Add CAA records
A Certificate Authority Authorization (CAA) DNS record specifies which Certificate Authorities (CAs) are allowed to issue certificates for a domain. This record reduces the chance of unauthorized certificate issuance and promotes standardization across your organization.
Who should create CAA records?
- You uploaded your own custom origin server certificate (not provisioned by Cloudflare).
- That certificate was issued by a CA (not self-signed).
- Your domain is on a full setup (not a ).
CAA records added by Cloudflare
If Cloudflare has automatically added CAA records on your behalf, these records will not appear in the Cloudflare dashboard. However, if you run a command line query using
dig, you can see any existing CAA records, including those added by Cloudflare (replacing
example.com with your own domain on Cloudflare):
➜ ~ dig example.com caa +short# CAA records added by DigiCert0 issue "digicert.com; cansignhttpexchanges=yes"0 issuewild "digicert.com; cansignhttpexchanges=yes"# CAA records added by Sectigo0 issue "sectigo.com"0 issuewild "sectigo.com"# CAA records added by Let's Encrypt0 issue "letsencrypt.org"0 issuewild "letsencrypt.org"# CAA records added by Google Trust Services0 issue "pki.goog; cansignhttpexchanges=yes"0 issuewild "pki.goog; cansignhttpexchanges=yes"
Create CAA records
Create a CAA record for each Certificate Authority (CA) that you plan to use for your domain.
To add a CAA record in the dashboard,
- Log in to the and select your account and application.
- Navigate to DNS > Records.
- Click Add record.
- For Type, select CAA.
- For Name, type your domain.
- Choose a Tag, which specifies the behavior associated with the record.
- For CA domain name, enter the CA name.
- Click Save.
- Repeat for each CA associated with your domain.
Once you have finished creating all the records, you can review them in the list of records appearing under the DNS Records panel.