TLS-RPT

TLS-RPT, or SMTP TLS Reporting (RFC 8460), is a standard that lets a domain owner receive reports from sending mail servers about the success or failure of TLS-protected email delivery to that domain. It provides visibility into whether mail sent to the domain is delivered over encrypted, authenticated connections, and surfaces problems such as certificate validation errors, STARTTLS negotiation failures, or conflicts with the domain's published transport policy that would otherwise go unnoticed by the receiving side.

TLS-RPT works by publishing a DNS TXT record at _smtp._tls.<domain> (for example _smtp._tls.example.com) whose rua tag names one or more reporting endpoints, either a mailto: address or an https: URL. Sending mail servers that support the standard record the outcome of every TLS session they attempt to the domain over a reporting period, then send one aggregate report to the configured endpoint. Reports count successful sessions as well as failed ones, so the data describes how the domain's mail infrastructure performs from a transport security perspective, not just when it breaks.
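As an added example (not code from the original page), the following Python parses a TLS-RPT TXT record value the way a report-sending MTA would and rejects the kinds of misconfiguration this page lists later, such as a reporting address with no mailto: or https: scheme. The record strings and domain names are constructed placeholders.

```python
"""Parse and sanity-check a TLS-RPT DNS TXT record (RFC 8460 section 3).

Added example, not code from the original page. The records and domain
names below are constructed placeholders (assumption).
"""
from urllib.parse import urlparse


def tlsrpt_query_name(domain: str) -> str:
    """Return the DNS name a report sender queries for the TLS-RPT record."""
    return f"_smtp._tls.{domain.strip('.')}"


def parse_tlsrpt_record(txt: str) -> dict:
    """Return {'v': 'TLSRPTv1', 'rua': [uri, ...]} or raise ValueError.

    Rejects what a report-sending MTA would refuse: a version tag that is
    missing, wrong or not first, a missing or empty rua tag, and rua URIs
    whose scheme is neither mailto: nor https:. Unknown tags are ignored,
    as the RFC requires for extensions.
    """
    # Fields are ';'-separated with optional whitespace; a trailing ';' is legal.
    fields = [f.strip() for f in txt.split(";")]
    if fields and fields[-1] == "":
        fields.pop()
    if not fields:
        raise ValueError("empty record")

    tags = {}
    for field in fields:
        if "=" not in field:
            raise ValueError(f"malformed field: {field!r}")
        name, value = (part.strip() for part in field.split("=", 1))
        tags[name] = value

    # The version tag must come first and must be exactly TLSRPTv1.
    if fields[0].split("=", 1)[0].strip() != "v" or tags["v"] != "TLSRPTv1":
        raise ValueError("record must begin with v=TLSRPTv1")
    if not tags.get("rua"):
        raise ValueError("rua tag is required and must not be empty")

    uris = [u.strip() for u in tags["rua"].split(",")]
    for uri in uris:
        scheme = urlparse(uri).scheme.lower()
        if scheme not in ("mailto", "https"):
            raise ValueError(f"rua URI needs a mailto: or https: scheme: {uri!r}")
        if scheme == "mailto" and "@" not in uri:
            raise ValueError(f"mailto: rua without a mailbox: {uri!r}")
    return {"v": "TLSRPTv1", "rua": uris}


def check_record(txt: str) -> str:
    """Human-readable verdict, convenient for a scheduled monitoring check."""
    try:
        parsed = parse_tlsrpt_record(txt)
    except ValueError as exc:
        return f"INVALID: {exc}"
    return "OK: reports go to " + ", ".join(parsed["rua"])


if __name__ == "__main__":
    # Constructed records: one good, and the "misconfigured reporting address"
    # case from this page (a bare mailbox with no mailto: scheme).
    print(tlsrpt_query_name("receiver.example"))
    print(check_record("v=TLSRPTv1; rua=mailto:tlsrpt@receiver.example"))
    print(check_record("v=TLSRPTv1; rua=tlsrpt@receiver.example"))
```

In practice the record value would come from a live TXT lookup of the name returned by tlsrpt_query_name; the parser is deliberately strict so that a record senders would silently ignore shows up as a finding rather than as an absence of reports.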

This protocol is commonly deployed alongside MTA-STS (it also reports on DANE, the other transport policy mechanism RFC 8460 covers). MTA-STS enforces the requirement that mail be delivered over validated TLS; TLS-RPT provides the monitoring layer that shows which senders fail to meet that requirement and why. Together they form an enforcement and feedback loop for transport layer security in email systems, and TLS-RPT is normally switched on while MTA-STS is still in testing mode so that a policy can be checked against real traffic before it is enforced.

Advanced

TLS-RPT reports are JSON documents summarising a defined reporting period, normally 24 hours. When sent by email they arrive as gzip-compressed attachments (application/tlsrpt+gzip); when posted to an https: endpoint they are sent as application/tlsrpt+json. The rua tag in the DNS record defines where reports go. Each report identifies the reporting organisation, the date range and a report-id, then lists one block per policy the sender applied (MTA-STS, DANE, or no policy found). Each block carries a summary of successful and failed session counts and, for failures, failure-details entries with the result-type, the sending MTA's IP address, the receiving MX hostname and IP, the number of failed sessions, and an optional failure-reason-code.

RFC 8460 defines a fixed set of result-type values. Negotiation and certificate failures cover starttls-not-supported, certificate-host-mismatch, certificate-expired and certificate-not-trusted, with validation-failure as the catch-all for other handshake and validation errors (such as no mutually supported protocol version), which should carry a failure-reason-code. Policy failures cover sts-policy-fetch-error, sts-policy-invalid and sts-webpki-invalid for MTA-STS, and tlsa-invalid, dnssec-invalid and dane-required for DANE. Large scale environments integrate TLS-RPT with log aggregation or security monitoring platforms so that these counts are parsed, trended and alerted on automatically.

Effective use of TLS-RPT requires consistent parsing and review of incoming reports; without analysis the data provides little value. A certificate failure against one MX host points at certificate management, a policy fetch error points at the MTA-STS policy host or its HTTPS certificate, and starttls-not-supported points at the MX configuration itself. Organisations should route each class of finding to the team that owns that component so that MTA-STS can be moved to, and kept in, enforce mode without losing mail.
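The report structure and failure classes described above, as an added example that is not part of the original page: this Python decodes a report as a sender delivers it (raw or gzip-compressed JSON), aggregates the session counts and failure types the Metrics section calls for, and turns them into the findings a monitoring pipeline would alert on. SAMPLE_REPORT is a constructed report in the RFC 8460 schema; every name, address and count in it is a placeholder, and the alert threshold is this example's choice.

```python
"""Decode a TLS-RPT aggregate report (RFC 8460) and derive monitoring metrics.

Added example, not code from the original page. SAMPLE_REPORT is constructed
in the RFC 8460 JSON schema; every name, address and count is a placeholder.
"""
import gzip
import json
from collections import Counter

# result-type values from RFC 8460, grouped by what they imply for the receiver.
NEGOTIATION = {"starttls-not-supported"}
CERTIFICATE = {"certificate-host-mismatch", "certificate-expired",
               "certificate-not-trusted", "validation-failure"}
POLICY = {"sts-policy-fetch-error", "sts-policy-invalid", "sts-webpki-invalid",
          "tlsa-invalid", "dnssec-invalid", "dane-required"}

SAMPLE_REPORT = {  # constructed sample (assumption)
    "organization-name": "Sender-Org",
    "date-range": {"start-datetime": "2024-05-01T00:00:00Z",
                   "end-datetime": "2024-05-01T23:59:59Z"},
    "contact-info": "tlsrpt@sender.example",
    "report-id": "2024-05-01T00:00:00Z_receiver.example",
    "policies": [{
        "policy": {"policy-type": "sts",
                   "policy-string": ["version: STSv1", "mode: enforce",
                                     "mx: *.mail.receiver.example", "max_age: 604800"],
                   "policy-domain": "receiver.example",
                   "mx-host": ["*.mail.receiver.example"]},
        "summary": {"total-successful-session-count": 5326,
                    "total-failure-session-count": 303},
        "failure-details": [
            {"result-type": "certificate-expired", "sending-mta-ip": "2001:db8::1",
             "receiving-mx-hostname": "mx1.mail.receiver.example",
             "receiving-ip": "192.0.2.10", "failed-session-count": 100},
            # No connection was made, so no receiving MX is recorded.
            {"result-type": "sts-policy-fetch-error", "sending-mta-ip": "2001:db8::2",
             "failed-session-count": 200, "failure-reason-code": "https fetch timed out"},
            {"result-type": "starttls-not-supported", "sending-mta-ip": "2001:db8::3",
             "receiving-mx-hostname": "mx2.mail.receiver.example",
             "receiving-ip": "192.0.2.11", "failed-session-count": 3},
        ],
    }],
}


def encode_report(report: dict, compress: bool = True) -> bytes:
    """What a sender ships: application/tlsrpt+gzip by mail, +json over HTTPS."""
    raw = json.dumps(report).encode("utf-8")
    return gzip.compress(raw) if compress else raw


def load_report(raw: bytes) -> dict:
    """Parse report bytes, decompressing first if they carry the gzip magic."""
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    return json.loads(raw.decode("utf-8"))


def summarise(report: dict) -> dict:
    """Aggregate session counts across all policy blocks in one report."""
    ok = failed = policy_failures = 0
    by_result, by_mx = Counter(), Counter()
    for block in report["policies"]:
        ok += block["summary"]["total-successful-session-count"]
        failed += block["summary"]["total-failure-session-count"]
        for d in block.get("failure-details", []):
            n = d["failed-session-count"]
            by_result[d["result-type"]] += n
            by_mx[d.get("receiving-mx-hostname", "<no-connection>")] += n
            if d["result-type"] in POLICY:
                policy_failures += n
    total = ok + failed
    return {"organization": report["organization-name"], "report_id": report["report-id"],
            "sessions": total, "failure_rate": failed / total if total else 0.0,
            "by_result_type": dict(by_result), "by_receiving_mx": dict(by_mx),
            "policy_failures": policy_failures}


def findings(summary: dict, max_failure_rate: float = 0.01) -> list:
    """Conditions worth paging on; the 1% threshold is this example's choice."""
    out = []
    if summary["failure_rate"] > max_failure_rate:
        out.append(f"failure rate {summary['failure_rate']:.1%} above {max_failure_rate:.0%}")
    if summary["policy_failures"]:
        out.append(f"{summary['policy_failures']} sessions hit MTA-STS/DANE policy errors")
    for rt, n in summary["by_result_type"].items():
        if rt in CERTIFICATE:
            out.append(f"{n} sessions: {rt} (check MX certificates)")
        elif rt in NEGOTIATION:
            out.append(f"{n} sessions: {rt} (MX offered no STARTTLS)")
    return out


if __name__ == "__main__":
    s = summarise(load_report(encode_report(SAMPLE_REPORT)))
    print(json.dumps(s, indent=2))
    print("\n".join(findings(s)))
```

Keying the failure counts by receiving-mx-hostname is what makes the report actionable: it tells the receiving team which of their own hosts senders are failing against, while the sending-mta-ip fields show whether a failure is one sender's problem or everyone's.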

Relevance

  • Provides visibility into encrypted email delivery performance
  • Identifies TLS failures and misconfigurations
  • Supports monitoring of MTA-STS enforcement
  • Strengthens overall email transport security

Applications

  • Monitoring TLS success and failure rates across inbound email
  • Detecting certificate and encryption issues
  • Validating secure email delivery policies
  • Integrating with security monitoring and reporting systems

Metrics

  • TLS success versus failure rates
  • Volume and type of TLS-related errors
  • Certificate validation failure frequency
  • MTA-STS compliance and enforcement rates

Issues

  • Lack of implementation resulting in no visibility
  • Misconfigured reporting address causing lost reports
  • Difficulty analysing JSON reports without tooling
  • Ignoring reports allowing ongoing security gaps

Example

An organisation enables MTA-STS in enforce mode and configures TLS-RPT reporting. Over time, the reports it receives show that some external mail servers fail certificate validation against one of its MX hosts because the certificate on that host is outdated, with the receiving-mx-hostname and result-type fields pinpointing the host and the failure class. Using this data, the organisation fixes the certificate on the affected host and confirms in subsequent reports that the failure counts fall and the secure delivery rate improves.