A CAA lookup that shows who can issue certificates
A CAA (Certification Authority Authorization) record is a DNS entry that names exactly which certificate authorities are allowed to issue SSL/TLS certificates for your domain. It's a security control: with it in place, a CA that isn't on your list is supposed to refuse to issue a certificate, which limits the damage if someone tries to obtain a fraudulent one. This CAA lookup reads those records straight from DNS and lays out the policy in plain terms — which CAs are authorized, whether wildcards are restricted separately, and where policy violations get reported.
Why check the CAA record when a certificate won't renew
The most common reason people run a CAA check is a renewal that suddenly fails. If your CAA record authorizes, say, DigiCert, but your automated renewal is trying to issue through Let's Encrypt, the CA will correctly refuse — and your certificate quietly expires, taking the site down with it. So if you're debugging a failed issuance, the first thing to confirm is that the CA you're renewing with actually appears in the domain's CAA record. This checker shows you that list directly, so you can spot a mismatch in seconds.
How CAA records are read up the tree
CAA uses what's called tree climbing: if the exact hostname has no CAA record, the certificate authority checks the parent domain, then its parent, and so on. That means the policy actually governing a subdomain might be published higher up. This tool follows the same climb and tells you which name the effective policy was found on — so you're seeing the record that a CA would actually apply, not just whether the exact name you typed has its own record.
No CAA record is normal — not a failure
One honest point worth stating plainly: having no CAA record at all is the default state for most domains, and it isn't a problem. It simply means any publicly trusted CA may issue certificates for the domain, which is how the web worked before CAA existed. Adding a CAA record is optional hardening that lets you narrow issuance to specific CAs. So if this tool reports no record found, read that as "no restriction set," not as something broken — it only matters if restricting issuance is a goal for you.
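The tree climb and the "no record means no restriction" rule described above, as an added example (not this tool's own code). It assumes a constructed in-memory table, SAMPLE_DNS, in place of live DNS queries; the function names find_policy and ca_may_issue and the example.com records are hypothetical, and only the issue and issuewild tags are evaluated.

```python
# Constructed sample data standing in for DNS CAA answers (no network access).
# Each record is (flags, tag, value), the three fields of a CAA record.
SAMPLE_DNS = {
    "example.com": [(0, "issue", "digicert.com"),
                    (0, "issuewild", ";"),
                    (0, "iodef", "mailto:security@example.com")],
    "shop.example.com": [(0, "issue", "letsencrypt.org")],
}

def find_policy(name, dns=SAMPLE_DNS):
    """Climb from the name toward the root; return (owner, records).

    The first name with any CAA record wins. (None, []) means nothing was
    found on the whole path, i.e. no restriction is set.
    """
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":              # a wildcard request is checked at its base name
        labels = labels[1:]
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if dns.get(candidate):
            return candidate, dns[candidate]
    return None, []

def ca_may_issue(name, ca_domain, dns=SAMPLE_DNS):
    """Return (allowed, owner) for a CA identified by its CAA domain name."""
    owner, records = find_policy(name, dns)
    issue = [v for _, tag, v in records if tag.lower() == "issue"]
    issuewild = [v for _, tag, v in records if tag.lower() == "issuewild"]
    # For a wildcard request, issuewild (when present) takes precedence over issue.
    relevant = issuewild if (name.startswith("*.") and issuewild) else issue
    if not relevant:
        return True, owner            # nothing restricts this request
    # The value is "<ca-domain>[; parameters]"; a bare ";" authorizes no CA.
    allowed = {v.split(";")[0].strip().lower() for v in relevant} - {""}
    return ca_domain.lower() in allowed, owner

if __name__ == "__main__":
    for host, ca in [("www.example.com", "letsencrypt.org"),
                     ("api.shop.example.com", "letsencrypt.org"),
                     ("*.example.com", "digicert.com"),
                     ("example.org", "letsencrypt.org")]:
        print(host, ca, ca_may_issue(host, ca))
```

The first case is the renewal mismatch from the section on failed renewals: www.example.com has no record of its own, the climb lands on example.com, and a CA other than the one listed there is refused.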