CAA record

A DNS record that lists which Certificate Authorities may issue certificates for your domain. A security control against mis-issuance: a CA that honors CAA refuses requests for your domain from anyone other than the CAs you named.

A CAA (Certification Authority Authorization) record at your domain lists which CAs are allowed to issue certificates for it. Every publicly trusted CA MUST check CAA before issuing; the CA/Browser Forum Baseline Requirements have required this since September 2017, and the record format and lookup rules are specified in RFC 8659. The CA looks up CAA for the exact hostname it was asked to certify and, if that name has no CAA records, walks up through the parent domains until it finds some. A record at the apex therefore covers every subdomain unless a subdomain publishes its own set.

example.com.   CAA   0 issue "letsencrypt.org"
example.com.   CAA   0 issue "digicert.com"
example.com.   CAA   0 iodef "mailto:security@example.com"

The fields:

  • 0: the flag byte. 0 means non-critical. 128 sets the "issuer critical" bit: a CA that does not understand the property's tag must not issue. With flag 0, a CA simply ignores tags it does not recognize.
  • issue: the tag (property name). Common tags: issue (authorizes the named CA to issue certificates for the name), issuewild (authorizes wildcard certificates; when at least one issuewild record is present, it replaces issue for wildcard requests and is ignored for non-wildcard ones), iodef (a mailto: or https: URL where a CA can report a request it refused; reporting is optional for the CA).
  • The value: the CA's identifier, normally a domain that the CA publishes for this purpose (letsencrypt.org for Let's Encrypt, digicert.com for DigiCert). An empty issuer, written issue ";", forbids all issuance of that kind.

What CAA prevents

A misconfigured CA, or an attacker who can pass domain validation at some CA you never chose, obtaining a certificate for your domain. Before CAA checking became mandatory in 2017, any trusted CA could issue a certificate for any domain, and that was abused: the DigiNotar breach in 2011 produced rogue certificates for major sites, and Symantec repeatedly mis-issued certificates before being distrusted. CAA is enforced inside the CA's own issuance pipeline, so it stops mis-issuance that goes through a CA's normal validation path (including a team in your own organization buying from an unapproved CA); it cannot stop a CA whose signing infrastructure is fully under attacker control, as DigiNotar's was.

With CAA, only the CAs you've listed can issue. Others must refuse. The check happens at issuance, not at TLS handshake, so CAA doesn't slow down connections. The flip side is that browsers and other TLS clients never look at CAA: a certificate that was mis-issued despite it is still trusted, so pair CAA with Certificate Transparency log monitoring to detect issuance you did not authorize. CAA also relies on the CA seeing your real DNS answer; sign the zone with DNSSEC if you want a spoofed or tampered response to fail rather than be believed.

Why this matters for SaaS custom domains

If your SaaS uses Let's Encrypt to issue certs for customer domains, and a customer has restrictive CAA records like 0 issue "digicert.com" (only DigiCert allowed), your Let's Encrypt cert request fails. Most domains publish no CAA record at all, and with no record any CA may issue, so Let's Encrypt usually works; but enterprise customers sometimes lock their zone down to specific CAs, and because the lookup walks up from the hostname, a record at the customer's apex applies to the subdomain they point at you.

When you onboard a custom domain, check whether the customer has CAA records that block your CA, and check again before each renewal, since customers change DNS. If they do, instruct them to add 0 issue "letsencrypt.org" (or whichever CA you use). They don't have to loosen the apex policy: a CAA record at the specific hostname they delegate to you (for example app.customer.com) is found first and takes precedence over the one at customer.com. If that hostname is a CNAME to you, no other records can live at that name; under RFC 8659's lookup rules the CA follows the CNAME, so the CAA records you publish at the CNAME target are the ones consulted for it.
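The following is an added example (not Domainee's code) that implements the RFC 8659 evaluation a CA performs, and that an onboarding check can mirror: the walk up the name tree, CNAME chasing, the critical flag, issue vs issuewild precedence, the "issue ;" deny form, and the optional validationmethods parameter from RFC 8657. It covers the field semantics listed above as well as the onboarding check. Real DNS is replaced by a constructed in-memory zone (the names, records and CNAMEs are invented) so it runs offline; the function names are this example's own.

```python
"""Evaluate whether a CA may issue for a hostname under CAA (RFC 8659).

Added example, not Domainee code. The zone below is constructed sample data;
replace lookup_caa() with a real resolver query in production.
"""
from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # the "issuer critical" flag bit


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed sample DNS data (hypothetical names). All names are fully qualified.
CNAMES = {
    # the customer points their hostname at the SaaS edge by CNAME
    "shop.customer.example.": "edge.saas.example.",
}
ZONE = {
    "customer.example.": [CAA(0, "issue", "digicert.com"),
                          CAA(0, "iodef", "mailto:security@customer.example")],
    "app.customer.example.": [CAA(0, "issue", "letsencrypt.org")],  # overrides apex
    "edge.saas.example.": [CAA(0, "issue", "letsencrypt.org")],     # CNAME target
    "locked.example.": [CAA(0, "issue", ";")],                      # nobody may issue
    "wild.example.": [CAA(0, "issue", "digicert.com"),
                      CAA(0, "issuewild", "letsencrypt.org")],
    "strict.example.": [CAA(CRITICAL, "futuretag", "x"),            # unknown critical tag
                        CAA(0, "issue", "letsencrypt.org")],
    "report.example.": [CAA(0, "iodef", "https://report.example/caa")],
    "dns01.example.": [CAA(0, "issue", "letsencrypt.org; validationmethods=dns-01")],
}


def lookup_caa(name):
    """CAA(X): query one name, chasing CNAME aliases as a resolver would."""
    for _ in range(8):  # bound alias chains
        if name not in CNAMES:
            break
        name = CNAMES[name]
    return list(ZONE.get(name, []))


def relevant_caa_set(fqdn):
    """RelevantCAASet(X): first non-empty CAA set walking up from X toward the root."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rs = lookup_caa(".".join(labels[i:]) + ".")
        if rs:
            return rs
    return []


def parse_issue(value):
    """'ca.example; k=v; ...' -> (issuer domain, or '' for 'issue ;', params dict)."""
    head, *rest = value.split(";")
    params = {}
    for p in rest:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return head.strip().lower(), params


def ca_may_issue(fqdn, ca_domain, method=None):
    """Return (allowed, reason) for a CA identified by ca_domain; '*.name' means wildcard."""
    wildcard = fqdn.startswith("*.")
    rs = relevant_caa_set(fqdn[2:] if wildcard else fqdn)
    if not rs:
        return True, "no CAA records found up the tree: any CA may issue"
    bad = [r for r in rs if r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS]
    if bad:
        return False, f"critical unrecognized tag {bad[0].tag!r}: must not issue"
    # issuewild replaces issue for wildcard requests only when at least one is present
    tag = "issuewild" if wildcard and any(r.tag.lower() == "issuewild" for r in rs) else "issue"
    relevant = [r for r in rs if r.tag.lower() == tag]
    if not relevant:
        return True, f"no {tag} property in the relevant set: issuance not restricted"
    for r in relevant:
        ca, params = parse_issue(r.value)
        if ca != ca_domain.lower():
            continue
        methods = params.get("validationmethods")
        if methods and method not in [m.strip() for m in methods.split(",")]:
            continue
        return True, f"authorized by {tag} {r.value!r}"
    return False, f"{ca_domain} not listed in {tag} properties: must not issue"


if __name__ == "__main__":
    checks = [("www.customer.example", "letsencrypt.org"),
              ("shop.customer.example", "letsencrypt.org"),
              ("*.wild.example", "digicert.com")]
    for host, ca in checks:
        ok, why = ca_may_issue(host, ca)
        print(f"{ca:16} {host:24} {'ALLOW' if ok else 'BLOCK'}: {why}")
```

To run this against live DNS, replace lookup_caa with a resolver call such as dnspython's dns.resolver.resolve(name, "CAA") and build CAA objects from each answer's flags, tag and value (tag and value are bytes there); an onboarding flow would call ca_may_issue(customer_host, "letsencrypt.org", method="http-01") with whichever ACME challenge you actually use, and show the customer the reason string when the answer is False.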

Want this handled for you? Start free with Domainee — 50 custom domains + 100 GB bandwidth, no card.