Free tool
TLS-RPT check.
Check for SMTP TLS reporting records. Verify your _smtp._tls DNS record and reporting endpoints.
What is TLS-RPT?
TLS-RPT (SMTP TLS Reporting, RFC 8460) is a standard that lets you receive reports about TLS connection failures when other servers try to deliver email to your domain. It works alongside MTA-STS and DANE to give you visibility into encryption problems.
How it works
You publish a DNS TXT record at _smtp._tls.yourdomain.com specifying where reports should be sent. Sending mail servers that support TLS-RPT will send you daily JSON reports about TLS negotiation successes and failures.
What reports contain
TLS-RPT reports include: the sending server, your domain, whether TLS was successfully negotiated, failure types (certificate errors, handshake failures, policy mismatches), and how many messages were affected.
Why it matters
Without TLS-RPT, you have no visibility into whether inbound email is actually being encrypted. If your certificate expires or MTA-STS policy is misconfigured, you won't know until someone complains.
Setting up TLS-RPT
DNS TXT record
_smtp._tls.yourdomain.com TXT "v=TLSRPTv1; rua=mailto:tls-reports@yourdomain.com"
Replace the email address with where you want to receive reports. You can also use https: endpoints for automated processing.
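A record like the one above can be checked before it is published. The following is an added example, not DNS Doctors' code: a minimal validator for the TXT strings found at _smtp._tls.<domain>, following the record rules in RFC 8460. The function name check_tlsrpt is hypothetical, and the input is assumed to be TXT values already fetched from DNS, with multi-string records concatenated.

```python
from urllib.parse import urlsplit

VERSION = "v=TLSRPTv1"

def check_tlsrpt(txt_records):
    """Validate TXT strings published at _smtp._tls.<domain>.

    Returns (report_uris, problems). The record is usable only when
    problems is empty.
    """
    # Only strings that begin with the version tag count as TLS-RPT records;
    # unrelated TXT data at the same name is ignored.
    candidates = [r.strip() for r in txt_records if r.strip().startswith(VERSION)]
    if not candidates:
        return [], ["no record starting with " + VERSION]
    if len(candidates) > 1:
        # Senders treat several TLS-RPT records as if none were published.
        return [], ["multiple TLSRPTv1 records published"]

    fields = [f.strip() for f in candidates[0].split(";") if f.strip()]
    problems, uris = [], []
    if fields[0] != VERSION:
        problems.append("version field must be exactly " + VERSION)
    rua_fields = [f for f in fields[1:] if f.startswith("rua=")]
    if not rua_fields:
        return [], problems + ["no rua= field, so no report destination"]

    for field in rua_fields:
        for uri in field[len("rua="):].split(","):
            uri = uri.strip()
            parts = urlsplit(uri)
            # Only mailto: and https: report destinations are defined.
            if parts.scheme == "mailto" and "@" in parts.path:
                uris.append(uri)
            elif parts.scheme == "https" and parts.netloc:
                uris.append(uri)
            else:
                problems.append("unsupported or malformed report URI: " + repr(uri))
    return uris, problems

if __name__ == "__main__":
    # Constructed sample input: the record from this page plus an unrelated TXT string.
    sample = ["v=spf1 -all", "v=TLSRPTv1; rua=mailto:tls-reports@yourdomain.com"]
    print(check_tlsrpt(sample))
```

The check covers syntax only; it does not confirm that the mailbox or https: endpoint actually accepts reports.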
Monitor TLS health
DNS Doctors can process your TLS-RPT reports, surface failures, and alert you when encryption breaks.