Menu
Fix deliverability Security Pricing
Theme
Deliverability

What Is TLS-RPT and How to Use Reports

Interpreting SMTP TLS failure reports, understanding what failure types to watch for, and setting up TLS-RPT reporting for your domain step by step.

January 27, 2026

TLS-RPT (SMTP TLS Reporting, defined in RFC 8460) gives you visibility into whether email sent to your domain is actually being encrypted. Without it, TLS failures are silent — email still gets delivered, just in plaintext where anyone on the network can read it.

How TLS-RPT works

You publish a DNS TXT record at _smtp._tls.yourdomain.com specifying where to send reports. Sending mail servers that support TLS-RPT will send you daily JSON reports about TLS negotiation successes and failures when delivering to your domain.

_smtp._tls.yourdomain.com TXT "v=TLSRPTv1; rua=mailto:tls-reports@yourdomain.com"

What reports contain

Each report is a JSON document covering a 24-hour period. Key fields include:

  • organization: The sending organization (e.g., Google, Microsoft)
  • date-range: The time period covered
  • policies: MTA-STS or DANE policies detected for your domain
  • failure-details: Specific TLS failures, including type, sending MTA, receiving MX, and message count

Common failure types

  • starttls-not-supported: The receiving server doesn't support STARTTLS. Unusual for modern mail servers — investigate if you see this.
  • certificate-expired: Your mail server's TLS certificate has expired. Renew it immediately.
  • certificate-host-mismatch: The certificate doesn't match your MX hostname. Check that your MX records match the certificate's subject/SAN.
  • sts-policy-fetch-error: The sender couldn't fetch your MTA-STS policy file. Check the HTTPS hosting at mta-sts.yourdomain.com.
  • sts-policy-invalid: Your MTA-STS policy file has syntax errors or the MX patterns don't match.
  • validation-failure: TLS negotiation failed for an unspecified reason. May indicate an outdated TLS version or cipher mismatch.

What to monitor

Set up alerting for these scenarios:

  • Any new failure type: If you've been clean and a new failure appears, investigate immediately
  • Certificate errors: These often indicate an expired or misconfigured certificate
  • Policy fetch errors: Your MTA-STS hosting may be down
  • Sudden increase in failures: Could indicate a configuration change or attack

Processing reports

TLS-RPT reports are JSON, making them easy to parse programmatically. For small domains, email delivery is fine — just review the reports manually. For larger deployments, consider:

  • Using an HTTPS endpoint (rua=https://...) for automated processing
  • Aggregating reports across all your domains
  • Setting up dashboards to track TLS success rates over time
  • Alerting on any failure that exceeds a threshold

Getting started

TLS-RPT is one of the simplest DNS records to deploy. It requires no infrastructure changes — just a single TXT record. Deploy it first, before MTA-STS, to establish a baseline of your TLS health. Then use the reports to guide your MTA-STS deployment.

Related tools

/tools/tls-rpt-check /tools/mta-sts-check /tools/mail-tls-basics Full deliverability checkup

Related posts

What Is MTA-STS and Why It Matters
How MTA-STS protects your inbound email from SMTP downgrade attacks. Includes deployment steps, testing mode, and common errors to avoid.
Why TLS Isn't Enough Without Policy
Why having TLS on your mail server doesn't guarantee email is encrypted in transit, and what policy mechanisms like MTA-STS and TLS-RPT close the gap.
Need help with this?
DNS Doctors offers continuous monitoring and white-glove managed DNS. Free tools to start, managed plans to keep it healthy.