Configure CAA records for Webflow SSL

Learn which CAA records you need to allow Webflow to provision and renew SSL certificates.

If your domain uses CAA (Certification Authority Authorization) DNS records, you’ll need to explicitly allow Webflow’s certificate providers to issue SSL certificates on your behalf. This ensures your site loads securely over HTTPS.

CAA records are a type of DNS record that lets domain owners specify which certificate authorities (CAs) can issue SSL/TLS certificates for their domain. If a CA isn’t listed in your CAA records, it won’t be allowed to issue a certificate for your site.

CAA records are often used as a security best practice to prevent unauthorized certificate issuance.

Why do I need to update my CAA records?

Webflow provisions SSL certificates through two certificate authorities:

  • Let’s Encrypt

  • Google Trust Services (via Cloudflare)

If you use or want to add CAA records, you must explicitly allow both certificate providers. Otherwise, Webflow won’t be able to issue or renew SSL certificates for your domain, which may result in an insecure or inaccessible site.

What to add to DNS settings

If you manage your own DNS and use CAA records, make sure to add both of these records:

  • 0 issue "letsencrypt.org"
  • 0 issue "pki.goog; cansignhttpexchanges=yes"

You’ll add these records where you manage your domain’s DNS settings (typically with your domain registrar or DNS host).
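
To confirm an existing CAA record set allows both providers, the following Python check can help. It is an added example, not Webflow's own code. The function names, example.com and ca.example are assumptions made for illustration, and the sample records are constructed.

```python
import re

# CA identifiers taken from the two records listed above.
REQUIRED_CAS = ("letsencrypt.org", "pki.goog")

# RDATA of a CAA record: <flags> <tag> "<value>", optionally preceded by
# the owner name, TTL, class and type as printed in a zone file or by dig.
CAA_RDATA = re.compile(r'(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')


def parse_caa(lines):
    """Return (flags, tag, issuer) tuples for every CAA line that parses."""
    records = []
    for line in lines:
        match = CAA_RDATA.search(line.strip())
        if match is None:
            continue
        flags, tag, value = match.groups()
        # Parameters such as cansignhttpexchanges=yes follow the first ';'.
        issuer = value.split(";", 1)[0].strip().lower()
        records.append((int(flags), tag.lower(), issuer))
    return records


def missing_cas(lines, required=REQUIRED_CAS):
    """List required CAs that this record set does not authorize.

    Only the "issue" tag is evaluated (not "issuewild"), and the lines are
    assumed to be the complete CAA record set that applies to the domain.
    """
    issuers = [issuer for _, tag, issuer in parse_caa(lines) if tag == "issue"]
    if not issuers:
        # No "issue" records: issuance is not restricted to specific CAs.
        return []
    return [ca for ca in required if ca not in issuers]


# Constructed sample data: example.com and ca.example are placeholders.
BEFORE = [
    'example.com. 3600 IN CAA 0 issue "ca.example"',
    'example.com. 3600 IN CAA 0 issue "letsencrypt.org"',
]
AFTER = BEFORE + ['example.com. 3600 IN CAA 0 issue "pki.goog; cansignhttpexchanges=yes"']

if __name__ == "__main__":
    print("before:", missing_cas(BEFORE))  # ['pki.goog']
    print("after: ", missing_cas(AFTER))   # []
```

An empty result means both CAs are authorized. A record set that contains only `0 issue ";"` forbids all issuance, so both CAs are reported as missing.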

What happens if I don’t update my CAA records?

If your CAA records don’t allow both Let’s Encrypt and Google Trust Services:

  • SSL certificates for your site may fail to provision or renew

  • Visitors may see a security warning when trying to access your site

  • Your site may appear as not secure or become inaccessible via HTTPS

Do I need to do anything if I’m not using CAA records?

Nope! If you don’t use CAA records, Webflow will continue managing SSL certificates for your domain automatically — no action needed.