Mandatory CAA Verification for S/MIME Certificates from March 15

(March 5, 2025) From March 15, a new obligation comes into effect for certificate authorities issuing S/MIME certificates – they must verify CAA records in DNS before issuing them. This change gives domain owners more control over who can issue certificates for their email communication.

From March 15, all certificate authorities (CA) issuing publicly trusted S/MIME certificates will have to start checking CA Authorization (CAA) records in compliance with the S/MIME Baseline Requirements.

CAA allows domain owners to specify which CA can issue their digital certificates. For S/MIME, a new "issuemail" tag is used in DNS according to the RFC 9495 standard.

The use of CAA is optional for domains, but from March 15, public CA will be required to check CAA records before issuing an S/MIME certificate.