Build a TLS-Reporting DNS record (RFC 8460) for reporting TLS errors on inbound mail.
What is this, and when do I need it?
What is this?
TLS-RPT (Transport Layer Security Reporting, RFC 8460) is the reporting half of MTA-STS and
DANE. Sending mail servers ship you a daily summary of how many SMTP connections to your
mail servers actually used transport encryption and how many failed.
Without TLS-RPT, connection failures stay invisible - an expired cert chain on your MX, a
broken MTA-STS record, an outdated TLS version: all of it only surfaces when customers
report mail not arriving.
When do I need it?
Useful for anyone running MTA-STS or DANE - there, TLS-RPT is the only source of failure
statistics. Cost: one DNS TXT record, then the reporting pipeline runs automatically.
Recommendation: send the reports to a Mailcheck mailbox - they get parsed and
you see drifts (cert rotation, MX changes) as plain alerts instead of XML attachments in your
inbox.
TLS-RPT is the observability layer over MTA-STS and DANE. Without TLS-RPT you can see that
mail arrives or doesn't, but not why: TLS mismatch? Expired cert? STARTTLS failure? The daily
reports include error codes per receiving MTA and per failed hop.
Rollout sequence: TLS-RPT first (in "listen" mode), then MTA-STS in testing mode, then enforce.
That way you see problems before the senders do, whose MTAs would otherwise get reject responses.
Privacy note: aggregate reports contain sender domains, MX hosts and error codes
- no mail content, no individual mail addresses. GDPR impact is small but worth checking before
picking a third-party reporting endpoint.
Inspect an existing TLS-RPT record
Reads _smtp._tls.<domain> and validates v=TLSRPTv1 plus the rua endpoints against RFC 8460.
Server path: this inspection does not run locally in your browser; our server fetches the DNS record or HTTPS response. We do not log the queried domain or the result. Rate limit: 12 requests per minute per IPv4 address or IPv6 /64 subnet.
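As an added example (not the page's own inspection code), the Python below applies the RFC 8460 checks the inspector describes to constructed sample records: it parses the tag list, requires the v=TLSRPTv1 tag first, checks that every rua endpoint is a mailto: or https: URI, and implements the sender-side rule that a domain publishing more than one TLS-RPT record is treated as publishing none. The sample values and function names are assumptions.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit

TAG_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")  # one "tag=value" field

# Constructed sample value, as a generator would emit it for the TXT record at _smtp._tls.<domain>.
SAMPLE_RECORD = "v=TLSRPTv1; rua=mailto:tlsrpt@example.com,https://tlsrpt.example.com/v1/report"

def parse_tlsrpt(txt: str) -> dict:
    """Split 'v=TLSRPTv1; rua=...' into a tag dict; raise ValueError on structural errors."""
    fields = [f for f in txt.split(";") if f.strip()]
    if not fields:
        raise ValueError("empty record")
    tags = {}
    for field in fields:
        m = TAG_RE.match(field)
        if not m:
            raise ValueError(f"malformed field: {field.strip()!r}")
        tags[m.group(1).lower()] = m.group(2)  # tag names are case-insensitive
    # RFC 8460 section 3: the version tag comes first and must be exactly TLSRPTv1.
    if not fields[0].strip().lower().startswith("v=") or tags["v"] != "TLSRPTv1":
        raise ValueError("record must start with v=TLSRPTv1")
    return tags

def validate_tlsrpt(txt: str) -> List[str]:
    """Return the problems found; an empty list means senders can use the record."""
    try:
        tags = parse_tlsrpt(txt)
    except ValueError as exc:
        return [str(exc)]
    if not tags.get("rua"):
        return ["missing rua tag: no report destination, senders have nowhere to deliver"]
    problems = []
    for uri in (u.strip() for u in tags["rua"].split(",")):
        parts = urlsplit(uri)
        if parts.scheme == "mailto" and "@" not in parts.path:
            problems.append(f"mailto URI without an address: {uri!r}")
        elif parts.scheme == "https" and not parts.netloc:
            problems.append(f"https URI without a host: {uri!r}")
        elif parts.scheme not in ("mailto", "https"):
            problems.append(f"unsupported rua scheme (only mailto: and https:): {uri!r}")
    return problems

def select_tlsrpt_record(txt_records: List[str]) -> Optional[str]:
    """RFC 8460 rule for the TXT answers at _smtp._tls.<domain>: drop records not beginning with
    'v=TLSRPTv1;'; unless exactly one remains, senders assume no TLS-RPT, so a duplicate disables reporting."""
    candidates = [r for r in txt_records if r.strip().startswith("v=TLSRPTv1;")]
    return candidates[0] if len(candidates) == 1 else None
```

Run the validator over the value you are about to publish, and select_tlsrpt_record over all TXT answers at the name, since a leftover second record is enough to switch reporting off.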
How to add this record at your DNS provider
The record generated above has three parts: the record type (typically TXT,
occasionally CAA), the host (a subdomain like _dmarc, _smtp._tls or empty for the root domain) and the value (the actual
payload in quotes). Every DNS provider asks for these same three fields - only the menu wording
differs.
Button Add record → pick a type, enter the name (use @ for the
root domain), paste the value.
Save. Propagation typically under 5 minutes.
IONOS (1&1)
Sign in to the IONOS customer center.
Menu Domains & SSL → click the domain → DNS.
Button Add record → pick a type, enter the host, paste the value into
the content field.
Save. Propagation typically 15-60 minutes.
Cloudflare
Sign in to Cloudflare, pick the domain.
Tab DNS → Records.
Button Add record → pick a type, enter the name (use @ for
the root domain), paste the value, leave proxy status on DNS only for TXT/CAA records.
Save. Propagation typically under 2 minutes.
Note: If your DNS provider is not listed, you usually find the right place under headings like
"DNS management", "Zone editor", or "Records". When in doubt, your provider's support helps;
the paths shown here are vendor-specific and can shift slightly with redesigns.