CAA Record Analyzer
Review which certificate authorities may issue for your domain, including inherited parent-domain policy.
Best for security teams, domain owners, and compliance reviews validating certificate issuance policy before renewals, CA changes, or wildcard certificate requests.
What This Tool Checks
- Effective CAA policy resolution
- Parent-domain inheritance walk
- issue, issuewild, and iodef review
Why It Matters
Without CAA records, any publicly trusted certificate authority can issue certificates for your domain. A mis-issued certificate enables convincing phishing and traffic interception, and CAA is the control browsers and CAs actually enforce.
Best For
Best for security teams, domain owners, and compliance reviews validating certificate issuance policy before renewals, CA changes, or wildcard certificate requests.
What To Do Next
Use the effective-policy result to authorize only the CAs you use, add an iodef reporting contact, and re-test after publishing the records.
Related Resources
What does the CAA Record Analyzer look for?
CAA Record Analyzer focuses on effective caa policy resolution, parent-domain inheritance walk, issue, issuewild, and iodef review. It is designed to help teams identify this category of weakness quickly and then move into broader workflows if deeper follow-up is needed.
What is the difference between Quick and Comprehensive mode?
Quick mode stays public for focused diagnostics. Comprehensive mode is intended for authenticated workflows where users need saved history, richer follow-up, and broader account-linked execution.
When should I use the full Vulnify platform instead?
Use the full platform when you need more than one focused diagnostic, want to keep reports and history, or need scheduled scans, exports, and broader vulnerability coverage beyond caa record analyzer.