CAA Records Become Mandatory in 2027 – Is Your DNS Ready?
In May 2026, the CA/Browser Forum voted to make Certificate Authority Authorization (CAA) checking mandatory for publicly trusted Certificate Authorities from 2027.
For many organisations this won’t require any action. However, for businesses using automated certificate management – particularly with Let’s Encrypt – it’s worth understanding what this change means before it catches anyone out.
A Quick Refresher: What is a CAA Record?
A CAA (Certificate Authority Authorization) DNS record tells Certificate Authorities (CAs) which organisations are permitted to issue TLS certificates for your domain.
For example:
example.com. IN CAA 0 issue "letsencrypt.org"
This tells Certificate Authorities that only Let’s Encrypt is authorised to issue certificates for example.com.
If no CAA record exists, the current behaviour is effectively:
“Any publicly trusted CA may issue a certificate.”
That’s why many organisations have never needed to think about CAA records.
What’s Changing?
The CA/Browser Forum has voted to strengthen the use of CAA from 2027.
CAA checking already exists today, but the new requirements mean Certificate Authorities will be expected to rely on CAA records much more consistently as part of certificate issuance.
While this is a positive security improvement, it does introduce a few practical considerations.
Potential Issue #1: Not Every DNS Provider Supports CAA
Most modern DNS providers support CAA records, but not all do.
If your DNS platform cannot publish CAA records, you may find yourself limited as Certificate Authorities tighten their issuance processes over the coming years.
For organisations using older hosting providers or bundled DNS services, it’s worth checking support now rather than during an emergency certificate renewal.
Potential Issue #2: CAA Records Can Accidentally Break Other Certificates
This is the one that catches people out.
Suppose you add:
CAA 0 issue "letsencrypt.org"
to support your Let’s Encrypt certificates.
That doesn’t simply “enable” Let’s Encrypt.
It also says only Let’s Encrypt is allowed to issue certificates for your domain.
If another team later requests a certificate from DigiCert, Sectigo, GlobalSign, or another public CA, issuance will fail.
This often happens in organisations where:
- Internal systems use Let’s Encrypt.
- Microsoft 365 or other SaaS platforms obtain certificates through another CA.
- External suppliers manage certificates independently.
- Different departments purchase certificates from different providers.
Without coordination, a well-intentioned CAA record can become an unexpected roadblock.
Similar to SPF
CAA records have a lot in common with SPF records for email.
No SPF record generally means:
“No restrictions.”
Adding an SPF record suddenly defines who is allowed to send mail.
CAA works in much the same way.
No CAA record means:
“Any trusted Certificate Authority may issue a certificate.”
Once you add one, you’re explicitly defining who can.
What Should You Do?
There’s no need to panic, but this is a good opportunity to review your certificate management.
Ask yourself:
- Which Certificate Authorities do we currently use?
- Do all of our domains use the same CA?
- Does our DNS provider support CAA records?
- Are certificates requested by different teams or third-party suppliers?
Understanding the answers now will make any future transition considerably smoother.
Our Advice
For many small and medium-sized businesses, certificate management has become almost invisible thanks to automation.
That’s a good thing – until a small DNS change unexpectedly prevents a certificate from renewing.
Before adding CAA records, make sure you have a complete picture of every service that requests certificates for your domains. A single restrictive CAA record can have wider consequences than many people realise.
If you’re unsure how your domains are currently managed, now is a good time for a review. It’s much easier to make these changes on your own schedule than during an expired certificate incident.
For anyone wanting a refresher on CAA records, Let’s Encrypt has an excellent overview.
Need Help
Not sure how to navigate this change? Contact us


