TLS-RPT Lookup & Validator

Enter a domain to fetch its SMTP TLS Reporting (TLS-RPT) record from _smtp._tls.<domain>. The tool validates the version and the rua reporting destinations against RFC 8460.

Try a large mail provider such as google.com that requests TLS reports.

What is TLS-RPT?

TLS-RPT (SMTP TLS Reporting), defined in RFC 8460, is a standard that lets a domain receive daily reports about TLS connection problems for inbound mail. Sending servers deliver a JSON report summarising successful and failed TLS negotiations, so you can detect misconfiguration, expired certificates, or downgrade attacks affecting your mail.

How does TLS-RPT work?

TLS-RPT relies on a single DNS TXT record that names where reports should be sent. Sending mail servers that support the standard generate aggregate reports and deliver them to those destinations.

  • Discovery - the record is published at _smtp._tls.<domain>.
  • Version - it must begin with v=TLSRPTv1.
  • Reporting URI - the required rua= tag lists one or more destinations.
  • Destination types - each destination is either a mailto: address or an https: endpoint.
  • Aggregation - reports are typically sent once per day as a compressed JSON document.

How do I read a TLS-RPT record?

A TLS-RPT record is a short, two-tag string. The version identifies the standard and the rua tag lists comma-separated reporting destinations.

  • v=TLSRPTv1 - the mandatory version; it must be exactly this value.
  • rua=mailto:[email protected] - sends reports to an email address.
  • rua=https://reports.example.com/tlsrpt - posts reports to an HTTPS endpoint.
  • Multiple destinations are separated by commas, for example rua=mailto:[email protected],mailto:[email protected].
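
The checks described above can be expressed as a small validator. This is an added example, not this tool's own code: the function names and sample records are constructed for illustration, and it validates a TXT string you have already fetched from _smtp._tls.<domain> rather than performing the DNS lookup.

```python
from urllib.parse import urlsplit

# Constructed sample TXT strings (not taken from any real domain).
SAMPLES = [
    "v=TLSRPTv1; rua=mailto:tlsrpt@example.com,https://reports.example.com/tlsrpt",
    "v=TLSRPTv1; rua=http://reports.example.com/tlsrpt",  # plain http destination
    "v=tlsrptv1; rua=mailto:tlsrpt@example.com",          # wrong-case version
    "v=TLSRPTv1;",                                        # rua tag missing
]

def check_destination(uri):
    """Return an error string for a bad rua destination, or None if acceptable."""
    parts = urlsplit(uri)
    if parts.scheme == "mailto":
        local, at, domain = parts.path.partition("@")
        if local and at and domain:
            return None
        return f"mailto: destination needs an address: {uri!r}"
    if parts.scheme == "https":
        return None if parts.hostname else f"https: destination needs a host: {uri!r}"
    return f"destination must be mailto: or https:, got {uri!r}"

def validate_tlsrpt(txt):
    """Validate one TLS-RPT TXT string; returns validity, destinations, errors."""
    errors = []
    fields = [f.strip() for f in txt.split(";")]
    if fields[-1] == "":              # a single trailing ';' is permitted
        fields.pop()
    # The version is case-sensitive and must be the first field.
    if not fields or fields[0] != "v=TLSRPTv1":
        errors.append("record must begin with v=TLSRPTv1")
    # Other tags are skipped so that extension fields do not fail the record.
    rua = [f[4:] for f in fields[1:] if f.startswith("rua=")]
    if not rua:
        errors.append("required rua= tag is missing")
    destinations = [d.strip() for d in rua[0].split(",")] if rua else []
    for dest in destinations:
        problem = check_destination(dest)
        if problem:
            errors.append(problem)
    return {"valid": not errors, "destinations": destinations, "errors": errors}

if __name__ == "__main__":
    for record in SAMPLES:
        result = validate_tlsrpt(record)
        print("OK  " if result["valid"] else "FAIL", record, result["errors"])
```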

Why should I enable TLS-RPT alongside MTA-STS?

MTA-STS enforces TLS, but on its own it gives you no visibility when a sender cannot meet the policy. TLS-RPT is the feedback channel: it reports the failures so you can safely move an MTA-STS policy from testing to enforce without silently losing legitimate mail.

Frequently asked questions

Is TLS-RPT required?

It is optional but recommended, especially if you deploy MTA-STS or DANE. Without TLS-RPT you have no automated insight into TLS delivery failures affecting your inbound mail.

What format are TLS-RPT reports?

Reports are JSON documents, usually gzip-compressed, summarising the count of successful and failed TLS sessions and the failure types observed during the reporting period.

Can I send reports to more than one place?

Yes. List multiple destinations in the rua tag separated by commas. Each may be a mailto: address or an https: endpoint.

Does TLS-RPT depend on DMARC?

No. TLS-RPT reports on transport encryption (STARTTLS/TLS), which is independent of DMARC, SPF, and DKIM. The two solve different problems and can be deployed separately.

How this tool works: This tool runs in your browser and on our server in real time. Depending on the tool, results are computed directly from the input you provide or retrieved from live, authoritative data sources at the moment you run a lookup. We do not sell your data, and your lookups are kept private — any history shown here is stored only on your device.