CAA records for S/MIME certificates will be verified from September 2024
From September 2024, CAA records in the Domain Name System (DNS) will also be verified when issuing S/MIME certificates. Previously, this was only done when issuing SSL/TLS certificates.
What does CAA mean?
DNS Certification Authority Authorisation (CAA) is a security mechanism in the Domain Name System (DNS) that controls the issuing of SSL/TLS and S/MIME certificates. CAA records allow domain owners to specify which certification authorities (CAs) are authorised to issue certificates for their domain. This reduces the risk of an unauthorised or misled CA issuing a certificate for the domain, which could otherwise be used for impersonation. CAA checking itself is specified in RFC 8659; RFC 9495 extends it to S/MIME certificates by defining the "issuemail" property tag, and it is this RFC that the S/MIME check follows.
How does the CAA verification work?
First, the domain owner creates one or more CAA records in the DNS zone of their domain. Once this has been done, the domain owner can apply to a CA for an SSL/TLS or S/MIME certificate for that domain. Before the CA issues a certificate, it must look up the CAA records of the domain (for an S/MIME certificate, the domain part of the email address). If the domain itself has no CAA records, the CA climbs to the parent domains one label at a time and uses the first CAA record set it finds. If the CA is listed as authorised in that record set, it proceeds with issuing the certificate. If this is not the case, it refuses to issue and, if required, reports the refused request.
A typical CAA record has the following format:
example.com CAA 0 issuemail "ca.example"
- example.com: The domain to which the CAA record applies.
- 0: Flags (usually 0; the value 128 sets the "issuer critical" bit, which tells a CA that does not understand the property tag that it must not issue).
- issuemail: The property tag. issuemail authorises the issuing of S/MIME certificates; the issue and issuewild tags govern SSL/TLS certificates and do not apply to S/MIME.
- "ca.example": The domain name by which the authorised CA identifies itself in CAA records. This is not necessarily the CA's brand name or website, so take the value from the CA's documentation.
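The following script, added here as an example and not part of NoSpamProxy or of any CA's code, walks through the check described above: it climbs from the mailbox domain to its parent domains until it finds a CAA record set (RFC 8659) and then applies the issuemail rules of RFC 9495. DNS is replaced by ZONE, a constructed in-memory table, so the script runs offline; the domain names and CA names in it are invented for illustration. Against a real resolver the same record set is what `dig CAA example.com` returns.

```python
"""CAA check for S/MIME issuance: RFC 8659 tree climbing + RFC 9495 issuemail.

Added example (not NoSpamProxy code). DNS is simulated by the constructed
ZONE table below so that the script runs offline.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit value 128 = issuer-critical flag
    tag: str     # property tag: issue, issuewild, iodef, issuemail, ...
    value: str   # e.g. 'mail-ca.example' or 'mail-ca.example; account=42'


# Constructed sample zone data (invented names): FQDN -> CAA record set.
ZONE = {
    "example.com.": [
        CAARecord(0, "issue", "tls-ca.example"),
        CAARecord(0, "issuemail", "mail-ca.example"),
        CAARecord(0, "issuemail", "other-ca.example; account=42"),
    ],
    # 'issuemail ;' (empty issuer domain) forbids S/MIME issuance by every CA
    "locked.example.": [CAARecord(0, "issuemail", ";")],
    # only an 'issue' record: restricts TLS issuance, says nothing about S/MIME
    "tlsonly.example.": [CAARecord(0, "issue", "tls-ca.example")],
    # a critical property our CA does not understand
    "unknown-tag.example.": [CAARecord(128, "futuretag", "x")],
}

# Property tags the simulated CA understands (relevant for the critical flag).
KNOWN_TAGS = {"issue", "issuewild", "iodef", "issuemail"}


def lookup_caa_rrset(fqdn):
    """RFC 8659 section 3: return the first non-empty CAA record set found
    while climbing from fqdn towards the root. CNAME/DNAME handling omitted."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]) + ".", [])
        if rrset:
            return rrset
    return []


def issuer_domain(value):
    """The issuer domain name is the text before the first ';', trimmed and
    compared case-insensitively; anything after ';' are CA-specific parameters."""
    return value.split(";", 1)[0].strip().lower()


def smime_issuance_allowed(email, ca_domain):
    """Return True if ca_domain may issue an S/MIME certificate for email."""
    domain = email.rsplit("@", 1)[1]
    rrset = lookup_caa_rrset(domain)
    # RFC 8659: a critical property the CA does not understand blocks issuance.
    for r in rrset:
        if r.flags & 128 and r.tag.lower() not in KNOWN_TAGS:
            return False
    issuemail = [r for r in rrset if r.tag.lower() == "issuemail"]
    if not issuemail:
        # No issuemail property: CAA does not restrict S/MIME issuance
        # (issue/issuewild records only apply to SSL/TLS certificates).
        return True
    # At least one issuemail record must name this CA; 'issuemail ;' matches nobody.
    return any(issuer_domain(r.value) == ca_domain.lower() for r in issuemail)


if __name__ == "__main__":
    for mailbox, ca in [("alice@example.com", "mail-ca.example"),
                        ("alice@example.com", "tls-ca.example"),
                        ("bob@sales.example.com", "mail-ca.example"),
                        ("x@locked.example", "mail-ca.example"),
                        ("x@tlsonly.example", "mail-ca.example")]:
        print(f"{ca:>18} for {mailbox:<24} -> {'issue' if smime_issuance_allowed(mailbox, ca) else 'REFUSE'}")
```

Note the two cases that most often surprise administrators: the subdomain sales.example.com inherits the parent's CAA records because it publishes none of its own, and a domain with only an issue record is not protected against S/MIME issuance by an arbitrary CA; that needs an issuemail record.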
What does the CAA verification mean for me?
This change planned for September 2024 has no impact on existing S/MIME certificates. However, if a domain has one or more CAA records with the property tag "issuemail", but none of these records list the CA you are using as an authorised issuer, no new S/MIME certificates can be issued for email addresses in this domain. The same applies to its subdomains, unless a subdomain publishes CAA records of its own, because the CA uses the first CAA record set it finds on the way up to the parent domains.
If you have created CAA records in the DNS, they must contain an issuemail record that names the CA you are using as an authorised issuer. Domains that publish only issue or issuewild records are not affected, because those tags do not apply to S/MIME certificates. Check your records, for example with dig CAA, before the next S/MIME certificate is due for issuance or renewal.
Are you using the latest version of NoSpamProxy?
You can always find the latest versions of NoSpamProxy Server on our download page. Update now and benefit from maximum email security and the latest functions.