TLS-RPT — SMTP TLS Reporting
Reporting mechanism for TLS failures during email delivery.
What is TLS-RPT
TLS-RPT (SMTP TLS Reporting, RFC 8460) is a mechanism that lets you receive daily reports from sending mail servers about whether they could establish TLS when delivering to your domain, and which failures they hit when they could not. It is the natural companion of MTA-STS: MTA-STS tells senders to require TLS for your domain, while TLS-RPT tells you when they were unable to comply and why.
Example record
_smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=mailto:tls-reports@example.com"
Fields:
- v=TLSRPTv1: protocol version (must be the first tag)
- rua=mailto:... or rua=https://...: where reports are sent; several destinations can be listed, separated by commas
What a report contains
Reports are JSON documents, sent once a day as a gzip-compressed attachment when delivered by mail (or as gzip-compressed JSON when posted to an https rua). Each report covers one reporting period and contains:
- Statistics: how many sessions succeeded and how many failed, per policy the sender applied
- Failure types: starttls-not-supported, certificate-expired, certificate-host-mismatch, validation-failure, etc.
- The IP of the sending MTA that observed each problem
- The receiving IP and MX hostname each failure hit, with the number of failed sessions
Example payload
{
  "organization-name": "Google Inc.",
  "date-range": {
    "start-datetime": "2025-01-14T00:00:00Z",
    "end-datetime": "2025-01-14T23:59:59Z"
  },
  "contact-info": "smtp-tls-reporting@google.com",
  "policies": [{
    "policy": { "policy-type": "sts", "policy-domain": "example.com" },
    "summary": { "total-successful-session-count": 1024, "total-failure-session-count": 3 },
    "failure-details": [...]
  }]
}
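The following is an added example, not code from the original page: a small Python script that validates a _smtp._tls TXT record and then parses a report the way it arrives (gzip-compressed JSON), aggregating failures per policy domain. The report it processes is a constructed sample with the field names from RFC 8460; the organisation, IPs and counts in it are made up, and the downgrade heuristic (STARTTLS failures reported under an enforcing MTA-STS policy) is this example's own check, not something the RFC defines.

```python
import gzip
import json
from collections import Counter

# Constructed sample report (not from any real provider). Field names follow
# RFC 8460 section 4; the values are invented for this example.
SAMPLE_REPORT = {
    "organization-name": "Example Sender Inc.",
    "date-range": {"start-datetime": "2025-01-14T00:00:00Z",
                   "end-datetime": "2025-01-14T23:59:59Z"},
    "contact-info": "tls-reports@sender.example",
    "report-id": "2025-01-14T00:00:00Z_example.com",
    "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "example.com",
                   "policy-string": ["version: STSv1", "mode: enforce",
                                     "mx: mx1.example.com", "max_age: 604800"],
                   "mx-host": ["mx1.example.com"]},
        "summary": {"total-successful-session-count": 1024,
                    "total-failure-session-count": 3},
        "failure-details": [
            {"result-type": "certificate-expired",
             "sending-mta-ip": "203.0.113.10",
             "receiving-mx-hostname": "mx1.example.com",
             "receiving-ip": "198.51.100.5", "failed-session-count": 2},
            {"result-type": "starttls-not-supported",
             "sending-mta-ip": "203.0.113.11",
             "receiving-mx-hostname": "mx1.example.com",
             "receiving-ip": "198.51.100.5", "failed-session-count": 1},
        ],
    }],
}


def parse_tlsrpt_record(txt):
    """Parse a _smtp._tls TXT record into {'v': ..., 'rua': [...]}.
    Raises ValueError for anything that is not a usable TLS-RPT record."""
    tags = [t.strip() for t in txt.strip().split(";") if t.strip()]
    if not tags or tags[0] != "v=TLSRPTv1":
        raise ValueError("record must start with v=TLSRPTv1")
    fields = {}
    for tag in tags[1:]:
        name, sep, value = tag.partition("=")
        if not sep:
            raise ValueError(f"malformed tag {tag!r}")
        fields[name.strip()] = value.strip()
    if "rua" not in fields:
        raise ValueError("rua is required")
    # rua may list several destinations, comma-separated; only mailto: and
    # https: are defined by RFC 8460.
    rua = [u.strip() for u in fields["rua"].split(",") if u.strip()]
    for uri in rua:
        if not (uri.startswith("mailto:") or uri.startswith("https://")):
            raise ValueError(f"unsupported rua scheme in {uri!r}")
    return {"v": "TLSRPTv1", "rua": rua}


def is_valid_tlsrpt_record(txt):
    try:
        parse_tlsrpt_record(txt)
        return True
    except ValueError:
        return False


def gzip_report(report):
    """Produce the bytes a sender would attach (application/tlsrpt+gzip)."""
    return gzip.compress(json.dumps(report).encode("utf-8"))


def load_report(blob):
    """Decode a report as delivered: gzip-compressed or plain JSON."""
    if blob[:2] == b"\x1f\x8b":          # gzip magic number
        blob = gzip.decompress(blob)
    return json.loads(blob.decode("utf-8"))


def summarize(report):
    """Aggregate one report per policy domain: session counts, failures by
    result-type, sending MTA IPs, a consistency check between the summary
    and the failure details, and a heuristic downgrade flag."""
    out = {}
    for p in report["policies"]:
        pol, summary = p["policy"], p["summary"]
        failures, senders = Counter(), set()
        for d in p.get("failure-details", []):
            failures[d["result-type"]] += d.get("failed-session-count", 0)
            senders.add(d["sending-mta-ip"])
        enforcing = pol.get("policy-type") == "sts" and any(
            line.replace(" ", "") == "mode:enforce"
            for line in pol.get("policy-string", []))
        out[pol["policy-domain"]] = {
            "policy_type": pol.get("policy-type"),
            "ok": summary["total-successful-session-count"],
            "failed": summary["total-failure-session-count"],
            "failures": dict(failures),
            "sending_mtas": sorted(senders),
            # Details should add up to the summary; a mismatch means the
            # report is truncated or malformed and deserves a closer look.
            "details_consistent":
                sum(failures.values()) == summary["total-failure-session-count"],
            # A sender that was told to enforce TLS and still saw no STARTTLS
            # is the signature of STARTTLS stripping (or a broken MX).
            "possible_downgrade":
                enforcing and failures["starttls-not-supported"] > 0,
        }
    return out


if __name__ == "__main__":
    print(parse_tlsrpt_record("v=TLSRPTv1; rua=mailto:tls-reports@example.com"))
    print(json.dumps(summarize(load_report(gzip_report(SAMPLE_REPORT))), indent=2))
```

Running it prints the parsed record and, for example.com, 1024 successful sessions, 3 failed (2 certificate-expired, 1 starttls-not-supported) from two sending MTAs, with possible_downgrade set because the sample policy is in enforce mode.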
Why enable it
- Early detection of TLS problems on your mail servers, such as an expired certificate, a certificate that does not match the MX hostname, or an MX that has stopped offering STARTTLS.
- Confirmation that your MTA-STS policy is being fetched and applied: the reports show which policy senders used and whether it worked, which is the evidence you want before moving from mode: testing to mode: enforce.
- Visibility into downgrade attacks and misconfigurations that are otherwise invisible to you: a sender that was told to require TLS and reports starttls-not-supported has either hit a broken MX or a man-in-the-middle stripping STARTTLS, and without TLS-RPT that mail would simply have been deferred or bounced on the sender's side.
Note that you only receive reports from senders that implement TLS-RPT (the large providers do), so an empty mailbox does not prove everything is fine. You don't need to process reports manually: there are tools that parse them and give you a dashboard view. To get started, send them to a dedicated mailbox, preferably one whose delivery does not depend on the mail servers you are monitoring so that a broken MX does not also swallow the reports, and review them once a week.