TLS-RPT

TLS-RPT reports on mail encryption success and failure. Learn how TLS-RPT works with MTA-STS and how DMARCeye helps monitor secure email delivery.


What is TLS-RPT?

TLS-RPT (SMTP TLS Reporting) is an email security standard that enables domain owners to receive reports about Transport Layer Security (TLS) issues occurring during mail delivery.

Defined in RFC 8460, TLS-RPT works alongside MTA-STS (Mail Transfer Agent Strict Transport Security) to help organizations monitor and troubleshoot encrypted email connections. While MTA-STS enforces TLS encryption between mail servers, TLS-RPT provides the visibility, reporting whether those connections succeeded, failed, or were downgraded.

A typical TLS-RPT DNS record looks like this:

 _smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"
 

This record tells sending mail servers where to send daily reports about TLS connectivity results for your domain.

How TLS-RPT Works

When a mail server attempts to deliver a message to your domain, it tries to establish a secure TLS connection. The sending server checks for your MTA-STS policy and then reports back on whether the encrypted connection succeeded or failed.

TLS-RPT collects this data and sends JSON-formatted aggregate reports (usually daily) to the address specified in your DNS record via the rua tag.

Each report typically includes:

  • The reporting server’s domain and organization
  • Success and failure counts
  • Error types (e.g., certificate mismatch, unsupported TLS version, STARTTLS downgrade)
  • The time window of reported events

These reports allow administrators to detect encryption problems, misconfigurations, and malicious activity that might be preventing secure mail delivery.
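As an added illustration (not DMARCeye's code), the Python sketch below summarizes one aggregate report using the JSON field names from RFC 8460. The sample report is constructed, and the 1% alert threshold and the choice of starttls-not-supported as a downgrade hint are assumptions made for this example.

```python
import json
from collections import Counter

# Constructed sample report; field names follow the RFC 8460 JSON schema.
SAMPLE_REPORT = json.dumps({
    "organization-name": "Sender Corp (constructed)",
    "date-range": {"start-datetime": "2024-01-01T00:00:00Z",
                   "end-datetime": "2024-01-01T23:59:59Z"},
    "report-id": "constructed-0001",
    "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "example.com"},
        "summary": {"total-successful-session-count": 980,
                    "total-failure-session-count": 20},
        "failure-details": [
            {"result-type": "certificate-expired",
             "receiving-mx-hostname": "mx1.example.com",
             "failed-session-count": 15},
            {"result-type": "starttls-not-supported",
             "receiving-mx-hostname": "mx2.example.com",
             "failed-session-count": 5},
        ],
    }],
})

# Assumption: result types treated here as a hint that TLS was stripped.
DOWNGRADE_HINTS = {"starttls-not-supported"}

def summarize(report_json, alert_ratio=0.01):
    """Return one summary dict per policy entry in a TLS-RPT report."""
    report = json.loads(report_json)
    window = report.get("date-range", {})
    out = []
    for entry in report.get("policies", []):
        summary = entry.get("summary", {})
        ok = int(summary.get("total-successful-session-count", 0))
        bad = int(summary.get("total-failure-session-count", 0))
        by_type = Counter()
        for d in entry.get("failure-details", []):  # optional in a report
            by_type[d.get("result-type", "unknown")] += int(d.get("failed-session-count", 0))
        total = ok + bad
        ratio = bad / total if total else 0.0
        out.append({
            "reporter": report.get("organization-name"),
            "window": (window.get("start-datetime"), window.get("end-datetime")),
            "domain": entry.get("policy", {}).get("policy-domain"),
            "failure_ratio": ratio,
            "by_type": dict(by_type),
            "alert": ratio >= alert_ratio,
            "possible_downgrade": any(t in by_type for t in DOWNGRADE_HINTS),
        })
    return out
```

Reports usually arrive as gzip-compressed JSON attachments, so decompress the attachment before passing its text to summarize().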

Why TLS-RPT Is Important for Secure Mail Transport

Without TLS-RPT, an organization might never know if messages are being transmitted unencrypted, intercepted, or rejected because of certificate issues.

Implementing TLS-RPT helps you:

  • Verify encryption coverage for all inbound and outbound mail.
  • Identify configuration errors in MTA-STS or mail server certificates.
  • Detect downgrade attacks, where attackers attempt to strip TLS from SMTP connections.
  • Maintain compliance with data protection regulations requiring encrypted communications.

In combination with MTA-STS, TLS-RPT provides both policy enforcement and visibility, helping ensure that sensitive data stays protected in transit.

TLS-RPT and DMARCeye

DMARCeye extends visibility beyond authentication to include transport security by monitoring related DNS records like TLS-RPT and MTA-STS.

Through its domain reporting interface, DMARCeye helps you confirm that your TLS-RPT configuration is valid, your reports are being received, and that no systemic TLS issues are affecting your email infrastructure.

By combining authentication insights (from DMARC) and transport-layer reporting (from TLS-RPT), DMARCeye gives organizations a full view of both who is sending email on their behalf and how securely those messages are being delivered.

Sign up for a free trial of DMARCeye today and secure your email domain.


To learn more about DMARC and DMARC-related terms, explore the DMARCeye Glossary.

