Free TLS-RPT Checker

Verify your domain's TLS-RPT configuration in seconds. Check DNS records, reporting destinations, and STARTTLS support — all in one scan.

Free, no account required. Enter any domain to get started.

What is TLS-RPT?

TLS-RPT (SMTP TLS Reporting) is an email security standard defined in RFC 8460. It provides a mechanism for mail servers to report failures in TLS negotiation back to domain owners. Without TLS-RPT, you have no visibility into whether senders can actually establish encrypted connections with your mail servers.

When a sending server tries to deliver email to your domain and encounters a TLS problem — an expired certificate, a failed STARTTLS upgrade, or a policy violation — TLS-RPT ensures you hear about it. Reports are delivered as JSON files, typically once per day, to a destination you specify in your DNS.

The protocol works through a single DNS TXT record at _smtp._tls.yourdomain.com that specifies where reports should be sent using a rua= tag. This can be a mailto: address for email delivery or an https: endpoint for automated processing.

TLS-RPT is designed to work alongside MTA-STS and DANE. While MTA-STS and DANE enforce encryption policies, TLS-RPT gives you the feedback loop to know whether those policies are working as intended across all senders.

What this checker verifies

Our TLS-RPT checker performs a comprehensive scan of your domain's configuration and reports issues with clear explanations.

DNS Record Validation

Verifies that your _smtp._tls TXT record exists, is correctly formatted, and contains a valid v=TLSRPTv1 version tag.

Reporting Destination

Checks that the rua= tag points to a valid reporting destination (mailto: or https: URI) where TLS failure reports will be delivered.

STARTTLS Support

Connects to your MX servers and verifies that they support STARTTLS, which is the encryption mechanism that TLS-RPT monitors.

MTA-STS Alignment

Checks whether your domain also has an MTA-STS policy. TLS-RPT works best alongside MTA-STS, providing visibility into encryption enforcement.
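The DNS record and reporting destination checks described above can be reproduced offline. The following is an added example, not MailShield's own code: the function name check_tlsrpt and the example.com / example.net sample records are assumptions made for illustration, and the rule that more than one matching record counts as none comes from RFC 8460.

```python
import re
from urllib.parse import urlsplit

VERSION = "v=TLSRPTv1"  # case-sensitive version tag from RFC 8460

def check_tlsrpt(txt_records):
    """Validate TXT strings published at _smtp._tls.<domain>.

    Returns (destinations, problems). The record is usable when problems is empty.
    """
    # Records that do not begin with the version tag are not TLS-RPT records.
    candidates = [r.strip() for r in txt_records if r.strip().startswith(VERSION)]
    if not candidates:
        return [], ["no TXT record beginning with v=TLSRPTv1"]
    if len(candidates) > 1:
        # RFC 8460: with more than one candidate, senders act as if none exists.
        return [], ["multiple TLS-RPT records; senders will ignore all of them"]

    fields = [f.strip() for f in candidates[0].split(";") if f.strip()]
    if fields[0] != VERSION:
        return [], [f"malformed version field {fields[0]!r}"]

    problems, tags = [], {}
    for field in fields[1:]:
        name, sep, value = field.partition("=")
        if sep:
            tags.setdefault(name.strip(), value.strip())
        else:
            problems.append(f"field {field!r} is not in name=value form")
    if "rua" not in tags:
        return [], problems + ["missing rua= tag"]

    destinations = []
    for uri in (u.strip() for u in tags["rua"].split(",")):
        parts = urlsplit(uri)
        if parts.scheme == "mailto" and re.fullmatch(r"[^@\s]+@[^@\s]+", parts.path):
            destinations.append(uri)
        elif parts.scheme == "https" and parts.hostname:
            destinations.append(uri)
        else:
            problems.append(f"rua entry {uri!r} is not a mailto: or https: URI")
    return destinations, problems

if __name__ == "__main__":
    # Constructed sample records (example.com / example.net are placeholders).
    samples = [
        ["v=TLSRPTv1; rua=mailto:tls-reports@example.com"],
        ["v=TLSRPTv1; rua=http://reports.example.net/in"],
        ["v=TLSRPTv1; rua=mailto:a@example.com", "v=TLSRPTv1; rua=mailto:b@example.com"],
    ]
    for records in samples:
        print(records, "->", check_tlsrpt(records))
```

Pass it the TXT strings your resolver returns for _smtp._tls.yourdomain.com; an empty problems list means the record parses and every rua entry is a mailto: or https: destination.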

How to set up TLS-RPT

TLS-RPT only requires a single DNS record. It is one of the simplest email security protocols to deploy.

1. Create the DNS TXT record

Publish a TXT record at _smtp._tls.yourdomain.com with the value "v=TLSRPTv1; rua=mailto:tls-reports@yourdomain.com" to start receiving reports.

2. Choose your reporting destination

Reports can be sent via email (mailto: URI) or HTTPS POST (https: URI). Email is simplest to set up. For automated processing, use an HTTPS endpoint.

3. Set up MTA-STS alongside TLS-RPT

TLS-RPT reports are most useful when paired with MTA-STS. Without an MTA-STS policy, senders have nothing to report against since encryption is only opportunistic.

4. Monitor incoming reports

TLS-RPT reports arrive as JSON files, typically daily. They detail successful and failed TLS negotiations, helping you identify delivery problems before they affect users.

Why use MailShield for TLS-RPT?

TLS-RPT reports are JSON files that arrive daily from every major email provider. Manually parsing these reports across multiple domains quickly becomes unmanageable. MailShield processes your TLS-RPT reports automatically and surfaces the data that matters.

When you add a domain to MailShield, we provide a managed reporting address. Just point your TLS-RPT rua= tag at it, and MailShield handles ingestion, parsing, and alerting automatically.

  • Automatic TLS-RPT report ingestion and parsing
  • Clear dashboard showing TLS success rates across all senders
  • Alerts when TLS negotiation failures spike
  • Combined view with MTA-STS policy status for full encryption coverage
  • Historical tracking to spot trends and regressions
  • Manage TLS-RPT across all your domains from a single dashboard

Monitor your email encryption

Get automated TLS-RPT processing, continuous monitoring, and complete email security coverage. Free plan includes 2 domains with all protocol checks.