What is this
A CAA record (Certification Authority Authorization) specifies which certificate authorities (CAs) may issue certificates for your domain. Every public CA has been required to check CAA before signing since 2017.
Why it matters
Without CAA, any public CA could in principle issue a valid certificate for your domain after a misconfiguration or compromised account. CAA stops that by giving you a whitelist.
How to fix it
TransIP: DNS > new record > type CAA, name @, flag 0, tag issue, value "letsencrypt.org". Add a second for your backup CA and optionally an iodef record pointing at your security mailbox.
CloudFlare: DNS > Records > Add CAA. Pick Only allow specific hostnames or add multiple issue records.
Strato or Antagonist: Open DNS management and add CAA records for the CAs you use (letsencrypt.org, digicert.com, etc.). If you issue wildcards, configure issuewild separately.
Other: Add a CAA on the apex with tag issue and value of your CA's domain name. Add issuewild for wildcards and iodef for incident reporting.
Verify
dig CAA yourdomain.com +short. Or use SSL Labs or crt.sh to inspect which CAs recently issued for your domain.