Add CAA recordsA Certificate Authority Authorization (CAA) DNS record specifies which Certificate Authorities (CAs) are allowed to issue certificates for a domain. This record reduces the chance of unauthorized certificate issuance and promotes standardization across your organization.
Who should create CAA records?
- You uploaded your own custom origin server certificate (not provisioned by Cloudflare).
- That certificate was issued by a CA (not self-signed).
- Your domain is on a full setup (not a ).
Who does not need to create CAA records?
You do not need to create CAA records in Cloudflare if your domain falls into one of the following categories:
- You have or enabled (Cloudflare automatically adds CAA records for each our CA providers when necessary).
- Your custom origin server certificate is self-signed.
- You are using a (CAA records should be added to your authoritative DNS provider).
If Cloudflare has automatically added CAA records on your behalf, these records will not appear in the Cloudflare dashboard. However, if you run a command line query using
dig, you can see any existing CAA records, including those added by Cloudflare.
Create CAA records
Create a CAA record for each Certificate Authority (CA) that you plan to use for your domain.
To add a CAA record:
- Log in to the and select your account and application.
- Navigate to DNS.
- Click Add record.
- For Type, select CAA.
- For Name, type your domain.
- Choose a Tag, which specifies the behavior associated with the record.
- For CA domain name, enter the CA name.
- Click Save.
- Repeat for each CA associated with your domain.
Once you have finished creating all the records, you can review them in the list of records appearing under the DNS Records panel.