DNS name
TLS-RPT is published as a TXT record at
_smtp._tls.example.com.
Email · TLS · TLS-RPT
TLS-RPT check
Check a domain’s TLS-RPT record and see where SMTP TLS delivery reports are sent.
Enter only the domain name, for example domain.com, without
the https:// prefix.
Enter a domain and start the check.
Guide · TLS-RPT
What does this TLS-RPT check do?
The TLS-RPT check shows whether a domain has published an SMTP TLS Reporting record. TLS-RPT tells sending mail services where reports about email TLS delivery issues can be sent.
Version
The record starts with v=TLSRPTv1, which identifies the
TLS-RPT version.
rua
The rua value defines the reporting address, for example
mailto:tls-rpt@example.com.
MTA-STS companion
TLS-RPT is especially useful together with MTA-STS because it helps detect TLS delivery problems.
Why does TLS-RPT matter?
When MTA-STS or email TLS protection is in use, TLS problems should be noticed early. TLS-RPT provides a way to receive reports about situations where a sending server cannot establish a secure connection to the recipient’s MX server.
TLS-RPT does not itself enforce TLS and does not replace MTA-STS, DANE or DNSSEC. Its role is reporting: it makes delivery problems more visible.
How to interpret the result
A good result means that the TXT record exists, the version is
TLSRPTv1 and the record contains at least one rua
reporting address. If no record is found, TLS-RPT is not enabled for the domain.
If there are multiple TLS-RPT records or the rua value is missing,
the configuration should be fixed. A typical record looks like
v=TLSRPTv1; rua=mailto:tls-rpt@example.com.
Frequently asked questions
Does TLS-RPT replace MTA-STS?
No. TLS-RPT reports problems, while MTA-STS defines the actual TLS policy for receiving email.
Is TLS-RPT required?
No, but it is a recommended addition especially when the domain uses MTA-STS.
Where should reports be sent?
Reports should be sent to an address or service that is actually monitored. Otherwise reporting has little practical value.