TLS-RPT Record Generator

TLS failure reports only arrive if your reporting address is valid and actively monitored. Most teams set it and never check it. Generate your record and set up actual monitoring.

Primary email address to receive TLS failure reports.

Second email address for redundant report delivery.

HTTPS URL to receive reports via POST. Used by automated monitoring services.

DNS Record Name

_smtp._tls.yourdomain.com
TXT

Record Value

v=TLSRPTv1; rua=mailto:tls-reports@yourdomain.com

How to publish this record

  1. Log in to your DNS provider
  2. Create a new TXT record
  3. Set the Name/Host to _smtp._tls
  4. Paste the record value above into the Value/Content field
  5. Save and wait for DNS propagation (usually a few minutes to 48 hours)
  6. Consider also setting up MTA-STS to enforce TLS for incoming email

Setting Up TLS-RPT

What is TLS-RPT?

SMTP TLS Reporting (TLS-RPT) is a standard that lets you receive reports when sending servers encounter TLS failures delivering email to your domain. It works alongside MTA-STS to give you visibility into email transport security.

How do I configure reporting?

Publish a TXT record at _smtp._tls.yourdomain.com with a rua= tag specifying where reports should be sent. You can use mailto: for email delivery, https: for HTTP POST delivery, or both for redundancy.

What will the reports tell me?

TLS-RPT reports are JSON documents sent daily by sending mail servers. They include details about TLS negotiation failures: certificate errors, expired certificates, MTA-STS policy failures, and connection counts.

Should I use TLS-RPT with MTA-STS?

Yes. MTA-STS enforces TLS for incoming email, and TLS-RPT tells you when that enforcement causes delivery failures. Without TLS-RPT, you won't know if your MTA-STS policy is silently blocking legitimate email.

Why We Built This Tool

Most teams publish TLS-RPT records and never read the reports. Mailbox quotas fill up, reporting endpoints go offline, or reports are dismissed as noise. Without monitoring, TLS failures remain invisible — email degrades from encrypted to unencrypted without detection.

What Goes Wrong Without This

TLS-RPT reports are JSON documents that need parsing. Teams don't have SIEM integration or automated parsing, so reports pile up unread. Encryption failures go undetected for weeks, and by then unencrypted email has accumulated.
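A minimal parser for the report format described above, added here as an example and not InboxEagle's own code. It reads one RFC 8460 report (gzip-compressed or plain JSON) and totals failed sessions per failure category and per receiving MX host; the grouping of result types into three categories and the sample report are assumptions constructed for illustration.

```python
import gzip
import json
from collections import Counter

# RFC 8460 result types grouped into the failure patterns the FAQ names.
# The grouping is this example's assumption, not part of the standard.
CATEGORIES = {
    "certificate": {"certificate-host-mismatch", "certificate-expired", "certificate-not-trusted"},
    "policy": {"sts-policy-fetch-error", "sts-policy-invalid", "sts-webpki-invalid",
               "tlsa-invalid", "dnssec-invalid", "dane-required"},
    "connection": {"starttls-not-supported", "validation-failure"},
}

def load_report(raw: bytes) -> dict:
    """Decode a report body; gzip-compressed bodies start with 1f 8b."""
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    return json.loads(raw)

def summarize(report: dict) -> dict:
    """Total sessions, plus failed sessions per category and per MX host."""
    ok = failed = 0
    by_category, by_mx = Counter(), Counter()
    for entry in report.get("policies", []):
        summary = entry.get("summary", {})
        ok += summary.get("total-successful-session-count", 0)
        failed += summary.get("total-failure-session-count", 0)
        for detail in entry.get("failure-details", []):
            rtype = detail.get("result-type", "unknown")
            count = detail.get("failed-session-count", 0)
            category = next((c for c, t in CATEGORIES.items() if rtype in t), "other")
            by_category[category] += count
            by_mx[(detail.get("receiving-mx-hostname", "?"), rtype)] += count
    return {"sender": report.get("organization-name"), "ok": ok, "failed": failed,
            "by_category": dict(by_category), "by_mx": dict(by_mx)}

# Constructed sample report (not real data), compressed as a sender would.
SAMPLE = gzip.compress(json.dumps({
    "organization-name": "Sender Example Inc.",
    "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "yourdomain.com"},
        "summary": {"total-successful-session-count": 120, "total-failure-session-count": 7},
        "failure-details": [
            {"result-type": "certificate-expired", "failed-session-count": 5,
             "receiving-mx-hostname": "mx1.yourdomain.com"},
            {"result-type": "starttls-not-supported", "failed-session-count": 2,
             "receiving-mx-hostname": "mx2.yourdomain.com"}]}]}).encode())

if __name__ == "__main__":
    print(summarize(load_report(SAMPLE)))
```

Result types the table does not list are counted under "other", so a new or misspelled type still shows up in the totals.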

Who This Tool Is For

E-commerce & DTC Brands

Set up TLS reporting for your domain to catch certificate expiry and encryption failures before they impact customer email delivery.

Email Marketing Agencies

Generate standardized TLS-RPT records for client domains. Set up redundant reporting (mailto + HTTPS) and automate report parsing to detect shared infrastructure issues.

B2B SaaS & Outbound Teams

Configure TLS reporting for transactional and outbound email domains. Parse reports to detect encryption failures and sync with your TLS-based access controls.

Frequently Asked Questions

What's the difference between mailto and HTTPS reporting?

mailto: sends reports by email to a specified address (good for manual review, but someone has to read them). https: sends reports as POST requests to your endpoint (better for automated monitoring and integration with SIEM/analytics systems). Use both for redundancy.

How often will I receive TLS-RPT reports?

Sending mail servers deliver TLS-RPT reports daily, aggregating all TLS failures encountered during the 24-hour period. Each report is a JSON document with detailed failure information, and every external mail server that encountered issues with your domain sends its own.

What should I do when I receive TLS-RPT reports?

Parse the JSON to identify failure patterns: certificate errors mean your cert is expiring or invalid, policy failures mean your MTA-STS policy is rejecting legitimate senders, and connection failures mean network issues. Most TLS-RPT failures can be diagnosed with an MTA-STS Checker tool.

Do I need an InboxEagle account to use this tool?

No. This tool is completely free and requires no account or sign-up. InboxEagle provides it as a standalone resource for email marketers, developers, and agencies.
