SimpleDMARC

Free TLS-RPT Record Checker

Ensure your domain is configured to receive TLS reports (SMTP TLS Reporting) to monitor email connection security.

What Is TLS-RPT?

SMTP TLS Reporting (TLS-RPT), defined in RFC 8460, is the reporting companion to MTA-STS and DANE. It instructs sending mail servers to send you reports about TLS negotiation successes and failures when delivering email to your domain. Without TLS-RPT, you have no visibility into whether encrypted delivery is working as intended — TLS failures are silent by default. Reports are delivered as JSON files containing details about certificate validation failures, MTA-STS policy fetch errors, DANE validation issues, and TLS handshake problems.

What Our Checker Validates

Our tool queries DNS for the TXT record at _smtp._tls.yourdomain.com and validates its syntax. It checks that the v=TLSRPTv1 version tag is present, that at least one reporting URI (rua) is specified, and that each URI is correctly formatted: either a mailto: address for email delivery or an https: endpoint for JSON POST submission. The tool also flags missing records, extra whitespace, invalid characters, and incorrect DNS record placement.
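
The checks listed above, written as a validator. This Python is an added example, not SimpleDMARC's own checker code; it applies the RFC 8460 record grammar to TXT strings already fetched from _smtp._tls.<domain>, and the function names and the example.com sample records are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

VERSION = "v=TLSRPTv1"  # RFC 8460 version tag; case-sensitive and must be the first field

def check_rua_uri(uri):
    """Return an error string for one rua URI, or None if it is acceptable."""
    if re.search(r"[\s!]", uri):
        return f"whitespace and '!' must be percent-encoded: {uri!r}"
    parts = urlsplit(uri)
    if parts.scheme == "mailto":
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", parts.path):
            return f"mailto target is not an address: {uri!r}"
    elif parts.scheme == "https":
        if not parts.hostname:
            return f"https URI has no host: {uri!r}"
    else:
        return f"scheme must be mailto or https: {uri!r}"
    return None

def validate_tlsrpt(txt_records):
    """Validate TXT strings found at _smtp._tls.<domain>; returns (ruas, errors)."""
    candidates = [r for r in txt_records if r.startswith(VERSION)]
    if not candidates:
        return [], ["no record starting with v=TLSRPTv1"]
    if len(candidates) > 1:
        return [], ["multiple TLSRPTv1 records; senders treat the domain as having none"]
    fields = [f.strip() for f in candidates[0].split(";")]
    if fields[0] != VERSION:
        return [], [f"malformed version field: {fields[0]!r}"]
    ruas, errors = [], []
    for field in filter(None, fields[1:]):  # tolerate a trailing ';'
        name, sep, value = field.partition("=")
        if not sep:
            errors.append(f"field without '=': {field!r}")
        elif name == "rua":  # a literal ',' separates URIs, so it cannot appear unencoded
            for uri in (u.strip() for u in value.split(",")):
                err = check_rua_uri(uri)
                if err:
                    errors.append(err)
                else:
                    ruas.append(uri)
    if not ruas and not errors:
        errors.append("no rua reporting URI present")
    return ruas, errors

# Constructed sample records (example.com is a placeholder domain).
GOOD = ["v=TLSRPTv1; rua=mailto:tlsrpt@example.com, https://reports.example.com/v1/tlsrpt;"]
BAD = ["v=TLSRPTv1; rua=http://reports.example.com/v1/tlsrpt"]
```

Unrecognized fields are ignored rather than rejected, so a record carrying future extension fields still validates as long as its rua is well formed.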

Why TLS-RPT Matters for Your Security Posture

TLS-RPT provides the operational intelligence needed to maintain transport encryption. Without it, you cannot know if sending servers are failing to negotiate TLS with your MX hosts, which could mean emails are being delivered in plain text or failing to deliver entirely. This is especially important when deploying MTA-STS in enforce mode — TLS-RPT reports will immediately alert you to any legitimate senders that cannot negotiate TLS, allowing you to address the issue before it impacts email delivery.

Frequently Asked Questions

What is TLS-RPT?
TLS-RPT (SMTP TLS Reporting) is a protocol that allows domain owners to receive reports on email delivery failures caused by TLS issues.
How does TLS-RPT work?
It works alongside MTA-STS. When an email server encounters a TLS issue, it checks your TLS-RPT record to see where to send the failure report.
Why do I need TLS-RPT?
Without TLS-RPT, you might not know if legitimate emails are failing to be delivered due to encryption or certificate errors.
Where is the TLS-RPT record published?
Publish as a TXT record at _smtp._tls.yourdomain.com.
Can I use an email address or HTTPS endpoint for reports?
Both are supported. mailto: delivers JSON reports via email. https: submits reports via POST request to your endpoint. HTTPS is better for automated processing and high-volume domains.
How often are TLS-RPT reports sent?
Reports are typically sent daily by sending servers, covering a 24-hour period of delivery attempts to your domain.
Does TLS-RPT work without MTA-STS?
Yes. TLS-RPT reports on TLS negotiation outcomes regardless of whether MTA-STS is deployed. However, they are most valuable when used alongside MTA-STS or DANE.