TLS-RPT Record Generator
Generate a valid TLS-RPT DNS record with mailto and HTTPS report destinations per RFC 8460.
Where should TLS failure reports be sent? At least one destination is required.
mailto: Simpler to set up. Reports arrive as email attachments. However, if your mail infrastructure is down, you may not receive the very reports that describe the problem.
HTTPS: More reliable for automated processing. Reports are POSTed to your endpoint as JSON. Requires a webhook or API endpoint to receive them.
What is TLS-RPT?
SMTP TLS Reporting (TLS-RPT) is defined in RFC 8460. It enables domain owners to receive structured JSON reports about TLS connectivity problems experienced by sending mail servers. When a remote server encounters a TLS negotiation failure -- such as an expired certificate, hostname mismatch, or missing STARTTLS support -- it sends a report to the endpoints specified in your TLS-RPT DNS record.
Report Format
TLS-RPT reports are JSON documents that include details about the sending organization, the time range covered, the policy applied (MTA-STS or DANE), the result type (e.g., certificate-expired, starttls-not-supported), and counts of successful and failed sessions. Reports are typically sent daily and cover a 24-hour period.
Connection to MTA-STS and DANE
TLS-RPT is a companion protocol to both MTA-STS (RFC 8461) and DANE (RFC 7672). MTA-STS and DANE tell senders to enforce TLS; TLS-RPT provides the feedback loop for when enforcement fails. Deploying TLS-RPT alongside MTA-STS or DANE gives you full visibility into TLS delivery problems. Even without MTA-STS or DANE, TLS-RPT reports on opportunistic STARTTLS failures.
Record Format
| Tag | Required | Description |
|---|---|---|
| v | Yes | Version identifier. Must be TLSRPTv1. |
| rua | Yes | Comma-separated list of report destination URIs (mailto: and/or https:). |
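
The record rules in the table above, as an added Python example (not the generator's own code): it builds a record from a list of destinations and validates an existing TXT value. The function names and the example.com destinations are constructed for illustration; the `_smtp._tls` record name and the percent-encoding rule for `,`, `;` and `!` come from RFC 8460.

```python
from urllib.parse import urlsplit

VERSION = "TLSRPTv1"
FORBIDDEN = set(",;!")  # RFC 8460: must be percent-encoded inside a rua URI

def check_uri(uri):
    """Return uri if it is an acceptable rua destination, else raise ValueError."""
    if any(c in FORBIDDEN or c.isspace() for c in uri):
        raise ValueError(f"unencoded ',', ';', '!' or whitespace in {uri!r}")
    parts = urlsplit(uri)
    if parts.scheme == "mailto" and "@" in parts.path.strip("@"):
        return uri
    if parts.scheme == "https" and parts.hostname:
        return uri
    raise ValueError(f"rua destination must be mailto: or https:, got {uri!r}")

def build_record(destinations):
    """Build the TXT value from a list of destinations (at least one required)."""
    if not destinations:
        raise ValueError("at least one report destination is required")
    return f"v={VERSION}; rua=" + ",".join(check_uri(d) for d in destinations)

def parse_record(txt):
    """Return the rua list of a TXT value; raise ValueError if it is invalid."""
    fields = [f.strip() for f in txt.split(";") if f.strip()]
    if not fields or fields[0] != f"v={VERSION}":
        raise ValueError("record must begin with v=TLSRPTv1")
    tags = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
    if "rua" not in tags:
        raise ValueError("rua tag is required")
    return [check_uri(u.strip()) for u in tags["rua"].split(",")]

# Constructed sample destinations (example.com is a placeholder domain).
SAMPLE = ["mailto:tlsrpt@example.com", "https://reports.example.com/v1/tlsrpt"]

if __name__ == "__main__":
    record = build_record(SAMPLE)
    # RFC 8460 publishes the record as a TXT record at _smtp._tls.<domain>.
    print(f'_smtp._tls.example.com. IN TXT "{record}"')
    print(parse_record(record))
```

Plain `http:` destinations and records that do not start with the version tag are rejected, which catches the most common copy-paste mistakes before the record is published.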
For a complete guide to TLS-RPT configuration and deployment, see the TLS-RPT learn page.