TLS-RPT generator

Per RFC 8460

Build a TLS-Reporting DNS record (RFC 8460) for reporting TLS errors on inbound mail.

What is this, and when do I need it?

What is this?

TLS-RPT (Transport Layer Security Reporting, RFC 8460) is the reporting half of MTA-STS and DANE. Sending mail servers ship you a daily summary of how many SMTP connections to your mail servers actually used transport encryption and how many failed.

Without TLS-RPT, connection failures stay invisible - an expired cert chain on your MX, a broken MTA-STS record, an outdated TLS version: all of it only surfaces when customers report mail not arriving.

When do I need it?

Useful for anyone running MTA-STS or DANE - there, TLS-RPT is the only source of failure statistics. Cost: one DNS TXT record, then the reporting pipeline runs automatically.

Recommendation: send the reports to a Mailcheck mailbox - they get parsed and you see drifts (cert rotation, MX changes) as plain alerts instead of XML attachments in your inbox.

Reporting endpoints
The MTAs that deliver mail to your domain (Gmail, Outlook, etc.) send daily aggregated JSON reports about TLS successes and failures to the endpoints listed here. Multiple endpoints are allowed; the reporting MTA picks one. mailto: is enough for most setups; https: requires a POST endpoint that accepts the report JSON (I-JSON, RFC 7493).
DNS TXT record at _smtp._tls.<domain> per RFC 8460
_smtp._tls.example.com.	TXT	"v=TLSRPTv1; rua=mailto:tlsrpt@example.com"

Free, no warranty (best effort). Generated and inspected values are non-binding; we accept no liability for erroneous or incomplete results or configurations. Use and verification are your own responsibility; please test before production use.

Interplay with MTA-STS and DANE

TLS-RPT is the observability layer over MTA-STS and DANE. Without TLS-RPT you can see that mail arrives or doesn't, but not why: TLS mismatch? Expired cert? STARTTLS failure? The daily reports include error codes per receiving MTA and per failed hop.
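The reports described above, as an added example that is not part of this generator or of any reporter's code: a small Python reader for an RFC 8460 aggregate report. The embedded report, the reporter name, the IP addresses and the report-id are constructed values; the JSON field names are the ones RFC 8460 section 4 defines. It unpacks the gzip attachment a reporter sends, totals sessions, and breaks failures down by result type and receiving MX, which is exactly the "why" that the paragraph says a bounce alone cannot tell you.

```python
import gzip
import json
from collections import Counter

# Constructed sample report in the RFC 8460 section 4 JSON shape.
# Organization, domain, IPs and report-id are made-up values.
SAMPLE_REPORT = {
    "organization-name": "Example Sender Inc.",
    "date-range": {"start-datetime": "2024-05-01T00:00:00Z",
                   "end-datetime": "2024-05-01T23:59:59Z"},
    "contact-info": "tlsrpt-noreply@sender.example",
    "report-id": "constructed-report-0001",
    "policies": [
        {
            "policy": {"policy-type": "sts", "policy-domain": "example.com",
                       "policy-string": ["version: STSv1", "mode: testing",
                                         "mx: mx1.example.com", "max_age: 86400"],
                       "mx-host": ["mx1.example.com"]},
            "summary": {"total-successful-session-count": 980,
                        "total-failure-session-count": 20},
            "failure-details": [
                {"result-type": "certificate-expired",
                 "sending-mta-ip": "192.0.2.10",
                 "receiving-mx-hostname": "mx1.example.com",
                 "failed-session-count": 17},
                {"result-type": "starttls-not-supported",
                 "sending-mta-ip": "192.0.2.11",
                 "receiving-mx-hostname": "mx2.example.com",
                 "failed-session-count": 3},
            ],
        },
        {
            "policy": {"policy-type": "no-policy-found", "policy-domain": "example.com"},
            "summary": {"total-successful-session-count": 40,
                        "total-failure-session-count": 0},
        },
    ],
}


def load_report(blob):
    """Decode a report body: reporters gzip the JSON (RFC 8460 section 5); plain JSON is accepted too."""
    try:
        raw = gzip.decompress(blob)
    except (OSError, EOFError):
        raw = blob
    return json.loads(raw.decode("utf-8"))


def summarize_report(report):
    """Collapse one report into totals plus failures keyed by result type and by receiving MX."""
    ok = failed = 0
    by_type = Counter()
    by_mx = Counter()
    for entry in report.get("policies", []):
        s = entry.get("summary", {})
        ok += int(s.get("total-successful-session-count", 0))
        failed += int(s.get("total-failure-session-count", 0))
        for d in entry.get("failure-details", []):
            n = int(d.get("failed-session-count", 0))
            by_type[d.get("result-type", "unknown")] += n
            by_mx[d.get("receiving-mx-hostname", "unknown")] += n
    total = ok + failed
    return {
        "reporter": report.get("organization-name"),
        "report_id": report.get("report-id"),
        "successful": ok,
        "failed": failed,
        "failure_ratio": (failed / total) if total else 0.0,
        "by_result_type": dict(by_type),
        "by_mx": dict(by_mx),
    }


def alerts(summary, threshold=0.01):
    """Plain-text alert lines: a ratio warning above the threshold, then one line per failure type."""
    out = []
    if summary["failure_ratio"] > threshold:
        out.append(f"failure ratio {summary['failure_ratio']:.1%} above {threshold:.1%}")
    for rtype, n in sorted(summary["by_result_type"].items(), key=lambda kv: -kv[1]):
        out.append(f"{n} sessions failed with {rtype}")
    return out


def demo():
    """Simulate the gzip attachment a reporter would send and summarize it."""
    blob = gzip.compress(json.dumps(SAMPLE_REPORT).encode())
    return summarize_report(load_report(blob))


if __name__ == "__main__":
    for line in alerts(demo()):
        print(line)
```

With the constructed report the summary counts 1020 successful and 20 failed sessions (17 certificate-expired on mx1, 3 starttls-not-supported on mx2), so the certificate problem shows up by MX host, which is the signal you act on.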

Rollout sequence: TLS-RPT first (in "listen" mode), then MTA-STS in testing mode, then enforce. That way you see problems before the senders do, whose MTAs would otherwise run into rejections.

Privacy note: aggregate reports contain sender domains, MX hosts and error codes - no mail content, no individual mail addresses. GDPR impact is small but worth checking before picking a third-party reporting endpoint.

Inspect an existing TLS-RPT record

Reads _smtp._tls.<domain> and validates v=TLSRPTv1 plus the rua endpoints against RFC 8460.

Server path: this inspection does not run in your browser. Our server fetches the DNS record or HTTPS response. We do not log the queried domain or the result. Limit: 12 requests per minute per IPv4 address or IPv6 /64 subnet.
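As an added example (not this site's inspector and not code from the page), here is a Python builder and validator for the _smtp._tls TXT value. It covers both the record format shown under Reporting endpoints and the checks the inspector above describes. It assumes the RFC 8460 section 3 grammar: v=TLSRPTv1 first and case-sensitive, exactly one rua tag holding comma-separated mailto: or https: URIs, optional extension tags after it. It does not query DNS: hand it the TXT string you fetched yourself, for example the quoted value that dig +short TXT _smtp._tls.example.com prints.

```python
import re
from urllib.parse import urlsplit

VERSION_TAG = "v=TLSRPTv1"  # RFC 8460 section 3: exact case, must be the first tag
_EXT_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,31}$")
_EXT_VALUE = re.compile(r"^[\x21-\x3a\x3c\x3e-\x7e]+$")  # no ';' or '=' inside a value


class TlsRptError(ValueError):
    """Raised when a TXT value is not a valid RFC 8460 TLS-RPT record."""


def _check_rua_uri(uri):
    """Accept only the two endpoint kinds RFC 8460 defines: mailto: and https:."""
    if any(c in uri for c in ",!;"):
        raise TlsRptError(f"',', '!' and ';' must be percent-encoded inside a rua URI: {uri!r}")
    parts = urlsplit(uri)
    if parts.scheme == "mailto":
        if "@" not in parts.path:
            raise TlsRptError(f"mailto endpoint needs a mailbox: {uri!r}")
    elif parts.scheme == "https":
        if not parts.netloc:
            raise TlsRptError(f"https endpoint needs a host: {uri!r}")
    else:
        raise TlsRptError(f"rua scheme must be mailto: or https:, got {uri!r}")


def build_tlsrpt_record(rua_uris):
    """Assemble the TXT value for _smtp._tls.<domain> from one or more rua URIs."""
    if not rua_uris:
        raise TlsRptError("at least one rua endpoint is required")
    for uri in rua_uris:
        _check_rua_uri(uri)
    return f"{VERSION_TAG}; rua={','.join(rua_uris)}"


def parse_tlsrpt_record(txt):
    """Validate a TXT value and return {'version', 'rua': [...], 'extensions': {...}}."""
    txt = txt.strip()
    if len(txt) >= 2 and txt[0] == txt[-1] == '"':
        txt = txt[1:-1]  # dig and most zone files quote the TXT string
    fields = [f.strip() for f in txt.split(";")]
    if fields and fields[-1] == "":
        fields.pop()  # tolerate one trailing ';'
    if not fields:
        raise TlsRptError("empty record")
    tags = []
    for field in fields:
        name, sep, value = field.partition("=")  # split at the first '=' only; URIs may contain '='
        if not sep:
            raise TlsRptError(f"malformed field {field!r}")
        tags.append((name.strip(), value.strip()))
    if tags[0] != ("v", "TLSRPTv1"):
        raise TlsRptError("record must start with v=TLSRPTv1 (case-sensitive)")
    rua_values = [v for k, v in tags[1:] if k == "rua"]
    if len(rua_values) != 1:
        raise TlsRptError("exactly one rua tag is required")
    uris = [u.strip() for u in rua_values[0].split(",")]
    if any(not u for u in uris):
        raise TlsRptError("empty entry in rua list")
    for uri in uris:
        _check_rua_uri(uri)
    extensions = {}
    for name, value in tags[1:]:
        if name == "rua":
            continue
        if not _EXT_NAME.match(name) or not _EXT_VALUE.match(value):
            raise TlsRptError(f"invalid extension {name}={value!r}")
        extensions[name] = value  # unknown extensions are kept but not acted on
    return {"version": "TLSRPTv1", "rua": uris, "extensions": extensions}


def is_valid_tlsrpt_record(txt):
    """Boolean convenience wrapper around parse_tlsrpt_record()."""
    try:
        parse_tlsrpt_record(txt)
        return True
    except TlsRptError:
        return False


if __name__ == "__main__":
    record = build_tlsrpt_record(["mailto:tlsrpt@example.com"])
    print(f'_smtp._tls.example.com. TXT "{record}"')
    print(parse_tlsrpt_record(record))
```

The parser is deliberately strict about the things that silently break reporting in practice: a lowercase version tag, a rua that is a bare mailbox without the mailto: scheme, or a tag order with rua before v all make reporters ignore the record, so they are rejected here rather than tolerated.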

How to add this record at your DNS provider

The record generated above has three parts: the record type (typically TXT, occasionally CAA), the host (a subdomain like _dmarc, _smtp._tls or empty for the root domain) and the value (the actual payload in quotes). Every DNS provider asks for these same three fields - only the menu wording differs.

INWX (Dernium default for new customers)
  1. Sign in at www.inwx.de.
  2. Tab Nameserver → pick the domain → Nameserver-Sets verwalten → DNS-Einträge.
  3. Button Neuen Eintrag anlegen.
  4. Pick a type (e.g. TXT), enter the host (empty for the root domain, otherwise e.g. _dmarc), paste the value, leave TTL at 3600.
  5. Save. Propagation typically within 5-15 minutes.
Strato
  1. Sign in to the Strato customer area.
  2. Menu Domains → pick the domain → Verwalten.
  3. Section DNS-Verwaltung → Nameserver/DNS-Einstellungen anpassen.
  4. Under Eigene DNS-Verwaltung pick the right record type (TXT records have their own block), enter host and value.
  5. Save. Strato typically propagates within 30-60 minutes.
Hetzner DNS Console
  1. Sign in at dns.hetzner.com.
  2. Click on the zone of your domain.
  3. Button Add record → pick a type, enter the name (use @ for the root domain), paste the value.
  4. Save. Propagation typically under 5 minutes.
IONOS (1&1)
  1. Sign in to the IONOS customer center.
  2. Menu Domains & SSL → click the domain → DNS.
  3. Button Eintrag hinzufügen → pick a type, enter the host, paste the value into the content field.
  4. Save. Propagation typically 15-60 minutes.
Cloudflare
  1. Sign in to Cloudflare, pick the domain.
  2. Tab DNS → Records.
  3. Button Add record → pick a type, enter the name (use @ for the root domain), paste the value, leave proxy status on DNS only for TXT/CAA records.
  4. Save. Propagation typically under 2 minutes.

Note: If your DNS provider is not listed, you usually find the right place under headings like "DNS management", "Zone editor", or "Records". When in doubt, your provider's support helps; the paths shown here are vendor-specific and can shift slightly with redesigns.