What's Changing?
GlobalSign is planning to implement a CAA check before issuing any S/MIME Certificate. This additional step will provide our customers with the ability to ensure that they have authorized us to issue certificates for their domains.
Why the change?
In accordance with the new CA/B Forum guidelines for S/MIME Baseline requirements, effective from September 15, 2024, additional security measures are being introduced. Certification Authorities (CAs) are now required to check user DNS Records for the "issuemail" property tag and only issue certificates if authorized. If no "issuemail" property tag is defined by the user in DNS, CAs can continue to issue certificates as usual.
When?
GlobalSign will implement this check starting from June 24th, 2024.
Recommended actions
There is no immediate action required. However, if you wish to authorize GlobalSign against your domain for S/MIME Certificate issuance, you can set a new property tag - "issuemail" - and allow "Globalsign.com" against it in your respective DNS Manager. The setting should appear as follows in your DNS Entry: CAA 0 issuemail “Globalsign.com”
Note that once you set this new tag in your DNS account, it may take up to 48 hours before GlobalSign is recognized as an authorized CA.
If you choose not to make any changes in your DNS settings, no further action is required on your part and you can continue issuing certificates from us as usual. However, if you want to ensure that only GlobalSign is permitted for issuance related to S/MIME Certificates, please set the "issuemail" tag with "Globalsign.com" in your DNS.
Please find more information on our support page; CAA Checking for S/MIME Certificates