Merge pull request #665 from coel/leo/caa

onderay · web-flow · commit f9bac833b671 · 2026-02-13T15:59:03.000+11:00
diff --git a/src/content/docs/build/domains/organization-custom-domain.mdx b/src/content/docs/build/domains/organization-custom-domain.mdx
@@ -58,6 +58,8 @@ Instructions will vary depending on your domain provider. Here’s the general p
 2. Navigate to the page where you can add DNS records. 
 3. Use the details provided by Kinde to add CNAME DNS records.
 
+If your domain has **CAA (Certificate Authority Authorization)** records, you must allow both **ZeroSSL** (`sectigo.com`) and **Let's Encrypt** (`letsencrypt.org`), which Kinde uses to provision and renew SSL certificates. See [CAA records (if you use them)](/build/domains/pointing-your-domain/#caa-records-if-you-use-them) in the main custom domain guide for details and sample records.
+
 ## Step 3: Monitor for verification and SSL certificate provisioning
 
 1. Open the individual organization record.
diff --git a/src/content/docs/build/domains/pointing-your-domain.mdx b/src/content/docs/build/domains/pointing-your-domain.mdx
@@ -77,6 +77,22 @@ Apologies that we can’t offer instructions for all situations, as this will be
 
    </Aside>
 
+## CAA records (if you use them)
+
+If your domain has **CAA (Certificate Authority Authorization)** records, they restrict which certificate authorities can issue SSL certificates for your domain. Kinde provisions and renews certificates using **ZeroSSL** and **Let's Encrypt**, so you must allow both in your CAA records or certificate issuance will fail.
+
+Add CAA records that authorize both providers. For your custom domain (or the subdomain you use, e.g. `account`), add two CAA records like this:
+
+| Host | Record type | Value |
+|------|-------------|--------|
+| `account` (or your subdomain) | CAA | `0 issue "sectigo.com"` |
+| `account` (or your subdomain) | CAA | `0 issue "letsencrypt.org"` |
+
+- **ZeroSSL** uses the CA domain **sectigo.com**
+- **Let's Encrypt** uses the CA domain **letsencrypt.org**
+
+If you only list one CA in your CAA records, add the other. If you have no CAA records, you don't need to add any; certificate issuance will work as normal.
+
 ## Check verification status in Kinde
 
 Once you have created the DNS entries, Kinde will start the verification process. This can take anywhere from a few minutes to a couple of hours. When it completes, the verification status will change to 'Provisioned' and an SSL certificate will be provisioned. 
