TLS-RPT Checker
Look up and parse a domain's SMTP TLS Reporting (TLS-RPT) record at _smtp._tls.<domain>.
Monitor this automatically
NetTests can run this check on a schedule, preserve historical results, compare changes over time, and alert you the moment something breaks.
Start monitoring free → See all monitoring productsFrequently Asked Questions
What is TLS-RPT (SMTP TLS Reporting)?
TLS-RPT (RFC 8460) allows receiving mail servers to send aggregate reports to the domain owner about TLS connection failures. If a sending server can't establish a TLS connection to your mail server (e.g. due to MTA-STS policy violation or certificate error), it sends a JSON report to the address in your TLS-RPT record. This visibility helps you detect and fix email delivery failures before they impact users.
What does the TLS-RPT DNS record look like?
Published as a TXT record at _smtp._tls.example.com: v=TLSRPTv1; rua=mailto:tlsrpt@example.com. The rua field accepts one or more report destinations (mailto: or https: URIs). Reports are sent daily in gzip-compressed JSON format.
Do I need MTA-STS to use TLS-RPT?
TLS-RPT works independently but is most useful alongside MTA-STS or DANE. Without a TLS enforcement policy, most senders don't report TLS failures because they fall back to unencrypted delivery. With MTA-STS enforcing TLS, any sender that can't connect securely will report the failure via TLS-RPT.