
It is not compulsory, but it is a sensible, no-cost layer of protection. Without one, any certificate authority could in theory issue a certificate for your domain. Adding one restricts that to the providers you actually trust, which is a small effort for a meaningful security gain.
Will a CAA record break my website?
Not on its own. A correctly configured CAA record is invisible to visitors and does not affect how your site loads. The only thing it can affect is certificate issuance, so the key is to make sure every authority you use is listed before you rely on it.
How many certificate authorities should I list?
List every authority you genuinely use, and no more. For many small businesses that is just one, perhaps the free automated service bundled with their hosting. If you use a separate provider for a specific certificate, add that too, so nothing is accidentally locked out.
What happens if my CAA record is wrong?
The usual symptom is a failed certificate issuance or renewal, where your provider reports it is not authorised. The fix is simply to correct the authority domain or add the missing provider, then wait for the change to propagate before trying again.
Does a CAA record affect my email or search ranking?
No, and this is a common worry worth putting to rest. A CAA record only governs who may issue SSL certificates for your domain; it has no bearing on where your email is delivered or how search engines rank your pages. That said, keeping your certificate valid and your padlock intact does support trust and security, both of which matter to visitors and search engines alike, so a healthy CAA record indirectly helps you keep the secure site that everyone now expects.
Your quick CAA record checklist
- List your authorities: confirm exactly which providers issue your certificates.
- Open the right DNS area: edit DNS where your nameservers actually point.
- Add the record carefully: set the flag, tag and value exactly as advised.
- Cover every provider: add a record for each authority you use.
- Save and wait: allow propagation before testing.
- Check with a tool: confirm the record is live before your next renewal.
- Review on change: update the record whenever you switch SSL providers.
Want your domain security handled properly?
A CAA record is a tiny setting that does a genuinely useful job, quietly keeping your domain’s certificates in trusted hands. If DNS and certificates are not how you want to spend your afternoon, this is precisely the sort of behind-the-scenes work we take off our clients’ plates every day. At Delivered Social we keep small business websites secure, trusted and worry-free. Contact us today and let us make sure your domain is locked down the right way.


































