TLS-RPT Report Analyzer

Upload and analyze TLS-RPT JSON reports in your browser. Visualize TLS negotiation successes, failures, and policy compliance — no data leaves your device.


What Are TLS-RPT Reports?

TLS-RPT (SMTP TLS Reporting) is defined in RFC 8460. It provides a mechanism for receiving mail servers to report back on TLS negotiation successes and failures during SMTP delivery. These JSON reports are sent to the address specified in your _smtp._tls.<domain> DNS TXT record.

TLS-RPT works hand-in-hand with MTA-STS (RFC 8461) and DANE (RFC 7672). While MTA-STS and DANE enforce TLS requirements, TLS-RPT gives you visibility into whether those policies are working correctly or causing delivery failures.

Report Format (RFC 8460)

TLS-RPT reports are JSON documents containing metadata about the reporting organization, the time period covered, and one or more policy entries. Each policy entry includes session counts (successful and failed) and, when failures occur, detailed information about the failure type, the sending MTA, and the receiving MX host.

| Section | Key Fields | Purpose |
|---|---|---|
| Metadata | organization-name, date-range, report-id | Identifies the reporter and the time window. |
| Policy | policy-type, policy-domain, mx-host | Which TLS policy was evaluated (sts, tlsa, or no-policy-found). |
| Summary | total-successful-session-count, total-failure-session-count | Aggregate counts for that policy evaluation period. |
| Failure Details | result-type, sending-mta-ip, receiving-mx-hostname | Per-failure breakdown with specific error types. |

Common Failure Types

| Result Type | Meaning |
|---|---|
| starttls-not-supported | The receiving MX does not support STARTTLS at all. |
| certificate-expired | The TLS certificate on the receiving MX has expired. |
| certificate-not-trusted | The certificate is not signed by a trusted CA. |
| certificate-host-mismatch | The certificate does not match the MX hostname. |
| sts-policy-invalid | The MTA-STS policy file is malformed or unreachable. |
| tlsa-invalid | The TLSA DNS record for DANE is invalid. |
| dnssec-invalid | DNSSEC validation failed for the receiving domain. |

Connection to MTA-STS and DANE

TLS-RPT reports are most useful when paired with MTA-STS or DANE. With MTA-STS in testing mode, TLS-RPT reports let you monitor for certificate and TLS issues before switching to enforce mode. With DANE, the reports reveal whether TLSA records are correctly published and validated. Without TLS-RPT, you would have no visibility into TLS failures happening during email delivery to your domain.
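The report structure and failure types described above can be summarized per policy with a short script. This is an added example, not code from this page or from the analyzer: the function name `summarize` and the sample report are constructed for illustration, and `failed-session-count` is the RFC 8460 per-failure counter, which the field table above does not list.

```python
import json
from collections import Counter

# Constructed sample report: RFC 8460 field names, all values made up.
SAMPLE_REPORT = """{
  "organization-name": "Example Sender Inc.",
  "date-range": {"start-datetime": "2024-01-01T00:00:00Z", "end-datetime": "2024-01-01T23:59:59Z"},
  "report-id": "constructed-0001",
  "policies": [
    {"policy": {"policy-type": "sts", "policy-domain": "example.com", "mx-host": ["mx1.example.com"]},
     "summary": {"total-successful-session-count": 950, "total-failure-session-count": 50},
     "failure-details": [
       {"result-type": "certificate-expired", "sending-mta-ip": "192.0.2.10",
        "receiving-mx-hostname": "mx1.example.com", "failed-session-count": 45},
       {"result-type": "starttls-not-supported", "sending-mta-ip": "192.0.2.11",
        "receiving-mx-hostname": "mx1.example.com", "failed-session-count": 5}]},
    {"policy": {"policy-type": "no-policy-found", "policy-domain": "example.net"},
     "summary": {"total-successful-session-count": 10, "total-failure-session-count": 0}}
  ]
}"""

def summarize(report_text):
    """Return one dict per policy entry: session counts, failure rate, failures by type."""
    report = json.loads(report_text)
    rows = []
    for entry in report.get("policies", []):
        policy = entry.get("policy", {})
        summary = entry.get("summary", {})
        ok = int(summary.get("total-successful-session-count", 0))
        failed = int(summary.get("total-failure-session-count", 0))
        by_type = Counter()
        # failure-details is absent when every session in the window succeeded.
        for d in entry.get("failure-details", []):
            by_type[d.get("result-type", "unknown")] += int(d.get("failed-session-count", 0))
        total = ok + failed
        rows.append({
            "domain": policy.get("policy-domain"),
            "policy_type": policy.get("policy-type"),
            "successful": ok,
            "failed": failed,
            "failure_rate": failed / total if total else 0.0,
            "failures_by_type": dict(by_type),
            # Details may not account for every failed session; surface the gap.
            "unexplained_failures": failed - sum(by_type.values()),
        })
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE_REPORT):
        print(row)
```

With MTA-STS in testing mode, a non-zero `failed` count for a certificate-related result type is the signal to investigate before switching to enforce mode.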
