DNS / email · Check
CAA record missing — restricting which CAs can issue certificates
A Certification Authority Authorization (CAA) DNS record (RFC 8659) tells publicly trusted CAs which issuers may issue certificates for your domain. Publicly trusted CAs have been required to check CAA before every issuance since September 2017 (CA/Browser Forum Baseline Requirements), so without a record any of them can issue, including one whose domain-validation check an attacker manages to fool. Publishing CAA narrows issuance to the CAs you actually use and so reduces the chance of a fraudulent certificate bearing your name.
Real-world risk
Without CAA, any publicly trusted CA can issue for your hostnames whenever another control fails, for example a domain-validation check that an attacker defeats by hijacking your DNS or your routing for long enough to answer the challenge. Two caveats: CAA is enforced by the CA at issuance time, browsers never check it, and it cannot stop a CA that is compromised or simply ignores the record, so it complements Certificate Transparency monitoring rather than replacing it. It also depends on the integrity of your DNS answers; signing the zone with DNSSEC makes the record harder to strip or forge.
Fix steps (in order)
- Publish CAA records at the zone apex restricting issuance to the CAs you actually use: issue for ordinary names, issuewild for wildcard names (when no issuewild record exists, issue governs wildcards too), and optionally iodef with a mailto: or https: URL so CAs can report requests they refused.
- Example: 0 issue "letsencrypt.org" (adjust to the CAA identifier your CA documents; add issuewild only if you really need wildcard certificates, or set its value to ";" to forbid them outright).
- CAs walk from the requested hostname up towards the root and use the first CAA set they find, so a CAA record on a subdomain replaces the apex policy for that subtree rather than adding to it; review any subdomain records you publish.
- After the old TTL has expired, query the record from outside your network and confirm that every CA you use is listed; a typo in the issuer domain blocks your own renewals, not the attacker's.
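As an added example (not part of this page, and not Scorifya's own scanner code), the following Python models how a CA evaluates CAA under RFC 8659 against a small constructed zone: it climbs from the hostname towards the root, stops at the first name that has CAA records, applies issue or issuewild as appropriate, and refuses if a critical property it does not understand is present. All names, records and helper functions are illustrative assumptions; the "*." handling is a simplification of the RFC's lookup.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Constructed zone data in BIND presentation format (hypothetical names, not a
# real lookup). The apex allows one CA for ordinary names, forbids wildcard
# issuance outright and asks CAs to report refused requests; api.example.com
# carries its own CAA set, which replaces the apex policy for that name.
ZONE_TEXT = """
example.com.        3600 IN CAA 0 issue "letsencrypt.org; validationmethods=dns-01"
example.com.        3600 IN CAA 0 issuewild ";"
example.com.        3600 IN CAA 0 iodef "mailto:security@example.com"
api.example.com.    3600 IN CAA 0 issue "digicert.com"
"""

# name [ttl] IN CAA flags tag "value"
CAA_LINE = re.compile(
    r'^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+CAA\s+'
    r'(?P<flags>\d+)\s+(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"\s*$'
)
ISSUER_CRITICAL = 0x80                      # RFC 8659 flags bit 0 (value 128)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


class CAARecord(NamedTuple):
    flags: int
    tag: str      # stored lower-case; property tags are case-insensitive
    value: str


def parse_zone(text: str) -> Dict[str, List[CAARecord]]:
    """Parse CAA lines into a map of fully qualified name -> RRset."""
    zone: Dict[str, List[CAARecord]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CAA_LINE.match(line)
        if m is None:
            raise ValueError(f"not a CAA record: {line!r}")
        name = m["name"].lower().rstrip(".") + "."
        zone.setdefault(name, []).append(
            CAARecord(int(m["flags"]), m["tag"].lower(), m["value"].strip()))
    return zone


def relevant_caa_rrset(fqdn: str, zone: Dict[str, List[CAARecord]]
                       ) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 8659 section 3: walk from the FQDN towards the root and stop at the
    first name that has CAA records. Nothing above that name is consulted."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []


def allowed_issuers(rrset: List[CAARecord], tag: str) -> Set[str]:
    """Issuer domains granted by records carrying `tag`. Text after ';' is a
    parameter, not a domain, and a bare ';' grants nobody."""
    return {rr.value.split(";", 1)[0].strip().lower()
            for rr in rrset if rr.tag == tag} - {""}


def ca_may_issue(name: str, ca_domain: str,
                 zone: Dict[str, List[CAARecord]]) -> bool:
    """Return True if the CA known by `ca_domain` may issue for `name`.
    A leading '*.' is handled as a wildcard request evaluated against the
    parent name (a simplification of the RFC 8659 lookup, assumed here)."""
    wildcard = name.startswith("*.")
    fqdn = name[2:] if wildcard else name
    _, rrset = relevant_caa_rrset(fqdn, zone)
    if not rrset:
        return True   # no CAA anywhere up the tree: unrestricted (this finding)
    if any(rr.flags & ISSUER_CRITICAL and rr.tag not in KNOWN_TAGS
           for rr in rrset):
        return False  # critical property the CA does not understand
    # Wildcard requests use issuewild when present, otherwise fall back to
    # issue; issuewild is ignored entirely for non-wildcard names.
    for tag in (["issuewild", "issue"] if wildcard else ["issue"]):
        if any(rr.tag == tag for rr in rrset):
            return ca_domain.lower().rstrip(".") in allowed_issuers(rrset, tag)
    return True       # CAA present but no applicable property: not restricted


ZONE = parse_zone(ZONE_TEXT)

if __name__ == "__main__":
    for host, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "digicert.com"),
                     ("api.example.com", "letsencrypt.org"),
                     ("*.example.com", "letsencrypt.org"),
                     ("shop.example.org", "some-other-ca.example")]:
        verdict = "ALLOWED" if ca_may_issue(host, ca, ZONE) else "REFUSED"
        print(f"{ca:>24} -> {host:<18} {verdict}")
```

Running it shows the two behaviours the fix steps warn about: api.example.com's own record shadows the apex, so the apex CA is refused there, and issuewild ";" blocks a wildcard request even though issue allows the same CA. Once your real records are published, `dig +short CAA example.com` from an external resolver should return exactly the records you intended.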
Topic explainer
DMARC, SPF, and DKIM explained: the email authentication trio →
A practical guide to email authentication: what SPF, DKIM, and DMARC each do, why all three are needed, and how to roll out a DMARC policy that actually blocks spoofed mail.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (dns_caa_absent) clears once the externally-observable signal is in place.