TLS-RPT Reports
TLS-RPT (TLS Reporting, RFC 8460) provides visibility into the security of email connections to your domain. When other mail servers send email to you, TLS-RPT reports tell you whether those connections used encryption (TLS) successfully.
Why TLS-RPT Matters
- Verify encryption — Confirm that email to your domain is encrypted in transit
- Detect failures — Identify TLS negotiation problems that could expose email to interception
- MTA-STS compliance — Monitor whether your MTA-STS policy is being enforced
Viewing TLS Reports
Navigate to DMARC → TLS-RPT. The dashboard shows:
- Successful connections — Encrypted email connections that worked
- Failed connections — TLS negotiations that failed (with reasons)
- 30-day summary — Aggregate success rate and trend
Common Failure Reasons
- Certificate expired — Your mail server's TLS certificate needs renewal
- Certificate mismatch — The certificate doesn't match your domain name
- Policy violation — The connection didn't meet your MTA-STS policy requirements
- STARTTLS not supported — The sending server doesn't support encryption
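As an added example (not part of the original page or the product's own code), the following Python code shows how the success, failure and per-reason figures described above can be derived from a single RFC 8460 JSON report. The sample report, its domains, IPs and counts are constructed, and the function name summarize is hypothetical.

```python
import json
from collections import Counter

# Constructed sample report using RFC 8460 JSON field names.
# Domains, IPs and counts are made up for illustration.
SAMPLE_REPORT = json.dumps({
    "date-range": {"start-datetime": "2024-01-01T00:00:00Z",
                   "end-datetime": "2024-01-01T23:59:59Z"},
    "report-id": "constructed-0001",
    "policies": [
        {"policy": {"policy-type": "sts",
                    "policy-domain": "yourdomain.example"},
         "summary": {"total-successful-session-count": 950,
                     "total-failure-session-count": 50},
         "failure-details": [
             {"result-type": "certificate-expired",
              "sending-mta-ip": "192.0.2.10",
              "receiving-mx-hostname": "mx1.yourdomain.example",
              "failed-session-count": 40},
             {"result-type": "starttls-not-supported",
              "sending-mta-ip": "192.0.2.11",
              "receiving-mx-hostname": "mx1.yourdomain.example",
              "failed-session-count": 10}]},
        # A policy entry with no failures may omit failure-details.
        {"policy": {"policy-type": "no-policy-found",
                    "policy-domain": "yourdomain.example"},
         "summary": {"total-successful-session-count": 20,
                     "total-failure-session-count": 0}},
    ],
})

def summarize(report_json):
    """Return (successes, failures, success_rate, failures_by_result_type)."""
    report = json.loads(report_json)
    ok = failed = 0
    reasons = Counter()
    for entry in report.get("policies", []):
        summary = entry.get("summary", {})
        ok += int(summary.get("total-successful-session-count", 0))
        failed += int(summary.get("total-failure-session-count", 0))
        for detail in entry.get("failure-details") or []:
            reasons[detail.get("result-type", "unknown")] += int(
                detail.get("failed-session-count", 0))
    total = ok + failed
    rate = ok / total if total else None  # None when no sessions reported
    return ok, failed, rate, dict(reasons)

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

Reports are usually delivered as gzip-compressed JSON attachments, so decompress them before passing the text to summarize.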
Setting Up TLS-RPT
To receive TLS reports, add a DNS TXT record at _smtp._tls.yourdomain.com:
v=TLSRPTv1; rua=mailto:[email protected]
Use the TLS-RPT Checker tool to validate your configuration.