TLS-RPT Checker & Generator

Check your TLS-RPT configuration or generate a new record to receive TLS connection failure reports.

What is TLS-RPT?

TLS-RPT (SMTP TLS Reporting), defined in RFC 8460, is a standard that allows domain owners to receive daily reports about TLS connection failures when other servers try to send email to their domain. It provides visibility into email transport security issues that would otherwise go unnoticed.

How TLS-RPT Works

You publish a TXT record at _smtp._tls.yourdomain.com specifying where to send reports. When a sending server encounters a TLS issue while delivering mail to your domain, it sends a JSON report to the specified address.

Example TLS-RPT Record

v=TLSRPTv1; rua=mailto:[email protected]

What Reports Include

  • The sending organization and contact information
  • Date range covered by the report
  • Details of TLS negotiation failures (certificate errors, protocol mismatches, etc.)
  • MTA-STS policy failures (if MTA-STS is deployed)
  • DANE validation failures (if DANE/TLSA records are published)
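The items listed above map directly onto fields of the RFC 8460 JSON report. The following is an added example, not code from this page or its tool: it summarizes the failure rate and the most common failure causes for each policy. The sample report is constructed, and the function name summarize_report is hypothetical.

```python
import json
from collections import Counter

# Constructed sample report using the RFC 8460 JSON field names.
# All organizations, hosts and addresses are made-up example values.
SAMPLE_REPORT = json.dumps({
    "organization-name": "Sender Example Inc.",
    "date-range": {"start-datetime": "2024-05-01T00:00:00Z",
                   "end-datetime": "2024-05-01T23:59:59Z"},
    "contact-info": "tlsrpt@sender.example",
    "policies": [
        {"policy": {"policy-type": "sts", "policy-domain": "recipient.example"},
         "summary": {"total-successful-session-count": 940,
                     "total-failure-session-count": 60},
         "failure-details": [
             {"result-type": "certificate-expired",
              "receiving-mx-hostname": "mx1.recipient.example",
              "failed-session-count": 55},
             {"result-type": "starttls-not-supported",
              "receiving-mx-hostname": "mx2.recipient.example",
              "failed-session-count": 5}]},
        {"policy": {"policy-type": "tlsa", "policy-domain": "recipient.example"},
         "summary": {"total-successful-session-count": 100,
                     "total-failure-session-count": 0}},
    ],
})

def summarize_report(raw):
    """Return sender, reporting window, and per-policy failure statistics."""
    report = json.loads(raw)
    policies = []
    for entry in report.get("policies", []):
        summary = entry.get("summary", {})
        ok = summary.get("total-successful-session-count", 0)
        failed = summary.get("total-failure-session-count", 0)
        by_cause = Counter()
        # failure-details is optional; it is absent when nothing failed.
        for detail in entry.get("failure-details", []):
            key = (detail.get("result-type", "unknown"),
                   detail.get("receiving-mx-hostname", "unknown"))
            by_cause[key] += detail.get("failed-session-count", 0)
        total = ok + failed
        policies.append({
            "policy_type": entry.get("policy", {}).get("policy-type"),
            "failure_rate": failed / total if total else 0.0,
            "top_causes": by_cause.most_common(3),
        })
    return {"sender": report.get("organization-name"),
            "window": report.get("date-range", {}), "policies": policies}
```

A rising failure_rate for the sts policy type, grouped by MX host and result type, shows which receiving server needs attention before MTA-STS enforcement starts rejecting mail.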

Report Destinations

Reports can be sent to:

  • mailto: — Reports sent as email attachments (most common)
  • https: — Reports POSTed to a web endpoint (for automated processing)

TLS-RPT and MTA-STS

TLS-RPT is the companion protocol to MTA-STS. While MTA-STS enforces TLS connections, TLS-RPT provides the feedback loop to detect problems. Deploying both together gives you encryption enforcement with full visibility. Use our MTA-STS tool to set up enforcement.

Why TLS-RPT Matters

Without TLS-RPT, TLS failures between mail servers are invisible. You would not know if certificate misconfigurations, expired certificates, or network issues are causing email to be delivered without encryption, or not delivered at all when MTA-STS enforcement is active. TLS-RPT closes this visibility gap.

Free TLS-RPT Checker & Generator - TLS Reporting for Email | SpoofSentry