DNS / email · Check
CAA issuewild too broad — tightening wildcard issuance
When CAA `issuewild` allows any CA (or many CAs), the value of CAA as a defense against mis-issuance drops. Restrict `issuewild` to the specific CA(s) you actually use for wildcard certs.
Real-world risk
A wildcard issuewild does not meaningfully restrict which CA can issue wildcard certificates for your domain.
Fix steps (in order)
- Replace issuewild "*" with specific CA identifiers aligned to your wildcard certificate issuer.
Topic explainer
DMARC, SPF, and DKIM explained: the email authentication trio →
A practical guide to email authentication: what SPF, DKIM, and DMARC each do, why all three are needed, and how to roll out a DMARC policy that actually blocks spoofed mail.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (dns_caa_issuewild_broad) clears once the externally-observable signal is in place.