[insanitybit]

No, this is easily the biggest flaw in CAA - there is no way to discover which policy broke your access. I have reported this to Google multiple times, even sent this directly to a Google SecEng (a well known one) to route internally. The issue persists and makes configuring CAA extremely painful and error prone.

[kmeisthax]

I am convinced there's someone who thinks debuggable security policies are a security risk and deliberately designs security APIs to be as inscrutable as possible.