TLS-RPT
TLS-RPT (TLS Reporting) is a DNS record that tells sending mail servers where to send reports when they encounter TLS issues while delivering email to your domain. These reports help you identify mail delivery failures caused by TLS misconfigurations.
What SecurityStatus Checks
- Whether a _smtp._tls TXT record exists for your domain
- Whether the reporting address in the record is reachable
- Correct TLS-RPT record syntax and version
Why This Matters
Without TLS-RPT, TLS delivery failures are silent — you have no visibility into whether email is being rejected or delivered insecurely to your mail servers. TLS-RPT reports are essential for diagnosing MTA-STS enforcement issues.
How to Fix It
1. Add the TLS-RPT DNS record
Add a TXT record: `_smtp._tls.yourdomain.com TXT "v=TLSRPTv1; rua=mailto:tls-reports@yourdomain.com"`. Use a dedicated mailbox or a service like Postmark's DMARC reporting that also handles TLS-RPT.
2. Set up a mailbox to receive reports
Reports are sent as JSON files attached to email. Consider a dedicated address or a reporting service that parses and displays the reports for you.
3. Review reports regularly
After enabling TLS-RPT, check reports weekly for the first month. Look for delivery failures that may indicate TLS misconfigurations on your MX servers.
Frequently Asked Questions
What format are TLS-RPT reports in?
Do I need MTA-STS to use TLS-RPT?