TLS-RPT Checker - Check SMTP TLS Reporting for Your Domain
Look up the TLS-RPT (SMTP TLS Reporting) record for your domain. TLS-RPT lets you receive reports from sending mail servers when TLS encryption fails during delivery to your domain.
What is TLS-RPT?
TLS-RPT (SMTP TLS Reporting, defined in RFC 8460) is a mechanism that lets domain owners receive reports when a sending mail server has trouble establishing a TLS-encrypted connection to deliver email to their domain.
When a mail server cannot negotiate TLS with your mail server (because of a certificate error, missing MTA-STS policy, or TLS negotiation failure), it can send a JSON report to the address you specify in your TLS-RPT record. These reports help you detect and fix TLS configuration issues before they affect deliverability.
How to set up TLS-RPT
Publish a TXT record at _smtp._tls.yourdomain.com with the following format:
v=TLSRPTv1; rua=mailto:[email protected]
Replace [email protected] with an address where you want to receive the reports.
Some DMARC report processors (like Postmark, Dmarcian, or Google Postmaster) also accept TLS-RPT reports at their aggregate reporting addresses.
TLS-RPT and MTA-STS
TLS-RPT is most valuable when used alongside MTA-STS (SMTP MTA Strict Transport Security). MTA-STS tells sending servers that they must use TLS to deliver email to your domain and that certain certificate conditions must be met. TLS-RPT then gives you visibility into cases where those TLS requirements were not met and delivery was affected.
Use the MTA-STS Checker to verify your MTA-STS policy is configured correctly alongside TLS-RPT.
TLS-RPT record format
| Tag | Required | Description |
|---|---|---|
| v=TLSRPTv1 | Yes | Version identifier. Must be the first tag. |
| rua= | Yes | Reporting URI. One or more mailto: or https:// URIs where reports should be sent. |
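
The format rules in the table above can be checked offline against the TXT strings a DNS lookup returns. This is an added example, not this checker's own code: the function names are hypothetical, the sample records are constructed, and the "exactly one record" rule comes from RFC 8460 rather than from this page.

```python
from urllib.parse import urlsplit

def parse_tlsrpt(record):
    """Parse one TLS-RPT TXT value; raise ValueError if malformed."""
    fields = [f.strip() for f in record.strip().split(";")]
    if fields[-1] == "":
        fields.pop()                       # a single trailing ';' is allowed
    if not fields or fields[0] != "v=TLSRPTv1":
        raise ValueError("v=TLSRPTv1 must be the first tag")
    tags = {}
    for field in fields[1:]:
        name, sep, value = (p.strip() for p in field.partition("="))
        if not (name and sep and value):
            raise ValueError(f"malformed field {field!r}")
        tags[name] = value
    if "rua" not in tags:
        raise ValueError("required rua= tag is missing")
    uris = [u.strip() for u in tags["rua"].split(",")]
    for uri in uris:
        parts = urlsplit(uri)
        ok = (parts.scheme == "mailto" and "@" in parts.path) or \
             (parts.scheme == "https" and bool(parts.netloc))
        if not ok:
            raise ValueError(f"rua must be a mailto: or https:// URI, got {uri!r}")
    return {"version": "TLSRPTv1", "rua": uris}

def check_txt_answers(txt_values):
    """Evaluate every TXT string returned for _smtp._tls.<domain>."""
    candidates = [t for t in txt_values if t.strip().startswith("v=TLSRPTv1")]
    if len(candidates) != 1:               # RFC 8460 rule, not stated on this page
        return {"valid": False, "reason": f"expected 1 TLS-RPT record, found {len(candidates)}"}
    try:
        return {"valid": True, **parse_tlsrpt(candidates[0])}
    except ValueError as exc:
        return {"valid": False, "reason": str(exc)}

if __name__ == "__main__":
    # Constructed sample answers; example.com / example.net are placeholders.
    for answers in (
        ["v=TLSRPTv1; rua=mailto:tlsrpt@example.com,https://reports.example.net/v1/tlsrpt;"],
        ["v=TLSRPTv1; rua=http://reports.example.net/v1/tlsrpt"],
        ["v=TLSRPTv1; rua=mailto:a@example.com", "v=TLSRPTv1; rua=mailto:b@example.com"],
    ):
        print(check_txt_answers(answers))
```

A plain-http rua or a duplicate record is reported as invalid, which is how a sending server that follows the RFC would treat the domain: as having no TLS-RPT policy at all.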
FAQ
Is TLS-RPT required for email to work?
No. TLS-RPT is optional and does not affect whether email is delivered. It is a reporting mechanism only. Without TLS-RPT, you simply do not receive reports when TLS failures occur. Adding it does not change how email is sent or received.
What is in a TLS-RPT report?
Reports are sent as JSON files and describe TLS negotiation results from each sending mail server. They include the number of successful and failed TLS sessions, failure types (certificate errors, policy mismatches, negotiation failures), and which sending servers were involved.
Who sends TLS-RPT reports?
Major mail providers including Google (Gmail), Microsoft (Outlook/Exchange), and others send TLS-RPT reports when they support the standard. Not all mail servers send reports, but coverage from large providers gives useful visibility into TLS issues.
My domain has no TLS-RPT record - is that a problem?
Not having a TLS-RPT record is fine if you are not using MTA-STS. If you set up MTA-STS, adding TLS-RPT alongside it is recommended so you have visibility into any TLS enforcement failures.