What is a CAA record?

CAA records can tell certificate authorities which CAs are authorized to issue certificates for a domain.

Does CAA prove the current certificate is valid?

No. CAA is a DNS policy signal and does not inspect the live TLS certificate.

What if no CAA record is found?

A missing CAA record is common and does not automatically mean the domain is unsafe.

DNS and Domain Tool

CAA Lookup

Check Certification Authority Authorization records for a domain. CAA can guide certificate issuance, but it is not a full TLS certificate or website-security audit.

Check CAA records

Enter a domain to check CAA records.

Technical response details (optional)

What the results mean

CAA records can name certificate authorities that may issue certificates for a domain. Values often include issue, issuewild, or iodef.

How to use this tool

Enter a domain.
Review returned CAA records and TTL values.
Use SSL Certificate Checker, HTTP Headers Checker, and Security Headers Checker for complementary website signals.

FAQ

Does this inspect the live certificate?

No. It checks DNS CAA records only.

Can CAA stop every bad certificate?

No. It is a policy signal used by certificate authorities, not a standalone protection layer.

Why use CAA?

CAA can reduce accidental issuance by unexpected certificate authorities when configured correctly.

B2B diagnostic report model

Domain intelligence diagnostics

Domain checks connect public DNS, RDAP-safe context, reverse DNS, CAA, DNSSEC hints, IP/ASN context, provider hints, and blacklist context.

SummaryStart with a plain-language status for the public target.

Top issuesPrioritize the few findings that need attention first.

What passedShow expected public signals without turning them into a certification.

What needs reviewSeparate limited, unavailable, and review-worthy signals.

Why it mattersExplain the business, delivery, crawl, or implementation impact.

Recommended fixesPoint to the DNS, hosting, email, CMS, or SEO owner who can act.

What this tool cannot checkThis does not enumerate subdomains, scan ports, prove ownership, prove origin IP exposure, or certify infrastructure security.

Client-safe copyClient-safe copy should keep high-level DNS/RDAP/provider findings while suppressing raw payloads and RDAP contact personal data.

Monitoring beta (optional)Optional monitoring beta can compare DNS, RDAP status, expiration windows, provider hints, reverse DNS, and blacklist context for approved public domains.

Client-safe report

Share findings without leaking raw technical material

Use Safe Copy or this page's summary when sending results to a client, vendor, developer, or support team. Raw headers, credentials, tokens, cookies, private addresses, email local-parts, and oversized payloads should stay out of client-facing copy.

Review Safe Copy Ask about monitoring beta

Check my website/domain

What this checks

Public DNS, HTTP, HTTPS, certificate, redirect, header, IP/ASN, or domain configuration signals.

Limits

What this cannot check

It cannot perform credentialed vulnerability testing, scan private hosts, bypass access controls, or certify complete security.

Read results

How to use the output

Treat results as review signals for this browser/session or public target. Re-test after one change, then use Safe Copy or notes that avoid raw identifiers.