Free TLS-RPT Checker
Enter any domain below to check whether a TLS-RPT (SMTP TLS Reporting) record is published. We verify the DNS TXT record at _smtp._tls and parse the reporting destinations.
New to TLS-RPT? Read our MTA-STS and TLS-RPT Explained guide for a full explanation.
What is TLS-RPT?
TLS-RPT (RFC 8460) allows domain owners to receive reports about TLS negotiation failures from sending mail servers. When a sender tries to deliver email to your domain and encounters a TLS problem (expired certificate, wrong hostname, failed MTA-STS validation), they can send a structured JSON report to the address specified in your TLS-RPT record.
Why Should You Enable TLS-RPT?
- Visibility: Without TLS-RPT, you have no way of knowing when senders fail to establish a secure connection to your mail servers.
- MTA-STS Companion: TLS-RPT is designed to work alongside MTA-STS. If you enforce TLS via MTA-STS, TLS-RPT tells you when enforcement causes delivery failures.
- Certificate Monitoring: TLS-RPT reports can alert you to certificate issues on your MX servers before they cause widespread delivery problems.
- Simple to Deploy: A single DNS TXT record is all you need. No server-side changes required.
How This Tool Works
We query the DNS TXT record at _smtp._tls.yourdomain.com and parse the v=TLSRPTv1 record to extract the reporting destinations (rua). Results are instant and completely free.
How to Set Up TLS-RPT
Setting up TLS-RPT requires a single DNS TXT record. Create a record at _smtp._tls.yourdomain.com with the value:
Replace the email address with wherever you want to receive reports. You can also use an HTTPS endpoint instead of mailto: if you want to process reports programmatically. Reports are sent as JSON (RFC 8460) and typically arrive daily.
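The check described above (find the TXT value at _smtp._tls that starts with v=TLSRPTv1, then extract the rua destinations) can be sketched as follows. This is an added example, not this tool's own code. The function names, the example.com destinations and the sample TXT values are constructed, and DNS lookup is left out so it runs offline.

```python
from urllib.parse import urlsplit

VERSION = "v=TLSRPTv1"

def split_fields(record):
    """Split a TXT value on ';' and drop surrounding whitespace and empty fields."""
    return [f.strip() for f in record.split(";") if f.strip()]

def parse_tlsrpt(txt_records):
    """Return (destinations, problems) for the TXT values found at _smtp._tls.<domain>.

    Assumes each value is already one string (multi-string TXT chunks joined).
    """
    # RFC 8460 section 3: ignore values that do not start with the version tag;
    # unless exactly one remains, the domain is treated as not using TLS-RPT.
    candidates = [f for f in map(split_fields, txt_records) if f and f[0] == VERSION]
    if len(candidates) != 1:
        return [], [f"expected exactly one {VERSION} record, found {len(candidates)}"]

    rua = None
    # Fields other than rua (extensions) are skipped rather than treated as errors.
    for field in candidates[0][1:]:
        key, sep, value = field.partition("=")
        if sep and key.strip() == "rua":
            rua = value
            break
    if rua is None:
        return [], ["record has no rua field, so no reports can be delivered"]

    destinations, problems = [], []
    for uri in (u.strip() for u in rua.split(",")):
        parts = urlsplit(uri)
        if parts.scheme == "mailto" and "@" in parts.path:
            destinations.append(uri)
        elif parts.scheme == "https" and parts.netloc:
            destinations.append(uri)
        else:
            # Only mailto: and https: are valid report destinations.
            problems.append(f"unsupported rua URI: {uri!r}")
    return destinations, problems

# Constructed sample input: one unrelated TXT value and one TLS-RPT record.
SAMPLE = [
    "site-verification=constructed-token",
    "v=TLSRPTv1; rua=mailto:tlsrpt@example.com, https://reports.example.com/v1/tlsrpt;",
]

if __name__ == "__main__":
    print(parse_tlsrpt(SAMPLE))
```

Publishing two v=TLSRPTv1 records at the same name is the failure worth testing for: senders then treat the domain as having no TLS-RPT at all, so no reports arrive.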
What Do TLS-RPT Reports Contain?
- Policy type: Whether the failure was against MTA-STS, DANE, or no policy.
- Failure details: The specific TLS error (certificate expired, hostname mismatch, handshake failure, etc.).
- Sending MTA: The IP address and hostname of the server that attempted delivery.
- Receiving MX: Which of your MX servers was involved in the failure.
- Count: How many sessions experienced this failure during the reporting period.
Need Automated Monitoring?
This free tool is great for one-off checks. If you need continuous monitoring across all your domains, start a free trial of up to 90 days.
Want the full picture?
Our Security Grade checks TLS-RPT alongside MTA-STS, DMARC, SPF, DNSSEC, CAA, SSL, and domain registration in one scan.
Frequently Asked Questions
Do I need MTA-STS to use TLS-RPT?
No, TLS-RPT works independently. However, they are designed as companions. TLS-RPT without MTA-STS will still report on opportunistic TLS failures, but adding MTA-STS gives you enforcement and makes the reports more actionable.
How often are TLS-RPT reports sent?
RFC 8460 recommends daily reporting. Most major email providers (Google, Microsoft, Yahoo) send reports once every 24 hours, though the exact timing varies.
Will TLS-RPT reports flood my inbox?
For most domains, you will receive one report per sending provider per day. High-volume domains may receive more. Consider using a dedicated mailbox or an HTTPS reporting endpoint to handle volume.
Does TLS-RPT affect my Security Grade?
Yes. TLS-RPT is a check in the Security Grade framework. Publishing a TLS-RPT record is one of the requirements for reaching a strong Security Grade.