• Link to LinkedIn Link to LinkedIn Link to LinkedIn
  • Link to Facebook Link to Facebook Link to Facebook
  • Link to Bluesky Link to BlueskyLink to Bluesky
  • Link to Mastodon Link to MastodonLink to Mastodon
  • Link to Mail Link to Mail Link to Mail
  • Link to Rss Link to Rss Link to Rss
  • CAA Records Become Mandatory in 2027 – Is Your DNS Ready?
Contact us: 01276 818576
Dogsbody Technology
  • Emergency support
  • Infrastructure Services
    • Infrastructure Design
    • Infrastructure Build
    • Server management and monitoring
    • In-life Support
    • Pen Testing & Audit
    • Hosting Services
      • Plesk Hosting
      • VPS & Dedicated Servers
      • Tor Hosting
  • Happy Customers
  • About Us
  • Careers
    • Write your own job
  • News & Views
  • Contact Us
  • Menu Menu

CAA Records Become Mandatory in 2027 – Is Your DNS Ready?

14 Jul 2026/0 Comments/in Security/by Claire Christmas

In May 2026, the CA/Browser Forum voted to make Certificate Authority Authorization (CAA) checking mandatory for publicly trusted Certificate Authorities from 2027.

For many organisations this won’t require any action. However, for businesses using automated certificate management – particularly with Let’s Encrypt – it’s worth understanding what this change means before it catches anyone out.

A Quick Refresher: What is a CAA Record?

A CAA (Certificate Authority Authorization) DNS record tells Certificate Authorities (CAs) which organisations are permitted to issue TLS certificates for your domain.

For example:

example.com.    IN CAA 0 issue "letsencrypt.org"

This tells Certificate Authorities that only Let’s Encrypt is authorised to issue certificates for example.com.

If no CAA record exists, the current behaviour is effectively:

“Any publicly trusted CA may issue a certificate.”

That’s why many organisations have never needed to think about CAA records.

What’s Changing?

The CA/Browser Forum has voted to strengthen the use of CAA from 2027.

CAA checking already exists today, but the new requirements mean Certificate Authorities will be expected to rely on CAA records much more consistently as part of certificate issuance.

While this is a positive security improvement, it does introduce a few practical considerations.

Potential Issue #1: Not Every DNS Provider Supports CAA

Most modern DNS providers support CAA records, but not all do.

If your DNS platform cannot publish CAA records, you may find yourself limited as Certificate Authorities tighten their issuance processes over the coming years.

For organisations using older hosting providers or bundled DNS services, it’s worth checking support now rather than during an emergency certificate renewal.

Potential Issue #2: CAA Records Can Accidentally Break Other Certificates

This is the one that catches people out.

Suppose you add:

CAA 0 issue "letsencrypt.org"

to support your Let’s Encrypt certificates.

That doesn’t simply “enable” Let’s Encrypt.

It also says only Let’s Encrypt is allowed to issue certificates for your domain.

If another team later requests a certificate from DigiCert, Sectigo, GlobalSign, or another public CA, issuance will fail.

This often happens in organisations where:

  • Internal systems use Let’s Encrypt.
  • Microsoft 365 or other SaaS platforms obtain certificates through another CA.
  • External suppliers manage certificates independently.
  • Different departments purchase certificates from different providers.

Without coordination, a well-intentioned CAA record can become an unexpected roadblock.

Similar to SPF

CAA records have a lot in common with SPF records for email.

No SPF record generally means:

“No restrictions.”

Adding an SPF record suddenly defines who is allowed to send mail.

CAA works in much the same way.

No CAA record means:

“Any trusted Certificate Authority may issue a certificate.”

Once you add one, you’re explicitly defining who can.

What Should You Do?

There’s no need to panic, but this is a good opportunity to review your certificate management.

Ask yourself:

  • Which Certificate Authorities do we currently use?
  • Do all of our domains use the same CA?
  • Does our DNS provider support CAA records?
  • Are certificates requested by different teams or third-party suppliers?

Understanding the answers now will make any future transition considerably smoother.

Our Advice

For many small and medium-sized businesses, certificate management has become almost invisible thanks to automation.

That’s a good thing – until a small DNS change unexpectedly prevents a certificate from renewing.

Before adding CAA records, make sure you have a complete picture of every service that requests certificates for your domains. A single restrictive CAA record can have wider consequences than many people realise.

If you’re unsure how your domains are currently managed, now is a good time for a review. It’s much easier to make these changes on your own schedule than during an expired certificate incident.

For anyone wanting a refresher on CAA records, Let’s Encrypt has an excellent overview.

Need Help

Not sure how to navigate this change? Contact us

 

Tags: CAA record, Certificate Authorities, Certificate Authority Authorization, dns
Share this entry
  • Facebook Facebook Share on Facebook
  • Whatsapp Whatsapp Share on WhatsApp
  • Linkedin Linkedin Share on LinkedIn
  • Reddit Reddit Share on Reddit
  • Mail Mail Share by Mail
https://www.dogsbody.com/wp-content/uploads/PHP-8.2-December-2026_3-months.jpg 427 640 Claire Christmas https://www.dogsbody.com/wp-content/uploads/Dogsbody-site-logo-1.png Claire Christmas2026-07-14 17:03:122026-07-14 17:03:12CAA Records Become Mandatory in 2027 – Is Your DNS Ready?
You might also like
What’s a hosts file?
0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

We are Dogsbody. We take the pain away from building, securing and maintaining IT infrastructure.

Find out how we can help your business

Everything we do is about security. Our team is our strength.

Get in touch

Latest thoughts and news

  • CAA Records Become Mandatory in 2027 – Is Your DNS Ready?
  • Our Trusted Suppliers after 15+ Years
  • Avoid Surprise AWS RDS Charges in 2026
  • A Season of Giving: Dogsbody Technology Charity Support 2025
  • Wrapping Up 2025: Our Christmas Hours
Search Search

Useful links

  • About Us
  • Dogsbody News & Views
  • Contact Us

Linux & cloud services

  • Infrastructure Design
  • Infrastructure Build
  • In life Support
  • Infrastructure Audit
  • Penetration Testing
  • Hosting Services

In life support

  • Overview
  • Helpdesk support
  • Server management and monitoring

Careers

  • Working at Dogsbody
  • Write your own job description
© Copyright 2010-2026 Dogsbody Technology Ltd - Registered in England and Wales 07236558
  • Link to LinkedIn Link to LinkedIn Link to LinkedIn
  • Link to Facebook Link to Facebook Link to Facebook
  • Link to Bluesky Link to BlueskyLink to Bluesky
  • Link to Mastodon Link to MastodonLink to Mastodon
  • Link to Mail Link to Mail Link to Mail
  • Link to Rss Link to Rss Link to Rss
  • Contact us
  • Terms of use
  • Privacy policy
Link to: Our Trusted Suppliers after 15+ Years Link to: Our Trusted Suppliers after 15+ Years Our Trusted Suppliers after 15+ Years
Scroll to top Scroll to top Scroll to top