easyDNS has recently added support for the ‘issuemail’ tag in CAA (Certification Authority Authorization) DNS records.
This new feature allows domain owners to specify which Certificate Authorities (CAs) are permitted to issue S/MIME (Secure/Multipurpose Internet Mail Extensions) certificates for email addresses associated with their domain. By implementing this tag, domain administrators gain greater control over the issuance of S/MIME certificates, which are used for securing email communications through digital signatures and encryption.
The ‘issuemail’ tag functions similarly to the existing ‘issue’ tag used for web server certificates but is specifically designed for email security.
By adding this tag to your CAA records, you can explicitly authorize or restrict certain CAs from issuing S/MIME certificates for your domain’s email addresses (think of it like “SPF, but for issuing SSL and TLS certs”).
This added layer of security helps prevent unauthorized CAs from issuing certificates, reducing the risk of potential email spoofing or man-in-the-middle attacks.
For the gory details on the technical specifics, refer to RFC 9495.
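The following is an added example, not easyDNS or RFC code: a small Python check of how a CA reads the ‘issuemail’ tag once it has found the CAA record set for the domain part of an email address. The zone contents, the CA names (`web-ca.example`, `smime-ca.example`) and the function names are constructed for illustration; the lookup up the DNS tree and critical-flag handling are left out.

```python
import re

# RDATA of a CAA record in zone-file form: <flags> <tag> "<value>"
CAA_RE = re.compile(r'\bCAA\s+(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"')

def parse_caa(zone_text):
    """Return (flags, tag, value) for every CAA record in zone-file text."""
    records = []
    for line in zone_text.splitlines():
        m = CAA_RE.search(line)
        if m:
            records.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    return records

def issuer_domain(value):
    """Issuer domain name of an issuemail value; '' means no CA is named."""
    return value.split(";", 1)[0].strip().lower().rstrip(".")

def smime_issuance_allowed(records, ca_domain):
    """True if ca_domain may issue S/MIME certificates under these records."""
    mail_values = [v for _, tag, v in records if tag == "issuemail"]
    if not mail_values:
        # No issuemail property: S/MIME issuance is not restricted by CAA.
        # 'issue' and 'issuewild' only govern server certificates.
        return True
    ca = ca_domain.lower().rstrip(".")
    return any(issuer_domain(v) == ca for v in mail_values)

# Constructed sample zones (not real data).
ZONE_ISSUE_ONLY = 'example.com. 3600 IN CAA 0 issue "web-ca.example"'
ZONE_SPLIT = '''
example.com. 3600 IN CAA 0 issue "web-ca.example"
example.com. 3600 IN CAA 0 issuemail "smime-ca.example"
'''
ZONE_NO_SMIME = 'example.com. 3600 IN CAA 0 issuemail ";"'

if __name__ == "__main__":
    for name, zone in [("issue only", ZONE_ISSUE_ONLY),
                       ("split", ZONE_SPLIT),
                       ("issuemail ;", ZONE_NO_SMIME)]:
        recs = parse_caa(zone)
        for ca in ("web-ca.example", "smime-ca.example"):
            print(f"{name:12} {ca:18} -> {smime_issuance_allowed(recs, ca)}")
```

The first zone shows why an existing ‘issue’ record alone does not protect email: until an ‘issuemail’ record is published, any CA remains free to issue S/MIME certificates for the domain.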
To set one for your zones, log into the member control panel and edit your CAA DNS entries.