Skip to content
SSL
Visit SSL on GitHub
Set theme to dark (⇧+D)

Add CAA records

A Certificate Authority Authorization (CAA) DNS record specifies which Certificate Authorities (CAs) are allowed to issue certificates for a domain. This record reduces the chance of unauthorized certificate issuance and promotes standardization across your organization.

For additional security, set up Certificate Transparency Monitoring as well.

Who should create CAA records?

You should create CAA records for your domain in Cloudflare if each of the following is true:

Who does not need to create CAA records?

You do not need to create CAA records in Cloudflare if your domain falls into one of the following categories:

If Cloudflare has automatically added CAA records on your behalf, these records will not appear in the Cloudflare dashboard. However, if you run a command line query using dig, you can see any existing CAA records, including those added by Cloudflare.

Create CAA records

Create a CAA record for each Certificate Authority (CA) that you plan to use for your domain.

To add a CAA record:

  1. Log in to the Cloudflare dashboard and select your account and application.
  2. Navigate to DNS.
  3. Click Add record.
  4. For Type, select CAA.
  5. For Name, type your domain.
  6. Choose a Tag, which specifies the behavior associated with the record.
  7. For CA domain name, enter the CA name.
  8. Click Save.
  9. Repeat for each CA associated with your domain.

Once you have finished creating all the records, you can review them in the list of records appearing under the DNS Records panel.

To create these records via the API, use this POST endpoint.