Free TLS-RPT Record Checker

What is TLS-RPT?

SMTP TLS Reporting (TLS-RPT, RFC 8460) is a standard that enables domains to receive reports about TLS connection failures when other mail servers attempt to deliver email to them. It is the companion reporting mechanism for MTA-STS and DANE, providing visibility into whether sending servers can successfully establish encrypted connections.

A TLS-RPT record is a TXT record published at _smtp._tls.yourdomain.com that starts with v=TLSRPTv1 followed by a rua tag specifying where reports should be sent. Reports are delivered as JSON documents (RFC 8460, Section 4) either via email or HTTPS POST.

Tag Reference

Report Delivery Methods

How to Set Up TLS-RPT

1. Choose a reporting destination — either an email address or an HTTPS endpoint.
2. Add a DNS TXT record at _smtp._tls.yourdomain.com with v=TLSRPTv1; rua=mailto:tls-reports@yourdomain.com.
3. Ensure the receiving mailbox or endpoint can handle gzipped JSON reports.
4. (Recommended) Deploy MTA-STS or DANE alongside TLS-RPT — reporting without enforcement provides limited value.

What Reports Contain

TLS-RPT reports are JSON documents sent daily by mail servers that attempted delivery to your domain. Each report includes the sending server's identity, the time period covered, policy details (MTA-STS or DANE), and a summary of successful and failed TLS connections including failure reasons such as certificate errors, handshake failures, or policy mismatches.

Limitations

• Reporting only — TLS-RPT does not enforce TLS; it only reports on connection outcomes. Pair with MTA-STS or DANE for enforcement.
• Adoption varies — Not all sending servers generate TLS-RPT reports. Major providers (Google, Microsoft, Yahoo) do, but smaller servers may not.
• Report volume — High-traffic domains may receive large volumes of daily reports; consider using an HTTPS endpoint or a dedicated reporting service.