TLS-RPT Checker

Learn how TLS-RPT provides visibility into email transport security and what our checker validates.

What is TLS-RPT?

SMTP TLS Reporting (TLS-RPT) is a standard that lets sending mail servers report the TLS connection successes and failures they observe when delivering email to your domain. It gives you visibility into how well your email transport security is working and helps you identify configuration issues before they impact mail delivery.

TLS-RPT works alongside MTA-STS and DANE to create a complete email transport security solution. While MTA-STS defines your encryption policy, TLS-RPT tells you whether senders can successfully comply with it.

How TLS-RPT Works

TLS-RPT uses a simple mechanism:

  1. DNS TXT record – You publish a record at _smtp._tls.yourdomain.com specifying where reports should be sent.

  2. Report generation – When sending servers attempt to deliver mail to your domain, they track TLS negotiation outcomes.

  3. Daily reports – Senders compile their observations into JSON reports and deliver them to your specified reporting address.

The DNS Record

Your TLS-RPT record tells senders where to send reports. A typical record looks like:

v=TLSRPTv1; rua=mailto:[email protected]

You can specify multiple report destinations, including HTTPS endpoints for automated processing:

v=TLSRPTv1; rua=mailto:[email protected],https://reports.example.com/tlsrpt

Understanding Reports

TLS-RPT reports contain valuable information about connection attempts:

  • Successful connections – Confirmation that TLS negotiation worked properly
  • Policy failures – Cases where senders couldn't satisfy your MTA-STS or DANE policy
  • Certificate errors – Issues with your mail server certificates
  • Connection failures – Problems establishing TLS connections

Reports help you identify misconfigurations, expiring certificates, or network issues affecting your email security posture.

Relationship with MTA-STS

TLS-RPT and MTA-STS are designed to work together:

  • MTA-STS declares your transport security policy and tells senders to use encryption
  • TLS-RPT provides feedback on whether senders can comply with your policy

When deploying MTA-STS in testing mode, TLS-RPT reports are essential for identifying issues before switching to enforcement. They show you which senders are experiencing problems and why.

What MailHealth Checks

Our TLS-RPT checker validates your configuration by examining:

  • Record existence – Confirms the TLS-RPT TXT record is published at the correct DNS location
  • Record syntax – Verifies the version tag and reporting URI format are valid
  • Reporting destinations – Checks that mailto and HTTPS endpoints are properly formatted
  • Policy coordination – Reviews whether TLS-RPT is deployed alongside MTA-STS for complete coverage
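
The record-existence, syntax and destination checks above, written out as an added example (this is not MailHealth's own code). It applies the record rules from RFC 8460 to TXT strings already fetched from _smtp._tls.<domain>; the function name check_tlsrpt and the sample records are constructed for illustration.

```python
from urllib.parse import urlsplit

VERSION = "v=TLSRPTv1"

def check_tlsrpt(txt_records):
    """Validate TXT strings already fetched from _smtp._tls.<domain>.

    Returns (ok, destinations, problems).
    """
    # Unrelated TXT records are ignored; exactly one TLS-RPT record must remain.
    candidates = [r.strip() for r in txt_records if r.strip().startswith(VERSION)]
    if len(candidates) != 1:
        return False, [], [f"expected 1 TLS-RPT record, found {len(candidates)}"]

    fields = [f.strip() for f in candidates[0].split(";") if f.strip()]
    problems, destinations, tags = [], [], {}
    if fields[0] != VERSION:
        problems.append(f"version tag must be exactly {VERSION}")
    for field in fields[1:]:
        key, sep, value = field.partition("=")
        if not sep:
            problems.append(f"malformed field: {field}")
        tags[key] = value

    rua = tags.get("rua", "")
    if not rua:
        problems.append("missing rua= tag, no report destination")
    for uri in filter(None, (u.strip() for u in rua.split(","))):
        parts = urlsplit(uri)
        local, _, domain = parts.path.partition("@")
        if parts.scheme == "mailto" and local and domain:
            destinations.append(uri)
        elif parts.scheme == "https" and parts.hostname:
            destinations.append(uri)
        else:
            problems.append(f"unsupported or malformed report URI: {uri}")
    return not problems, destinations, problems

# Constructed sample records (the mailbox and host are placeholders).
SAMPLES = {
    "valid": ["v=spf1 -all", "v=TLSRPTv1; rua=mailto:tlsrpt@example.com,https://reports.example.com/tlsrpt"],
    "plain http": ["v=TLSRPTv1; rua=http://reports.example.com/tlsrpt"],
    "duplicate": ["v=TLSRPTv1; rua=mailto:a@example.com", "v=TLSRPTv1; rua=mailto:b@example.com"],
    "no rua": ["v=TLSRPTv1;"],
}

if __name__ == "__main__":
    for name, records in SAMPLES.items():
        print(name, check_tlsrpt(records))
```

A domain that publishes two TLS-RPT records is treated as publishing none, so the duplicate case fails even though each record is valid on its own.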

Implementing TLS-RPT gives you visibility into your email transport security. Combined with MTA-STS, it ensures you can both enforce encryption and monitor compliance across the email ecosystem.
