A Certification Authority Authorisation (CAA) record (RFC 8659) lets the owner of a domain state which certification authorities (CAs) are allowed to issue certificates for it. With the property tag "issuemail" (RFC 9495) this extends to S/MIME certificates: only the CAs named in the domain's "issuemail" records may issue S/MIME certificates for e-mail addresses under that domain, and every other CA that checks CAA must refuse. Note that CAA is enforced by the CA at issuance time, not by mail clients when they verify a signature, so it prevents mis-issuance rather than detecting it.
New: CAA Records for S/MIME
To authorise a CA to issue S/MIME certificates, a CAA record with the property tag "issuemail" (RFC 9495) is set for the domain. Of the supported CAs, GlobalSign and Sectigo currently honour this tag.
DigiCert will also check the CAA record for S/MIME certificates by 13 March 2025.
Setting up a CAA record for S/MIME
You can create the CAA records in the DNS settings of the domain.
Domain | RR-Type | Value |
---|---|---|
example.com | CAA | 0 issuemail "globalsign.com" |
The entry in the Value column consists of the following subentries:
Flag: A value between 0 and 255. Bit 7 (value 128) is the "issuer critical" flag defined in RFC 8659; a CA that does not understand a property marked critical must not issue. For "issuemail" the flag is normally 0.
Tag: An ASCII string that names the property, in our case "issuemail": authorises the CA named in "value" to issue S/MIME certificates for e-mail addresses under this domain. Tags are case-insensitive.
Value: The issuer domain name of the CA, in double quotes (see the overview of valid values below). As with the "issue" tag, a value of ";" alone authorises no CA at all.
Example according to BIND syntax:
example.com. 300 IN CAA 0 issuemail "globalsign.com"
example.com. 300 IN CAA 0 issuemail "sectigo.com"
example.com. 300 IN CAA 0 issuemail "digicert.com"
Overview of the valid values for the certification authorities
To grant authorization to a CA and its product lines:
- globalsign.com
- sectigo.com
- digicert.com
Allow multiple CAs to issue certificates
If several CAs are to be authorised to issue certificates, several "issuemail" CAA records can be entered for the domain; any one record naming a CA is sufficient for that CA.
Only the CAs named in the "issuemail" records can issue S/MIME certificates. The "issue" and "issuewild" tags used for TLS certificates do not restrict S/MIME issuance, and a domain with no "issuemail" record at all leaves every CA free to issue. If the e-mail domain itself has no CAA records, CAs look for them on its parent domains (RFC 8659 section 3), so a record on example.com also covers mail.example.com unless that name carries CAA records of its own.
If certificates are to be issued by a different CA, either delete the CAA record that is no longer needed or add a new record for the new CA. Allow the DNS TTL to expire and verify the result with a CAA lookup (for example with dig) before requesting the certificate, because the CA resolves the record at the moment of issuance.
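The record structure and the multiple-CA rules described in this section, as an added worked example that is not part of the original help page or of any CA's tooling: a small Python script that parses the presentation form of CAA records shown above and decides whether a given CA may issue an S/MIME certificate for a mailbox, following RFC 8659 (search for the relevant RRset up the DNS tree, critical flag) and RFC 9495 ("issuemail" semantics). The zone data is constructed in memory so the script runs offline; all function and variable names are my own and are not a DNS or CA API.

```python
"""Added example: evaluate CAA "issuemail" authorisation for S/MIME issuance.

Not part of the original help page. Uses a constructed in-memory zone instead
of live DNS; with real data, feed the strings returned by a CAA lookup
(e.g. dig +short CAA example.com) for the e-mail domain and its parents
into the same functions.
"""
import re
from dataclasses import dataclass

CRITICAL = 128  # bit 7 of the flags octet: "issuer critical" (RFC 8659 s.4.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef", "issuemail"}

# Presentation form as used on the page: <flags> <tag> "<value>"
_CAA_RE = re.compile(r'^\s*(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str    # stored lower-case; tags are case-insensitive
    value: str


def parse_caa(presentation: str) -> CAARecord:
    """Parse e.g. '0 issuemail "sectigo.com"' into a CAARecord."""
    m = _CAA_RE.match(presentation)
    if not m:
        raise ValueError(f"not a CAA record: {presentation!r}")
    flags = int(m.group(1))
    if flags > 255:
        raise ValueError(f"flags out of range: {flags}")
    return CAARecord(flags, m.group(2).lower(), m.group(3))


def mailbox_domain(mailbox: str) -> str:
    """S/MIME CAA is evaluated on the domain part of the e-mail address."""
    return mailbox.rsplit("@", 1)[1].lower().rstrip(".")


def relevant_rrset(zone: dict, fqdn: str) -> list:
    """RFC 8659 s.3: start at the name and climb towards the root; the first
    name that has CAA records supplies the relevant RRset (else empty)."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return [parse_caa(r) for r in zone[name]]
    return []


def issuer_of(value: str) -> str:
    """Issuer domain name is the part before any ';' parameters; '' means 'no CA'."""
    return value.split(";", 1)[0].strip().lower()


def smime_issuance_allowed(zone: dict, mailbox: str, ca: str) -> bool:
    rrset = relevant_rrset(zone, mailbox_domain(mailbox))
    # A critical property the CA does not understand forbids issuance outright.
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    issuemail = [r for r in rrset if r.tag == "issuemail"]
    # No issuemail property: S/MIME issuance is unrestricted by CAA. The TLS
    # tags issue/issuewild do not apply to S/MIME (RFC 9495).
    if not issuemail:
        return True
    # Any single record naming the CA authorises it; ';' alone names nobody.
    wanted = ca.lower()
    return any(issuer_of(r.value) == wanted for r in issuemail if issuer_of(r.value))


# Constructed sample zone (presentation form, without owner/TTL/class):
CONSTRUCTED_ZONE = {
    "example.com": ['0 issuemail "globalsign.com"', '0 issuemail "sectigo.com"'],
    "noca.example.com": ['0 issuemail ";"'],            # nobody may issue
    "tlsonly.example": ['0 issue "letsencrypt.org"'],   # restricts TLS only
    "strict.example": ['128 issuefoo "x"'],             # unknown critical tag
}

if __name__ == "__main__":
    for mbox, ca in [("alice@example.com", "globalsign.com"),
                     ("alice@example.com", "digicert.com"),
                     ("bob@mail.example.com", "sectigo.com"),
                     ("carol@noca.example.com", "globalsign.com"),
                     ("dave@tlsonly.example", "digicert.com"),
                     ("eve@strict.example", "digicert.com")]:
        verdict = "allowed" if smime_issuance_allowed(CONSTRUCTED_ZONE, mbox, ca) else "DENIED"
        print(f"{ca:15} -> {mbox:25} {verdict}")
```

Against a live domain, replace CONSTRUCTED_ZONE with the strings a CAA lookup returns for the e-mail domain and each of its parents; the function then predicts whether a given CA would pass its own CAA check before you order the certificate.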