DNS CAA S/MIME Resource Check 2025 Required

11 Mar ‘25

Update: DNS CAA Resource Check required in 2025  

CAs such as DigiCert will start checking CAA resource records before issuing a Secure Email (S/MIME) certificate that contains a mailbox address. This is their official announcement: 

“Starting March 13, 2025, at 10:00 MDT (16:00 UTC), DigiCert will check, process, and abide by your email domains’ DNS Certification Authority Authorization (CAA) resource records before DigiCert issues your Secure Email (S/MIME) certificates.” 


CAA checking has been mandatory for SSL/TLS certificates since 2017; starting March 13, 2025, the same check also applies to S/MIME certificates. 

Check that your DNS CAA records are configured so that your CA is allowed to issue your S/MIME certificates. 

 

DNS records and certificates 

At its core, DNS (the Domain Name System) is the backbone of the internet: a hierarchical system that translates human-friendly domain names into numerical IP addresses, so users can reach websites and services through memorable names instead of strings of numbers. 

Name resolution is handled by a distributed network of name servers. When a user types a domain into their browser, DNS resolves that name to the right address and directs the connection to the intended site or service, which keeps the user experience seamless and connectivity uninterrupted. 

Accurate DNS records are essential for a secure, reliable and reachable online presence. They underpin website availability, dependable email delivery and adherence to regulatory requirements, and records such as CAA also help defend against security threats like unauthorized certificate issuance. 

What is a DNS CAA Resource Record Check? 

A DNS CAA (Certificate Authority Authorization) resource record check is the process by which a Certificate Authority (CA) confirms whether it is authorized to issue SSL/TLS or S/MIME certificates for a given domain. The CA queries the domain’s DNS for CAA records, which explicitly list the CAs permitted to issue certificates for that domain. 

  

By leveraging DNS CAA records, domain owners can enhance their security posture. This mechanism prevents unauthorized CAs from issuing certificates, ensuring that only approved entities have the ability to validate and secure the domain. Thus, CAA records serve as an essential gatekeeper, fortifying the integrity of digital certificates and fostering trust in online communications. In an era where security breaches are increasingly prevalent, implementing a thorough DNS CAA check is a proactive measure every domain owner should adopt. 

 


How to check your DNS and CAA Record settings? 

CAA records are configured in your domain’s DNS zone at your DNS provider (often your registrar or hosting provider), and reaching those settings may take several steps. A quicker way to see what is actually published is a third-party tool that queries DNS from multiple locations worldwide. One such tool is DNS Checker. You can look up your domain’s records here:  

 

https://dnschecker.org/all-dns-records-of-domain.php 


How does the DNS CAA resource record check work? 

Before a TLS/SSL certificate or Secure Email (S/MIME) certificate is issued, the Certificate Authority (CA), like DigiCert, performs a check of the domain’s or mailbox domain’s CAA records. This verification ensures that the CA is authorized to issue the requested certificate, reinforcing the trust and security of digital communications.  

How the Check Works 

  • CAA Record Presence: Before issuing a certificate, the CA checks whether any CAA records exist for the domain. If none are found, the CA may issue the certificate, since no authorization policy restricts it. 
  • Authorization Check: If CAA records are present, the CA checks whether it is listed as an authorized issuer in those records. If it is, it may proceed with issuance; if not, it must refuse. 
  • CNAME Handling: If the domain name is a CNAME pointing to another name, the CA follows up to eight levels of CNAME targets looking for a CAA record. The search stops at the first CAA record found, and that record’s policy is applied. 


A CA can issue the TLS or S/MIME certificate if one of the following conditions is true: 

  • They do not find a CAA record for your domain. 
  • They find a CAA record for your domain authorizing them to issue that certificate, for example for an S/MIME certificate: 
    yourdomain CAA 0 issuemail "digicert.com" 
  • They only find CAA records for your domain without the “issue”, “issuewild”, or “issuemail” property tags. 
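An added example (not part of the original post, and not DigiCert’s code) that models the check described above, run against a constructed in-memory zone rather than live DNS: it walks from the name toward the root so an apex record covers subdomains, follows up to eight CNAMEs, and then applies the three conditions listed. It also applies two rules from RFC 8659 and RFC 9495 that the post does not spell out: a wildcard request falls back to issue records when no issuewild record exists, and issue records alone do not restrict S/MIME issuance (nor issuemail records TLS issuance).

```python
from typing import List, Tuple

# Constructed sample zone (not real DNS data): name -> [(rtype, rdata)].
# CAA rdata is (flags, tag, value); CNAME rdata is the target name.
ZONE = {
    "example.com.": [("CAA", (0, "issue", "digicert.com")),
                     ("CAA", (0, "issuemail", "digicert.com"))],
    "shop.example.com.": [("CAA", (0, "issue", "letsencrypt.org"))],
    "www.example.com.": [("CNAME", "shop.example.com.")],
    "legacy.example.com.": [("CAA", (128, "futuretag", "x"))],
    "open.example.com.": [("CAA", (0, "iodef", "mailto:security@example.com"))],
}

def lookup(name: str, rtype: str) -> List:
    """Stand-in for a DNS query; returns the rdata of every matching record."""
    return [rd for rt, rd in ZONE.get(name, []) if rt == rtype]

def relevant_caa(name: str) -> List[Tuple[int, str, str]]:
    """Walk from the name toward the root (an apex record covers its subdomains);
    at each step follow up to eight CNAMEs. The first non-empty CAA set applies."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        for _ in range(9):                  # the name itself plus eight CNAME hops
            recs = lookup(candidate, "CAA")
            if recs:
                return recs
            target = lookup(candidate, "CNAME")
            if not target:
                break
            candidate = target[0]
    return []

def may_issue(name: str, ca: str, kind: str = "issue") -> bool:
    """kind is 'issue' (TLS), 'issuewild' (wildcard TLS) or 'issuemail' (S/MIME);
    ca is the issuer domain the CA recognises in CAA values, e.g. 'digicert.com'."""
    recs = relevant_caa(name)
    if not recs:
        return True                         # no CAA record: nothing restricts issuance
    known = {"issue", "issuewild", "issuemail", "issuevmc", "iodef"}
    if any(flags & 128 and tag not in known for flags, tag, _ in recs):
        return False                        # critical property the CA does not understand
    wanted = {kind}
    if kind == "issuewild" and not any(t == "issuewild" for _, t, _ in recs):
        wanted = {"issue"}                  # no issuewild records: issue records govern
    values = [v for _, t, v in recs if t in wanted]
    if not values:
        return True                         # records present, but none carry the relevant tag
    # A value may carry parameters after ';', and a bare ';' authorises nobody.
    return any(v.split(";")[0].strip() == ca for v in values)
```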

 

A CAA resource record is NOT required 

A CAA record is NOT REQUIRED for DigiCert to issue a TLS/SSL or a Secure Email (S/MIME) certificate. The information provided below only applies if you are in one of these situations: 

  • Have CAA records set up for your TLS domains and mailbox domains 
  • Plan to add CAA resource records for your TLS domains and mailbox domains 

Format of a CAA Record 

The format of a CAA record is structured to include several key components that specify which Certificate Authorities (CAs) are authorized to issue certificates for a domain. Here’s the typical format: 

name CAA <flags> <tag> <value> 

 

Example of a CAA Record 

Here’s an example of a CAA record that authorizes Let’s Encrypt (whose CAA issuer domain is letsencrypt.org) to issue standard certificates for a domain: 

domain.com CAA 0 issue "letsencrypt.org" 

 

Here’s a breakdown of the fields and tags: 

Fields in a CAA Record 

  • Name 
      • Description: The domain name the record applies to. 

  • Flag 
      • Description: This field indicates whether the property is critical or non-critical. Currently, only two values are supported: 0 (non-critical) and 128 (critical). 
      • Usage: The critical flag (128) is used with custom tags to ensure that a CA must understand the property before proceeding. For standard tags like issue, issuewild, and iodef, a flag of 0 is sufficient. 

  • Tag 
      • Description: This specifies the type of property being defined. Common tags include: 
          • issue: Authorizes a CA to issue standard (non-wildcard) SSL/TLS certificates. 
            example.com CAA 0 issue "digicert.com" 
          • issuewild: Authorizes a CA to issue wildcard SSL/TLS certificates. 
            example.com CAA 0 issuewild "digicert.com" 
          • iodef: Specifies an email address or URL for reporting failed certificate issuance attempts. 
            example.com CAA 0 iodef "mailto:example@example.com" 
          • issuevmc: This property is specific to VMC (Verified Mark Certificate) issuance. 
            example.com CAA 0 issuevmc "digicert.com" 
          • issuemail: This property is specific to S/MIME certificates. 
            mail.example.com CAA 0 issuemail "digicert.com" 
      • Usage: These tags determine the type of certificate issuance allowed for the specified CA. 

  • Value 
      • Description: This field contains the value associated with the tag. For issue and issuewild, it specifies the domain name of the authorized CA (e.g., "letsencrypt.org"). For iodef, it provides an email address or URL for notifications. 
      • Usage: The value is crucial for identifying which CA is authorized or where notifications should be sent. 
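An added example (not from the original post) that converts a CAA record between the presentation form shown above and the RFC 8659 wire format (one octet of flags, one octet of tag length, the tag, then the value), and back, while tolerating the curly quotes that web pages tend to introduce. The record lines and byte strings are constructed samples.

```python
import re
from typing import Tuple

# Presentation form as used in this post: <name> CAA <flags> <tag> "<value>"
PRESENTATION = re.compile(r'^(\S+)\s+CAA\s+(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"$')

def parse_presentation(line: str) -> Tuple[str, int, str, str]:
    """Split a zone-file style CAA line into (name, flags, tag, value).
    Curly quotes copied from a web page are normalised to straight quotes first."""
    normalised = line.strip().replace("\u201c", '"').replace("\u201d", '"')
    m = PRESENTATION.match(normalised)
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    name, flags, tag, value = m.groups()
    return name, int(flags), tag.lower(), value

def to_wire(flags: int, tag: str, value: str) -> bytes:
    """RDATA layout: 1 octet flags, 1 octet tag length, tag octets, value octets."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one octet")
    tag_b = tag.encode("ascii")
    if not 1 <= len(tag_b) <= 255 or not tag_b.isalnum():
        raise ValueError("tag must be 1..255 alphanumeric ASCII characters")
    return bytes([flags, len(tag_b)]) + tag_b + value.encode("utf-8")

def from_wire(rdata: bytes) -> Tuple[int, str, str]:
    """Inverse of to_wire; rejects RDATA shorter than its own tag length claims."""
    if len(rdata) < 2 or len(rdata) < 2 + rdata[1]:
        raise ValueError("truncated CAA RDATA")
    tag_len = rdata[1]
    return rdata[0], rdata[2:2 + tag_len].decode("ascii"), rdata[2 + tag_len:].decode("utf-8")

def is_critical(flags: int) -> bool:
    """The issuer-critical flag is the most significant bit (value 128)."""
    return bool(flags & 128)
```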

 

How can I set up a CAA record for my domain? 

Establishing a CAA (Certificate Authority Authorization) record for your domain is a crucial step in safeguarding your digital identity. This process entails selecting the specific Certificate Authorities (CAs) that are permitted to issue certificates for your domain. 

Here’s a simple guide to assist you in setting up your CAA record: 

 

Steps to Set Up a CAA Record 

1. Access Your DNS Settings: 

  • Log in to your domain registrar or DNS provider’s control panel. This could be services like Hostinger, Namecheap, or Cloudflare. 

2. Navigate to DNS Management: 

  • Locate the DNS management section. You might find this labeled as “DNS Settings,” “DNS Manager,” or “Manage DNS.” 

3. Add a New DNS Record: 

  • Click on “Add New Record” or “Create DNS Record.” From the available options, select “CAA” as the record type. 

4. Enter CAA Record Details: 

  • Name: Enter @ for the root domain or specify a subdomain if necessary. The @ symbol represents the root domain and will apply to all subdomains unless a specific subdomain CAA record overrides it. 
  • Flag: Typically set to 0, indicating that the record is not critical. While a flag of 128 could mark it as critical, this setting is rarely utilized. 
  • Tag: Choose issue for standard certificates, issuewild for wildcard certificates, issuevmc for VMC certificates, issuemail for S/MIME certificates, or iodef to receive reports of failed certificate issuance attempts. 
  • Value: Enter the domain name of the authorized CA (e.g., “digicert.com” or “globalsign.com”). 
  • TTL (Time To Live): Define the TTL to determine how long the record is cached by DNS resolvers. Common settings are around 3600 seconds (1 hour). 

5. Save the Record: 

  • Once all details have been filled in, ensure you save the CAA record. Keep in mind that it may take some time for the changes to propagate across the internet. 

 

Example CAA Record 

For a domain using Let’s Encrypt (CAA issuer domain letsencrypt.org), the CAA record might look like this: 

  • Name: @ 
  • Flag: 0 
  • Tag: issue 
  • Value: letsencrypt.org 
  • TTL: 3600 

If you need to authorize multiple CAs, create separate CAA records for each one. 

 

Important Notes 

  • Check DNS Provider Support: Ensure that your DNS provider supports CAA records, as not all providers offer this functionality. It’s crucial to verify compatibility to implement CAA effectively. 
  • Scope of CAA Records: Remember that CAA records apply to the root domain and its subdomains by default, unless a specific subdomain record is configured to override this setting. This means that a single CAA record can cover multiple subdomains, enhancing your security framework across your entire domain. 

 

By taking these factors into account, you can more effectively manage your domain’s security posture and ensure that your CAA records are set up correctly, providing the necessary protection against unauthorized certificate issuance. 

 

Why is the DNS CAA Resource Record Check Needed? 

The DNS CAA (Certificate Authority Authorization) resource record check is more than merely a technical mechanism; it serves as a crucial safeguard in the realm of digital security for several compelling reasons: 

Security Enhancement: The primary reason for implementing CAA records is to enhance security. By designating which Certificate Authorities (CAs) are permitted to issue certificates for a domain, CAA records effectively prevent unauthorized or malicious CAs from acquiring certificates. This measure is essential in mitigating risks associated with identity theft and phishing attacks, where attackers could take advantage of unregulated certificate issuance. 

Control Over Certificate Issuance: CAA records provide domain owners with better control over their security policies. By enabling them to specify precisely which CAs can issue certificates, these records ensure that only trusted entities can oversee the domain’s digital identity. This increased oversight significantly reduces the risk of both accidental and fraudulent certificate issuance. 

Compliance with Industry Standards: Since September 2017, it has been a mandatory requirement for CAs to perform a CAA record check prior to issuing certificates. This compliance enhances the security framework within which CAs function and demonstrates the industry’s commitment to maintaining best practices in certificate management. 

In summary, the DNS CAA resource record check is a crucial component in strengthening the security and integrity of online domains. By offering an extra layer of control and compliance, it allows domain owners to effectively manage their digital identities and mitigate risks associated with unauthorized certificate issuance.  

 

Risks of not having a CAA record 

Neglecting to implement a DNS CAA (Certificate Authority Authorization) record leaves your domain exposed to a number of security and compliance risks that undermine the protection of your digital assets: 

 

Unauthorized Certificate Issuance: Without a CAA record, any trusted Certificate Authority (CA) is permitted to issue a certificate for your domain. This unrestricted capability elevates the risk of unauthorized or malicious certificates being granted, which can be exploited for phishing attacks or man-in-the-middle scenarios, significantly jeopardizing the integrity of your communications. 

Security Vulnerabilities: The lack of a CAA record renders your domain susceptible to security weaknesses within a CA’s validation or issuance processes. If a CA encounters vulnerabilities, your domain may experience heightened exposure to potential mis-issuance risks, placing it at a greater disadvantage in the security landscape. 

Lack of Control Over Certificate Issuance: Not having a CAA record means surrendering control over which CAs are authorized to issue certificates for your domain. This limitation curtails your ability to enforce specific security policies or preferences, exposing your domain to less reputable CAs that may not meet your security standards. 

Compliance Risks: In environments where regulatory compliance is crucial, the absence of a CAA record can be perceived as a significant lapse in security practices. This oversight may affect your adherence to standards that emphasize domain security measures, potentially resulting in compliance penalties or damaging your reputation. 

DNS Compromise Risks: If your DNS is compromised, an attacker could potentially remove existing security measures, including CAA records. This situation may enable unauthorized CAs to issue certificates for your domain, significantly increasing the risk of malicious activity. 

In summary, although the absence of a CAA record may not lead to immediate security breaches, it clearly heightens the risk of unauthorized certificate issuance and diminishes your control over domain security protocols. Domain owners should proactively implement CAA records as a vital component of a comprehensive security strategy. 

 

Summary 

The DNS CAA (Certificate Authority Authorization) resource record check is not just a technical mechanism; it is a vital safeguard in the digital security landscape for several compelling reasons, including preventing unauthorized certificate issuance, addressing security vulnerabilities, maintaining control over certificate issuances, mitigating compliance risks, and managing DNS compromise risks. Certificate Authorities (CAs) like DigiCert will check for the DNS CAA record to determine if it is configured correctly and whether they are authorized to issue S/MIME certificates. Users are encouraged to verify that their DNS CAA records are set up properly. 

Contact us

If you are interested in what we can do for your organisation with PKI / CLM management after reading our blog, please fill in the contact form below and we will contact you right away.