Network Diagnostic Tools

TLS-RPT Check

SMTP TLS reporting policy

What is TLS-RPT?

TLS-RPT (SMTP TLS Reporting) lets a domain receive daily reports about TLS connection failures from sending servers, so you can detect mail being delivered insecurely. IPeek reads the _smtp._tls TXT record and shows the reporting destinations. It complements MTA-STS and DANE by giving you visibility into how those policies perform in the wild.

How TLS-RPT reporting works

TLS-RPT is published as a single DNS TXT record at _smtp._tls.your-domain. The record holds a version tag and an rua= tag listing where reports should be sent, either a mailto address or an HTTPS endpoint. Sending servers that support the standard aggregate the results of their TLS negotiations with your MX hosts over a day and deliver a JSON report to those destinations. Each report counts successful and failed sessions and categorizes failures, such as certificate validation errors or STARTTLS being unavailable, giving you a feedback loop on real delivery.

How to read your TLS-RPT results

IPeek confirms whether the _smtp._tls TXT record exists and shows the rua destinations it parses. Verify the version is TLSRPTv1 and that each rua target is a valid mailbox or HTTPS URL you actually monitor. The record itself does not enforce anything; it only requests reports, so its presence means senders know where to send TLS failure data. Once reports arrive, look at the failure types: certificate-expired, validation failures, and starttls-not-supported each point to a specific fix on your receiving infrastructure before they cause silent delivery problems.

How TLS-RPT relates to MTA-STS and DANE

MTA-STS and DANE enforce TLS on inbound mail, but enforcement is only safe if you can see what it does to real traffic. TLS-RPT supplies that visibility: when you deploy MTA-STS in testing mode, the reports reveal which senders hit TLS failures before you switch to enforce. The same applies to DANE TLSA mismatches. Treat TLS-RPT as the monitoring layer for your TLS posture, deployed alongside, not instead of, the enforcement mechanisms, so you catch certificate and configuration problems early.

Frequently asked questions

What is the TLS-RPT DNS record?

It is a TXT record published at _smtp._tls.your-domain that requests TLS failure reports. The record contains a v=TLSRPTv1 version tag and an rua= tag specifying where reports go, as a mailto address or an HTTPS URL. Sending servers that support TLS-RPT use it to know where to deliver their daily aggregate reports about TLS connections to your domain.

What information is in a TLS-RPT report?

A TLS-RPT report is a JSON document summarizing one day of TLS negotiations between a sending server and your MX hosts. It counts successful and failed sessions and breaks failures down by type, such as expired certificates, certificate validation errors, or STARTTLS being unavailable. This lets you pinpoint which receiving hosts or certificates are causing insecure or failed deliveries.

Does TLS-RPT enforce TLS on email?

No. TLS-RPT is purely a reporting mechanism and enforces nothing on its own. Enforcement comes from MTA-STS or DANE, which require TLS and can block insecure delivery. TLS-RPT sits alongside those policies as a monitoring layer, giving you visibility into how often TLS succeeds or fails so you can deploy enforcement confidently.

How do I set up TLS-RPT?

Publish a TXT record at _smtp._tls.your-domain containing v=TLSRPTv1 and an rua= tag pointing to a mailbox or HTTPS endpoint you monitor, for example rua=mailto:tlsrpt@your-domain. Choose a destination you actually watch, since reports arrive daily as JSON. Pair it with MTA-STS or DANE so the reports describe how your enforced TLS policy is performing.

How does TLS-RPT work with MTA-STS?

TLS-RPT provides the visibility that makes MTA-STS safe to deploy. When you publish an MTA-STS policy in testing mode, sending servers report any TLS failures through TLS-RPT, so you see which senders would be blocked before switching to enforce. The two are designed to work together: MTA-STS sets the policy, and TLS-RPT tells you how it is performing in practice.

Related tools

Deutsch | English | Español | Français | Italiano | Português | Русский | Українська | 日本語 | 简体中文 | 한국어