
CAA Record Generator

Build and parse DNS CAA records in your browser. Pick allowed CAs for issue, issuewild, issuemail; add iodef contacts; copy Cloudflare, Route 53, BIND snippets.

Quick presets

Tap a preset to load common CAA policies. Your domain field is preserved.

Domain

The domain you are protecting. CAA records are published at the same name (apex or subdomain) you are issuing certs for.

Host: example.com

CA entries

Add one row per CA per tag. An empty value means deny all CAs for that tag.

Allowed CAs for non-wildcard certs. An empty value means deny all CAs for this tag.

iodef contacts

Optional. CAs send a structured incident report here when a certificate request violates this policy.

No iodef destinations configured. Most domains can leave this empty; add a mailto: contact if you want CAs to report policy violations.

Generated CAA records

Publish each line as a CAA record at example.com.

issue: 0 issue "letsencrypt.org"

End-entity certs (issue): only letsencrypt.org may issue. Wildcard certs (issuewild): no issuewild entry, so they fall back to the issue rules above. No iodef reporting destination configured.

DNS provider snippets

Drop into your DNS host or zone file. Replace placeholder zone IDs and resource groups.

BIND zone file

example.com.	IN	CAA	0 issue "letsencrypt.org"

Cloudflare DNS (UI)

Record:
Type: CAA
Name: example.com
Flags: 0
Tag: issue
Value: letsencrypt.org
TTL: Auto

Route 53 (AWS CLI)

aws route53 change-resource-record-sets \
  --hosted-zone-id ZXXXXXXXXXXXXX \
  --change-batch '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"example.com.","Type":"CAA","TTL":3600,"ResourceRecords":[{"Value":"0 issue \"letsencrypt.org\""}]}}]}'

Google Cloud DNS (gcloud)

gcloud dns record-sets create example.com. \
  --zone=YOUR-ZONE \
  --type=CAA \
  --ttl=3600 \
  --rrdatas="0 issue \"letsencrypt.org\""

Azure DNS (Azure CLI)

az network dns record-set caa add-record \
  --resource-group MY-RG \
  --zone-name com \
  --record-set-name example \
  --flags 0 \
  --tag issue \
  --value "letsencrypt.org"

Quick reference

issue, issuewild, issuemail

issue applies to all certs (and is the fallback for wildcards if issuewild is absent). issuewild applies only to wildcard certs. issuemail (RFC 9495) applies to S/MIME certs.

Empty value = deny all

An entry like 0 issue "" means no CA may issue end-entity certs. Mixing a deny-all with any permissive entry for the same tag silently allows issuance.

Where to publish

CAs check for a CAA record at the exact name they are issuing for, then walk up the tree toward the apex until they find one. Publish at the same name (apex or subdomain) you are issuing certs for.

Issuer critical (flag 128)

Setting flag 128 on a tag tells CAs to refuse issuance if they do not understand the tag. Useful for forward-compatibility experiments; leave it off for the standard tags.

iodef reports

A mailto: or https:// destination that CAs may use to send Incident Object Description Exchange Format (IODEF) reports when a request violates the policy. Most CAs are not yet sending these; safe to leave empty.

Wildcards

If issuewild is absent, wildcard certs follow the issue rules. If issuewild is present (even as deny-all), it fully overrides the issue rules for wildcards.

How to use

  1. Choose Build record to compose a CAA record set, or Parse and explain to paste existing records.
  2. Builder: enter the domain you are protecting (the host is reproduced below the field), then pick a preset (Let's Encrypt only, DigiCert, Google Trust Services, deny all, and more) or add issue, issuewild, and issuemail rows manually.
  3. For each row, type a CA host or click a CA chip (Let's Encrypt, Google, DigiCert, Sectigo, ZeroSSL, GlobalSign, SSL.com, Buypass, Amazon, Apple, Microsoft, Entrust, Certum). Leave the value empty to deny that tag entirely.
  4. Set the Issuer critical flag on a row when you want CAs to refuse issuance if they do not understand it. Leave it off for the standard tags.
  5. Add optional iodef contacts (mailto: address or https:// URL) so CAs can send violation reports. Most domains can leave this empty.
  6. Read the generated CAA values, the plain-English summary, and any warnings. Copy a single line or click All values for the whole set.
  7. Pick a DNS provider snippet for Cloudflare, Route 53, BIND, Google Cloud DNS, or Azure DNS to publish the records.
  8. Parser: paste one CAA record per line (full zone-file lines like example.com. IN CAA 0 issue "letsencrypt.org" are accepted; the preamble is stripped). The tool validates each row, flags critical-unknown tags and deny-mixed-with-allow mistakes, and summarizes the effective issuance policy.
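The parsing and policy rules from the Quick reference and the Parser step above, as an added Python example that is not the tool's own code: it splits bare RDATA or full zone-file lines into flags, tag and value, applies the issuewild-to-issue fallback, and raises the same warnings the tool describes (duplicate entries, critical flag on an unknown tag, deny-all mixed with a permissive entry). The sample records in the test are constructed.

```python
import re

# Accepts either bare RDATA ("0 issue \"letsencrypt.org\"") or a full zone-file
# line ("example.com. IN CAA 0 issue \"letsencrypt.org\"", optionally with a TTL).
CAA_LINE = re.compile(
    r'^(?:\S+\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+)?(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"$',
    re.IGNORECASE,
)
KNOWN_TAGS = {"issue", "issuewild", "issuemail", "iodef"}  # RFC 8659 + RFC 9495


def parse_caa(line):
    """Split one record into (flags, tag, value); raises ValueError on bad input."""
    m = CAA_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    flags = int(m.group(1))
    if flags > 255:
        raise ValueError(f"flags must fit in one octet: {flags}")
    return flags, m.group(2).lower(), m.group(3).strip()


def effective_policy(lines):
    """Return ({'issue': ..., 'issuewild': ..., 'issuemail': ...}, warnings).

    Each policy entry is None (tag absent at this name, so no restriction here;
    CAs then walk up toward the apex), [] (deny all) or a sorted list of CA hosts.
    """
    by_tag, seen, warnings = {}, set(), []
    for flags, tag, value in (parse_caa(l) for l in lines if l.strip()):
        if (flags, tag, value) in seen:
            warnings.append(f'duplicate entry: {flags} {tag} "{value}"')
        seen.add((flags, tag, value))
        if flags & 128 and tag not in KNOWN_TAGS:
            warnings.append(f"critical flag on unknown tag {tag!r}: CAs must refuse issuance")
        by_tag.setdefault(tag, []).append(value)
    policy = {}
    for tag in ("issue", "issuewild", "issuemail"):
        values = by_tag.get(tag)
        if values is None:
            policy[tag] = None
            continue
        if "" in values and any(values):  # deny-all next to a permissive entry
            warnings.append(f"{tag}: deny-all mixed with a permissive entry; issuance is still allowed")
        policy[tag] = sorted(set(v for v in values if v))
    if policy["issuewild"] is None:  # no issuewild entry: wildcards follow issue
        policy["issuewild"] = policy["issue"]
    return policy, warnings
```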

About this tool

CAA Record Generator is a two-mode browser tool for the DNS Certification Authority Authorization resource record defined in RFC 8659 (with the issuemail tag added by RFC 9495 for S/MIME). The Build tab lets you compose a CAA record set from structured rows instead of memorizing the wire format: add one row per allowed Certificate Authority per tag (issue for end-entity certs, issuewild for wildcards, issuemail for S/MIME), set the issuer critical flag (128) per row, and optionally add iodef contacts so CAs can send incident reports when a request violates the policy.

Quick presets cover the policies real domains pick: Let's Encrypt only, Google Trust Services only, DigiCert, Sectigo, ZeroSSL, a Let's Encrypt + Google mix, an end-entity-only policy that forbids wildcards, and a hardened deny-all preset that locks issuance down entirely. The CA chips next to each row drop the exact identifier each CA publishes (letsencrypt.org, pki.goog, digicert.com, sectigo.com, globalsign.com, buypass.com, amazon.com, apple.com, microsoft.com, ssl.com, entrust.net, certum.pl) so you do not have to look the label up.

The output panel shows one CAA RDATA value per row in the canonical flags-tag-value form, a plain-English summary of which CAs may issue end-entity, wildcard, and S/MIME certs, and a list of validation warnings for the mistakes the spec quietly tolerates: duplicate (tag, value, critical) triples, a deny-all entry mixed with a permissive entry on the same tag (which silently allows issuance), CA hosts that do not look like plausible domain labels, and iodef contacts that are not valid mailto or https URIs. DNS provider snippets are ready to paste into a BIND zone file, the Cloudflare DNS UI, the AWS Route 53 CLI, the Google Cloud DNS gcloud CLI, and the Azure DNS CLI, with the value escaped correctly so quotes do not break your record.

The Parse tab takes any CAA value, splits it into flags, tag, and value, validates each field, accepts both bare records (0 issue "letsencrypt.org") and full zone-file lines (example.com. IN CAA 0 issue "letsencrypt.org"), surfaces conflicts that lead to undefined behavior across CAs, and explains the effective issuance policy in a single summary panel. A reference grid contrasts the rules that confuse most operators (issue vs issuewild fallback, empty value as deny-all, issuer critical flag, where the record must be published, iodef reporting destinations, wildcard override behavior) so the page doubles as a study sheet.

Useful for tightening certificate issuance on a production domain, hardening parked or non-sending domains, fixing an inherited CAA record before the next renewal, debugging an unexpected CA rejection during ACME issuance, and reviewing the policy of any domain whose record you can paste in. Everything runs locally in your browser. Domains, mailbox addresses, and report URIs never leave your device.

Free to use. Works in your browser. No signup, no login.
