Which CAs may issue certificates
DNS & Records
DNS Lookup Every DNS record for any domain A Record Lookup IPv4 addresses for a domain AAAA Record Lookup IPv6 addresses for a domain MX Lookup Mail servers for a domain NS Lookup Authoritative name servers TXT Lookup TXT records, SPF, verification CNAME Lookup Canonical name (alias) records SOA Lookup Start of Authority record SRV Lookup Service location records CAA Lookup Which CAs may issue certificates Reverse DNS (PTR) IP address to hostname DNSSEC Check Is the domain signed and validated? DNS Health Check A full delegation & DNS report cardEmail Deliverability
SPF Check Validate your Sender Policy Framework record DMARC Check Inspect and grade your DMARC policy DKIM Check Find and validate your DKIM public key Blacklist Check Check an IP against email blocklists (DNSBLs) SMTP Test Connect to a mail server and check STARTTLS MTA-STS Check Enforced TLS policy for inbound mail BIMI Check Brand logo record for email TLS-RPT Check SMTP TLS reporting policyNetwork & Web
SSL Certificate Check Inspect a site's TLS certificate and expiry HTTP Header Check Inspect response headers, redirects and security Ping (TCP) Reachability and latency over TCP Port Check Which common ports are openDomain
WHOIS Lookup Registration data for domains, IPs and ASNsA CAA (Certification Authority Authorization) record lets a domain declare which certificate authorities may issue certificates for it. CAs are required by the CA/Browser Forum to honour these records, so they reduce the risk of mis-issuance — a CA wrongly issuing a certificate for your domain. CAA is a simple, powerful guardrail for your TLS certificates.
A CAA record names an allowed certificate authority by its domain. Before issuing, a compliant CA checks the CAA records for your domain; if records exist and none list that CA, it must refuse. The record has three parts: a flag, a tag and a value. The common tags are issue (authorizes a CA to issue standard certificates), issuewild (controls wildcard certificates specifically), and iodef (a URL or mailto where CAs report policy violations). For example, issue "letsencrypt.org" permits only Let's Encrypt to issue.
IPeek lists the CAA records on the domain, each with its tag and value. Read the issue tags to see which CAs are authorized — a value like "letsencrypt.org" or "digicert.com" names the permitted authority. An issuewild tag restricts who may issue wildcard certificates. An issue value of ";" (semicolon) means no CA is authorized at all. If the domain has no CAA records, any public CA may issue, which is the permissive default. Check that the CAs listed match the providers you actually use for certificates.
Without CAA, any of dozens of public certificate authorities can issue a certificate for your domain, so a single compromised or tricked CA is enough for an attacker to obtain a valid certificate. CAA narrows that attack surface to only the CAs you name. Because the CA/Browser Forum mandates that CAs check CAA before issuing, the protection is enforced industry-wide. Add the iodef tag and authorized CAs can notify you of attempted policy violations, giving early warning of someone trying to obtain a certificate they should not.
With no CAA record, any publicly trusted certificate authority is allowed to issue certificates for the domain — the permissive default. Adding CAA records restricts issuance to only the CAs you list. If you care which authorities can certify your domain, publish CAA records; otherwise issuance stays open to all compliant CAs.
These are the three standard CAA tags. issue authorizes a named CA to issue regular certificates, issuewild specifically controls wildcard certificate issuance, and iodef gives a URL or mailto address where CAs report attempted policy violations. Using issue plus iodef both restricts who can certify your domain and alerts you to violations.
Yes. Under CA/Browser Forum rules, publicly trusted CAs are required to check a domain's CAA records before issuing and must refuse if the records do not authorize them. This makes CAA an enforced control rather than a suggestion. It does not stop an already-issued certificate, but it blocks new mis-issuance by compliant authorities.
Publish a separate CAA issue record for each authority you want to permit. For example, one record with issue "letsencrypt.org" and another with issue "digicert.com" authorizes both. CAs check whether any record names them, so multiple issue records simply widen the set of allowed authorities while still excluding everyone else.
Yes, that is what the issuewild tag is for. issuewild governs who may issue wildcard certificates (like *.example.com), overriding the plain issue tag for wildcards. You might allow a CA to issue regular certificates but restrict or forbid wildcards, or vice versa, by combining issue and issuewild records appropriately.