Adding Support for New CAA Record Tags

At DNSimple, security and standards compliance are two of our top priorities, and we're excited to announce we now support two new tags for DNS CAA (Certification Authority Authorization) records: contactemail and contactphone. We're making these changes as a result of your feedback — especially from Enterprise customers who want tighter control and better visibility over the certificate issuance process.

This update ensures customers across all DNSimple plans can:

• Adhere to the latest security standards.
• Ensure compatibility with industry practices.
• Maintain trust in their certificate management processes.

With these new tags, you can now specify verified contact methods that Certificate Authorities (CAs) must use to confirm domain ownership before issuing SSL certificates, ensuring a smoother, faster, more secure certificate issuance process.

What are CAA record tags?

CAA records are DNS records that allow domain owners to specify which Certificate Authorities are permitted to issue SSL certificates for their domains. If no CAA record is present, any CA is allowed to issue a certificate for the domain. If a CAA record is present, only the CAs listed in the record(s) are allowed to issue certificates for that hostname. CAA record tags allow you to choose how you want certificates to be issued by the CA.

These records can set policy for the entire domain, or for specific hostnames, and are inherited by subdomains. For example, a CAA record set on example.com also applies to subdomain.example.com.

For CAA record examples,(read this support article)[https://support.dnsimple.com/articles/caa-record/#record-examples]. To learn how to set up CAA DNS records, view our Managing CAA Records article.

How do the new record tags work?

contactemail and contactphone tags let domain owners specify how CAs should reach out to confirm certificate requests. This enables CAs to automatically validate SSL certificate requests by emailing or calling designated contacts.

DNSimple is among the first DNS providers to fully support these new CAA record tags, and implementing them gives you a more secure, standards-compliant domain management process. This is part of our larger effort to bring our customers:

• Enhanced security: Control exactly who can issue SSL certificates for your domain.
• Fast issuance: Enable automated validation with a verified contact email.
• Complete compliance: Stay ahead of CA/Browser Forumstandards and requirements with full implementation of the latest CAA specifications.

Get all the details about the CA/Browser Forum Baseline Requirements for contactphone and contactemail.

Keep your domains safe and compliant

Whether you're managing a personal site or handling thousands of domains for a large corporation, DNSimple gives you access to the latest CAA record features to help keep your domains safe and compliant.

You can start adding contactemail and contactphone tags to your CAA records today. If you have questions or need help configuring your DNS settings, just contact our support team, and we'll be happy to help. Have more features you'd like to see us add? Get in touch — we'd love to hear from you.

Not using DNSimple yet? Give us a try free for 30 days, and experience all the simplicity and innovation we bring to your DNS management.

Share on Twitter and Facebook

Guillermo Gutiérrez

Father, husband, software developer, amateur cook and baker, coffee enthusiast, maker aficionado, and Oxford comma fan.