What are CAA Records?
CAA (Certificate Authority Authorization) records specify which certificate authorities (CAs) are allowed to issue SSL certificates for your domain. They act as a whitelist—only the CAs you authorize can create valid certificates for your Shopify store.
Think of CAA records as telling the certificate world: “Only these specific companies can vouch for my identity.”
Why CAA Records Matter for Shopify Merchants
Without CAA records, any certificate authority could issue a certificate for your domain. This creates risk:
Unauthorized Certificate Issuance
An attacker who compromises a CA, or finds one with weak validation, could get a certificate for your domain and use it for phishing.
Man-in-the-Middle Attacks
With a valid certificate, attackers can intercept traffic between customers and what they think is your store.
Brand Impersonation
Fake sites with real-looking certificates are more convincing to customers.
CAA records reduce this risk by limiting which CAs can issue certificates for you.
How CAA Records Work
When a certificate authority receives a request to issue a certificate for your domain:
- The CA looks up CAA records for your domain
- If CAA records exist, the CA checks if it’s on the authorized list
- If authorized, the CA can proceed with certificate issuance
- If not authorized (that is, the CA is not on the list), the CA must refuse to issue
This check is mandatory for all publicly trusted certificate authorities since 2017.
Understanding CAA Record Values
CAA records have three parts:
Flag
Usually 0. Flag bit 128 ("issuer critical") is reserved for extensions: a CA that does not understand a tag marked critical must refuse to issue.
Tag
The type of permission:
- issue - Allow this CA to issue certificates
- issuewild - Allow this CA to issue wildcard certificates
- iodef - Email address (or URL) for violation reports
Value
The CA’s domain or contact information.
Examples
yourstore.com. CAA 0 issue "letsencrypt.org"
yourstore.com. CAA 0 issue "digicert.com"
yourstore.com. CAA 0 issuewild "digicert.com"
yourstore.com. CAA 0 iodef "mailto:security@yourstore.com"
Common CAA Configurations
Shopify Stores (typical setup)
If Shopify provides your SSL (most stores):
CAA 0 issue "letsencrypt.org"
More Permissive (multiple providers)
CAA 0 issue "letsencrypt.org"
CAA 0 issue "digicert.com"
CAA 0 issue "sectigo.com"
Restrictive (single provider with wildcards)
CAA 0 issue "digicert.com"
CAA 0 issuewild "digicert.com"
Deny All Issuance
CAA 0 issue ";"
This prevents any CA from issuing certificates—useful for domains that should never have certificates.
Setting Up CAA Records
Step 1: Identify Your Certificate Provider
Check who issues your SSL certificate. For Shopify, this is typically Let’s Encrypt.
Step 2: Access DNS Settings
Log into your domain registrar or DNS provider.
Step 3: Add CAA Records
Create CAA record(s) authorizing your certificate provider.
Step 4: Test Configuration
Use CAA lookup tools (like SSLMate’s CAA Record Helper) to verify.
Step 5: Monitor for Issues
Watch for certificate issuance problems after adding CAA records.
CAA for Shopify-Specific Scenarios
Standard Shopify Store
Shopify uses Let’s Encrypt for automatic SSL:
CAA 0 issue "letsencrypt.org"
Using Cloudflare with Shopify
If Cloudflare provides your SSL:
CAA 0 issue "digicert.com"
CAA 0 issue "letsencrypt.org"
CAA 0 issue "pki.goog"
Enterprise SSL Certificates
If you purchase premium SSL certificates:
CAA 0 issue "your-ca-here.com"
Common CAA Problems
Too Restrictive
If you don’t include the right CAs, legitimate certificate issuance fails. Your SSL won’t renew and customers see security warnings.
Forgotten During Provider Changes
Switching DNS providers or SSL providers? Update CAA records or new certificates won’t issue.
Missing Wildcard Authorization
The issue tag doesn’t cover wildcards. If you need *.yourstore.com, you also need issuewild records.
Conflict with Subdomains
CAA records are inherited by subdomains. Make sure your configuration works for all subdomains that need certificates.
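The following script is an added example, not code from the original article or from Recon or Shopify. It walks through the lookup a CA performs in "How CAA Records Work" and parses records in the format shown under "Understanding CAA Record Values", then exercises the problems listed above (a CA left off the list, a wildcard name, a subdomain inheriting or overriding the apex set, a deny-all record). The evaluation rules follow RFC 8659: the CA uses the CAA set of the name itself or the closest parent that has one, issuewild takes precedence for wildcard names when present, and an unknown tag with the critical flag forces refusal. The zone data is constructed for illustration (yourstore.com is the article's placeholder); a real CA obtains the records via DNS.

```python
"""Evaluate CAA authorization the way a certificate authority must (RFC 8659).

Added example for this article, not code from the original page. The zone
below is constructed for illustration; a real CA resolves CAA via DNS.
"""
from __future__ import annotations
from dataclasses import dataclass

ISSUER_CRITICAL = 128            # flag bit 7: unknown critical tag => refuse
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int   # 0, or 128 when the issuer-critical bit is set
    tag: str     # issue | issuewild | iodef
    value: str   # CA domain, ";" (deny all), or mailto:/https: URL for iodef


def parse_caa(line: str) -> tuple[str, CAA]:
    """Parse one zone-file style line: owner. CAA <flags> <tag> "<value>"."""
    owner, rtype, flags, tag, value = line.split(None, 4)
    if rtype.upper() != "CAA":
        raise ValueError(f"not a CAA record: {line!r}")
    return owner.rstrip(".").lower(), CAA(int(flags), tag.lower(), value.strip().strip('"'))


def build_zone(lines):
    """Group parsed records by owner name."""
    zone = {}
    for line in lines:
        owner, rec = parse_caa(line)
        zone.setdefault(owner, []).append(rec)
    return zone


def relevant_records(zone, name):
    """RFC 8659 s3: the CAA set of the name itself or, failing that, of the
    closest parent that has one. Subdomains therefore inherit the apex set
    unless they publish their own. A leading '*' label is dropped first."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    while labels:
        owner = ".".join(labels)
        if owner in zone:
            return zone[owner]
        labels = labels[1:]
    return []


def ca_domain(value):
    """An issuer value is 'ca-domain', optionally followed by ';' parameters."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone, name, ca):
    """Return (allowed, reason) for CA `ca` issuing a certificate for `name`."""
    records = relevant_records(zone, name)
    if not records:
        return True, "no CAA records anywhere in the tree: issuance unrestricted"
    for r in records:
        if r.flags & ISSUER_CRITICAL and r.tag not in KNOWN_TAGS:
            return False, f"unknown critical property {r.tag!r}: must refuse"
    wildcard = name.startswith("*.")
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"          # issuewild takes precedence for wildcard names
    allowed = {ca_domain(r.value) for r in records if r.tag == tag}
    if not allowed:                # e.g. an iodef-only set does not restrict issuance
        return True, f"no {tag} property in the relevant set: issuance unrestricted"
    if ca.lower() in allowed:
        return True, f"{ca} is listed under {tag}"
    if allowed == {""}:
        return False, f'{tag} ";" denies every CA'
    return False, f"{ca} not in {tag} list {sorted(allowed)}"


def iodef_contacts(zone, name):
    """Where a CA should report a refused request for `name`."""
    return [r.value for r in relevant_records(zone, name) if r.tag == "iodef"]


# Constructed zone (not real DNS data). The apex authorizes Let's Encrypt for
# ordinary names but only DigiCert for wildcards; one subdomain denies every
# CA and another carries a critical tag no CA understands.
ZONE = build_zone([
    'yourstore.com. CAA 0 issue "letsencrypt.org"',
    'yourstore.com. CAA 0 issuewild "digicert.com"',
    'yourstore.com. CAA 0 iodef "mailto:security@yourstore.com"',
    'locked.yourstore.com. CAA 0 issue ";"',
    'legacy.yourstore.com. CAA 128 futuretag "unknown"',
])

if __name__ == "__main__":
    for name, ca in [("yourstore.com", "letsencrypt.org"),
                     ("www.yourstore.com", "letsencrypt.org"),
                     ("www.yourstore.com", "sectigo.com"),
                     ("*.yourstore.com", "letsencrypt.org"),
                     ("*.yourstore.com", "digicert.com"),
                     ("locked.yourstore.com", "digicert.com"),
                     ("legacy.yourstore.com", "letsencrypt.org"),
                     ("example.net", "letsencrypt.org")]:
        ok, why = may_issue(ZONE, name, ca)
        print(f"{'ISSUE ' if ok else 'REFUSE'} {ca:16} {name:24} {why}")
    print("report refusals to:", iodef_contacts(ZONE, "www.yourstore.com"))
```

Running it shows the "too restrictive" failure (sectigo.com is refused for www.yourstore.com because only letsencrypt.org is listed), the wildcard case (Let's Encrypt is refused for *.yourstore.com because the issuewild record names DigiCert), and subdomain behaviour (www inherits the apex set, while locked.yourstore.com's own deny-all record overrides it). Before publishing a CAA change, run the CA you actually use against every hostname that needs a certificate in this way; a renewal that this check would refuse is one that will fail in production.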
Best Practices
Start with What You Use
Only authorize CAs you actually use. Check your current certificate to see who issued it.
Include Backup CAs
Consider authorizing one or two backup CAs in case you need to switch providers.
Add Reporting
Use iodef to receive notifications if a CA rejects a certificate request for your domain.
Document Your Configuration
Record why you chose specific CAs so future changes don’t accidentally break things.
How Recon Helps
Recon monitors your domain security by:
- Checking CAA record configuration
- Verifying authorized CAs match your actual certificate provider
- Alerting you to CAA configuration issues
- Monitoring for unexpected certificate issuance
FAQ
Q: Do I need CAA records for my Shopify store?
A: While not strictly required, CAA records add a layer of security at no cost. They’re recommended, especially for established brands.
Q: Can CAA records break my SSL certificate?
A: Yes, if misconfigured. Only add CAA records after verifying which CA issues your certificate. An incorrect CAA record can prevent certificate renewal.
Q: What happens if I don’t have any CAA records?
A: Without CAA records, any CA can issue certificates for your domain. This is the default behavior and works fine, but you miss out on the additional security control.
Want us to monitor this for you?
Run a free brand security audit with Recon and see your vulnerabilities in minutes.