Use CAA Records to Prevent Issuing Unapproved S/MIME Certificates
Simone Carletti
on
In January 2024, the CA/Browser Forum voted to adopt the CAA record (Certification Authority Authorization) for S/MIME (Secure/Multipurpose Internet Mail Extension) certificates, in addition to server certificates – more commonly known as SSL/TLS certificates.
The vote passed. The new recommendation is to adopt the new CAA features by September 15, 2024. Supporting these features will become mandatory as of March 15, 2025.
Today, we are releasing issuemail support to anyone using CAA records at DNSimple. You can start planning updates to your organizations' CAA configurations ahead of time, and test the changes before they become mandatory.
What is S/MIME and why does issuemail in CAA records matter?
S/MIME certificates are usually referred to as email signing certificates or personal authentication certificates. S/MIME certificates are an end-to-end encryption solution for MIME data, a.k.a. email messages. S/MIME provides sender authentication and identity, message integrity, data privacy, and data security.
With the introduction of the S/MIME Baseline Requirements to CAA records, there is now a place to provide standard requirements for S/MIME certificate issuance.
CAA was initially formalized in 2013 with the RFC 6844. However, the adoption only became popular after March 2017, after the CA/Browser Forum voted to make CAA checking mandatory. DNSimple was ahead of the curve, and introduced support for the CAA record in January that year.
The new CAA features for S/MIME are formalized with the RFC 9495 that introduces a new property called issuemail. Let's see how it works.
Creating a CAA record with issuemail
Creating or updating CAA records for S/MIME isn't much different from what you've experienced so far with TLS/SSL certificates.
To create a new CAA record, go to the record editor for the zone. Click Add Record > CAA to go to the new record form.
Once in the record form, select the Tag issuemail, and enter the appropriate Value. Like for SSL/TLS certificate authorities, Value is expected to be the domain name of the CA authority.
Click Add Record to create the record.
You can use the CAA record Simple Editor to edit the CAA record manually for full control.
We also support the "empty" value, which is represented by a single ; character. This is useful if, for example, you want to entirely prohibit the issuance of S/MIME certificates for your domain.
S/MIME is good for business, and CAA is good for S/MIME
Your business can and should implement S/MIME to protect your email reputation, help combat phishing attempts by confirming sender identity, and reduce the likelihood of man-in-the-middle attacks injecting viruses and malware into your emails. With the addition of issuemail to CAA records, you can now also ensure only the certificate authorities you use can issue certificates, or ensure no S/MIME certificates may be issued at all for certain domains.
Have more questions or want to learn more? Take a look at our support article for managing CAA records, or drop us a line — We're always happy to help.
Not using DNSimple yet? Give us a try free for 30 days, and experience best-in-class domain management.
Simone Carletti
Italian software developer, a PADI scuba instructor and a former professional sommelier. I make awesome code and troll Anthony for fun and profit.
We think domain management should be easy.
That's why we continue building DNSimple.
