Free TLS-RPT Checker
Enter any domain below to check whether a TLS-RPT (SMTP TLS Reporting) record is published. We verify the DNS TXT record at _smtp._tls and parse the reporting destinations.
New to TLS-RPT? Read our MTA-STS and TLS-RPT Explained guide for a full explanation.
What Is TLS-RPT?
TLS-RPT (RFC 8460) allows domain owners to receive reports about TLS negotiation failures from sending mail servers. When a sender tries to deliver email to your domain and encounters a TLS problem (expired certificate, wrong hostname, failed MTA-STS validation), they can send a structured JSON report to the address specified in your TLS-RPT record.
Why Should You Enable TLS-RPT?
- Visibility: Without TLS-RPT, you have no way of knowing when senders fail to establish a secure connection to your mail servers.
- MTA-STS Companion: TLS-RPT is designed to work alongside MTA-STS. If you enforce TLS via MTA-STS, TLS-RPT tells you when enforcement causes delivery failures.
- Certificate Monitoring: TLS-RPT reports can alert you to certificate issues on your MX servers before they cause widespread delivery problems.
- Simple to Deploy: A single DNS TXT record is all you need. No server-side changes required.
How This Tool Works
We query the DNS TXT record at _smtp._tls.yourdomain.com and parse the v=TLSRPTv1 record to extract the reporting destinations (rua). Results are instant and completely free.
How to Set Up TLS-RPT
Setting up TLS-RPT requires a single DNS TXT record. Create a record at _smtp._tls.yourdomain.com with the value:
Replace the email address with wherever you want to receive reports. You can also use an HTTPS endpoint instead of mailto: if you want to process reports programmatically. Reports are sent as JSON (RFC 8460) and typically arrive daily.
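The parsing step this page describes, as an added Python example (not this tool's own code): it applies the RFC 8460 rule that exactly one v=TLSRPTv1 record must exist, then extracts the mailto: and https: destinations from rua. The function names and the sample TXT strings with example.com addresses are constructed for illustration, and the DNS lookup itself is assumed to have already returned the TXT strings.

```python
from urllib.parse import urlsplit

VERSION = "TLSRPTv1"


class TlsRptError(ValueError):
    """Raised when no usable TLS-RPT policy can be derived."""


def parse_record(txt):
    """Parse one TXT value into {'v': ..., 'rua': [...]}."""
    fields = [f.strip() for f in txt.split(";") if f.strip()]
    if not fields or fields[0] != "v=" + VERSION:
        raise TlsRptError("record must start with v=TLSRPTv1")
    rua = []
    for field in fields[1:]:
        key, sep, value = field.partition("=")
        if key != "rua" or not sep:
            continue  # unknown extension fields are ignored
        for uri in (u.strip() for u in value.split(",")):
            parts = urlsplit(uri)
            # Only mailto: and https: are valid report destinations.
            if parts.scheme == "mailto" and "@" in parts.path:
                rua.append(uri)
            elif parts.scheme == "https" and parts.netloc:
                rua.append(uri)
    if not rua:
        raise TlsRptError("no valid mailto: or https: rua destination")
    return {"v": VERSION, "rua": rua}


def select_policy(txt_records):
    """Keep only v=TLSRPTv1 records; anything other than exactly one means no policy."""
    candidates = [r for r in txt_records
                  if r.split(";")[0].strip() == "v=" + VERSION]
    if len(candidates) != 1:
        raise TlsRptError(f"expected exactly one TLS-RPT record, found {len(candidates)}")
    return parse_record(candidates[0])


# Constructed TXT answers for _smtp._tls.example.com (placeholder addresses).
SAMPLE = [
    "unrelated=constructed-value",
    "v=TLSRPTv1; rua=mailto:tlsrpt@example.com, https://reports.example.com/v1/tlsrpt",
]

if __name__ == "__main__":
    print(select_policy(SAMPLE))
```

A domain that publishes two v=TLSRPTv1 records is treated the same as one that publishes none, so a leftover record from an earlier reporting provider silently disables reporting.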
What Do TLS-RPT Reports Contain?
- Policy type: Whether the failure was against MTA-STS, DANE, or no policy.
- Failure details: The specific TLS error (certificate expired, hostname mismatch, handshake failure, etc.).
- Sending MTA: The IP address and hostname of the server that attempted delivery.
- Receiving MX: Which of your MX servers was involved in the failure.
- Count: How many sessions experienced this failure during the reporting period.
Need Automated Monitoring?
This free tool is great for one-off checks. If you need continuous monitoring across all your domains, join the early access list for up to 90 days free.
Want the full picture?
Our Security Grade checks TLS-RPT alongside MTA-STS, DMARC, SPF, DNSSEC, CAA, SSL, and domain registration in one scan.
Frequently Asked Questions
Do I need MTA-STS to use TLS-RPT?
No, TLS-RPT works independently. However, they are designed as companions. TLS-RPT without MTA-STS will still report on opportunistic TLS failures, but adding MTA-STS gives you enforcement and makes the reports more actionable.
How often are TLS-RPT reports sent?
RFC 8460 recommends daily reporting. Most major email providers (Google, Microsoft, Yahoo) send reports once every 24 hours, though the exact timing varies.
Will TLS-RPT reports flood my inbox?
For most domains, you will receive one report per sending provider per day. High-volume domains may receive more. Consider using a dedicated mailbox or an HTTPS reporting endpoint to handle volume.
Does TLS-RPT affect my Security Grade?
Yes. TLS-RPT is a check in the Security Grade framework. Publishing a TLS-RPT record is one of the requirements for reaching a strong Security Grade.