Do ServiceNow instances have a CAA record and do they need a CAA record?Summary<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } A CAA (Certification Authority Authorization) DNS record allows domain owners to specify which certificate authorities are permitted to issue SSL/TLS certificates for their domain, helping prevent unauthorized certificate issuance. The record includes flags, tags (like "issue" or "issuewild"), and the authorized CA's domain, providing an additional layer of security against misissued certificates. Subdomains don't strictly need their own CAA records because CAA inheritance works up the DNS tree—if a subdomain lacks a CAA record, certificate authorities will check the parent domain's CAA record and apply those restrictions. However, you can set specific CAA records on subdomains if you want different certificate authorities to be authorized for them than for the parent domain, giving you granular control over certificate issuance at each level of your domain hierarchy. Commercial instances are assigned <instance>.service-now.com URLs. The domain for these instances, service-now.com, contains a CAA record. At the time of writing, the CAA record returns. 0issueletsencrypt.org 1m0issueentrust.net 1m0issuedigicert.com 1m0iodefmailto:domains-infrastructure@servicenow.com 1m For instances that also have a custom URL such as <custom subdomain>.<customer domain>, the CAA record can be defined by the domain owner at both the domain level and/or subdomain level if needed. Since the customer domain is not maintained by ServiceNow, such changes must be done by the customer's DNS administrators. Related Links<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Brief explanation regarding CAA: https://letsencrypt.org/docs/caa/ Sites that allow you to check CAA records: https://www.nslookup.io/domains/service-now.com/dns-records/caa/ https://caatest.co.uk/service-now.com