For experienced users
A CAA record (Certification Authority Authorization) identifies which certificate authority (CA) can issue SSL certificates for your domain. CAA records let you set rules for your entire domain or specific subdomains.
CAA records let you control which CAs can issue certificates for your domain. A certificate authority (CA) is an organization authorized to issue SSL certificates.
You can be notified if someone requests a certificate from an unauthorized CA. Without a CAA record, any CA can issue an SSL certificate for your domain. Once you create a CAA record, only the CA you specify can issue the certificate.
How is a CAA record structured?
A CAA record consists of these parts:
- Domain – Leave this field empty to apply to your root domain. If you enter a subdomain, it applies only to that specific subdomain.
- CA identifier – The identifier of the certificate authority authorized to issue certificates for your domain. This can be the CA’s name (for example letsencrypt.org) or an email or web address.
- Flags – This parameter defines how critical the record is. The number is always determined by the certificate authority.
- Tag – Defines the properties of the CAA record.
- TTL – This value determines how long ISP servers remember the DNS setting. Time is specified in seconds.

After you’ve entered the required information, click Create.