Security
CAA records
Tells the world which certificate authorities are allowed to issue certificates for your domain. Stops rogue CA issuance dead.
What it is
Certification Authority Authorization — a DNS record that whitelists which CAs may issue certificates for the domain. Public CAs are required by the CA/Browser Forum to honour it.
Why it matters
Prevents a compromised or misconfigured CA from issuing a valid cert for your domain. One DNS record, large attack-surface reduction.
Who it applies to
Every domain with HTTPS.
How WQI scores it
Web Quality Index considers this standard satisfied when the supporting factor passes.
| # | Factor | Status |
|---|---|---|
| 23 | CAA records | planned |
0 of 1 supporting factors are currently collected. Sites where the remaining factor hasn't been measured will show as partial or unknown on this standard until the data lands.
Other references
- Regulation: CA/Browser Forum Baseline Requirements (CAA section)
- Tooling: SSLMate CAA record helper