Have you told the world which certificate authorities are allowed to issue certs for your domain?

Confirms a small public DNS record exists that restricts who can issue HTTPS certificates for your domain.


What this signal tests

We check whether your domain publishes a CAA record. A CAA record is a small public note attached to your domain name in DNS that says which certificate authorities are allowed to issue certificates for you. Every legitimate certificate authority is required to read this record before issuing a certificate, and to refuse if their name is not on the list.

Why it matters for your visibility in AI

Without a CAA record, any of the hundreds of trusted certificate authorities in the world could, in principle, issue a certificate for your domain to anyone who fooled their validation process. CAA narrows that door to only the authorities you actually use, which makes misissuance of a certificate for your domain much harder. AI agents that perform any kind of identity-sensitive transaction treat the presence of CAA as a marker of mature domain stewardship. Failing this signal is rarely catastrophic on its own, but it is a free, one-line improvement to your trust posture. The record is read by certificate authorities at issuance time and by trust scoring systems on demand, and it costs you nothing once it is in place.

Pass criteria at a glance

Criterion                Passes when
CAA record published     CAA RRset exists with >=1 issue tag.

How we test it

We send a DNS query for the CAA record type at your domain. If your domain has no CAA record directly, the rules require us to climb toward the parent domains and use the first CAA record set we find. We look for at least one issue tag naming a certificate authority. We do not need to talk to the CA itself; the record is a plain public DNS entry and the lookup completes in milliseconds.

Technical detection method: DNS CAA query at apex; tree-climbing per RFC 8659; confirm >=1 issue tag.
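The check described above, written out as an added offline example (not the scanner's own code): it parses records in the `0 issue "letsencrypt.org"` presentation form, applies the RFC 8659 tree-climbing rule, and reports pass/fail. The DNS answers come from a constructed in-memory table rather than a live resolver, and the example also covers a subdomain that inherits its parent's policy, which goes beyond the apex-only query the text describes.

```python
import re

def parse_caa(text):
    """Parse presentation form such as '0 issue "letsencrypt.org"' into (flags, tag, value)."""
    m = re.fullmatch(r'\s*(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*', text)
    if not m:
        raise ValueError(f"malformed CAA record: {text!r}")
    flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
    if not 0 <= flags <= 255:
        raise ValueError("CAA flags must fit in one octet")
    return flags, tag, value

# Constructed sample answers (hypothetical names, not real DNS data).
# An empty list models a name that exists but has no CAA RRset.
SAMPLE_ZONE = {
    "example.com.": [parse_caa('0 issue "letsencrypt.org"'),
                     parse_caa('0 iodef "mailto:security@example.com"')],
    "shop.example.com.": [],   # subdomain with no CAA of its own
    "nocaa.example.": [],      # domain that never published CAA
}

def relevant_caa_rrset(name, lookup):
    """RFC 8659 section 3: walk from the name toward the root; the first
    non-empty CAA RRset found is the one that governs issuance."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        rrset = lookup(candidate)
        if rrset:
            return candidate, rrset
    return None, []

def caa_signal_passes(name, lookup):
    """Pass criterion from the page: the governing RRset carries >=1 issue tag.
    Note that issue ";" (no CA may issue) is still an issue tag and counts."""
    found_at, rrset = relevant_caa_rrset(name, lookup)
    issuers = [value for _, tag, value in rrset if tag == "issue"]
    return {"found_at": found_at, "issue": issuers, "pass": bool(issuers)}

if __name__ == "__main__":
    for n in ("example.com", "shop.example.com", "nocaa.example"):
        print(n, caa_signal_passes(n, SAMPLE_ZONE.get))
```

To run it against real DNS, replace `SAMPLE_ZONE.get` with a function that queries CAA for the given name and returns the parsed RRset.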

If your site fails: how to fix it

  1. Open your DNS management console at your registrar or DNS host (Cloudflare, GoDaddy, Namecheap, Route 53, Google Domains, etc.). Look for a Records or DNS Zone Editor section.
  2. Find out which certificate authority issues your current HTTPS certificate. Common choices include Let's Encrypt (letsencrypt.org), DigiCert (digicert.com), Sectigo (sectigo.com), Amazon (amazon.com), and Google Trust Services (pki.goog).
  3. Add a new CAA record at your apex domain. The type is CAA, the value is `0 issue "letsencrypt.org"` (or your CA's name). If you use multiple CAs, add one CAA record per CA.
  4. Optionally add a second CAA record `0 iodef "mailto:security@yourdomain.com"` so any CA that detects an unauthorised issuance request can email you.
  5. Wait a few minutes for DNS to propagate, then re-run the AI Ready Test scan. If you use Cloudflare or another modern DNS provider, propagation is typically near-instant.

Quick facts

Maturity: Established
Weight: Low
Category: Trust & Provenance

Frequently asked questions

Will I need IT help to fix this?

Usually no. Adding a CAA record is a single entry in your DNS console, comparable to adding an MX or TXT record. If you have ever set up email or Google verification on your domain, this is the same shape of change.

What if I do not know which CA my certificate comes from?

Open your site in a browser, click the padlock, and view the certificate details. The Issued by field tells you the CA name. Alternatively, check ssllabs.com/ssltest for a full report. If you use a CDN or managed host, the CA may be hidden but is documented in their support pages.

Will adding CAA break my existing certificate?

No, CAA only affects future certificate issuance. Existing certificates remain valid until they expire. The only risk is listing a CA that does not match your real provider, in which case the next renewal could fail. Always confirm your current CA first.

How long until the change propagates?

Most modern DNS providers publish CAA records within seconds to a couple of minutes. If your DNS provider uses long TTLs or older infrastructure, allow up to an hour. You can verify with `dig caa yourdomain.com +short` or an online DNS lookup tool.

Run your own scan

Run a free scan and see how your site grades across all 155 AI-readiness signals.
