RFC 8460 overview
SMTP TLS Reporting (TLS-RPT), defined in RFC 8460, is a mechanism for receiving mail servers to request reports about TLS negotiation failures from sending mail servers. When a sender attempts to deliver mail to your MX servers and encounters a TLS problem -- an expired certificate, a cipher mismatch, or a policy violation -- the sender generates a structured report and delivers it to the address you specify in DNS.
TLS-RPT is the observability layer for two related standards:
- MTA-STS (RFC 8461) -- tells senders to require TLS when delivering to your domain, with a policy that specifies which MX hostnames are valid.
- DANE (RFC 7672) -- uses DNSSEC-signed TLSA records to pin the certificate that your MX servers should present.
Without TLS-RPT, you have no way to know when these policies cause delivery failures. A misconfigured MTA-STS policy or an expired TLSA record can silently reject legitimate mail. TLS-RPT closes this feedback loop.
What TLS-RPT reports contain
Reports are JSON documents (typically gzip-compressed when sent via email) that cover a 24-hour reporting period. Each report contains:
- Organization and contact -- the sending organization's name and contact information.
- Reporting period -- start and end timestamps (UTC) for the aggregation window.
- Policy applied -- which policy the sender evaluated: MTA-STS, DANE, or both. Includes the policy mode (testing, enforce) and the specific policy details.
- Success count -- number of TLS connections that succeeded under the policy.
- Failure count -- number of TLS connections that failed, broken down by failure type.
- Failure details -- for each failure type, the result type code, the sending MTA IP, the receiving MX hostname, and an optional additional-info field with diagnostic data.
Common failure result types include:
certificate-expired-- the MX server's TLS certificate has expired.certificate-not-trusted-- the certificate is not signed by a trusted CA.certificate-host-mismatch-- the certificate's SAN/CN does not match the MX hostname.starttls-not-supported-- the MX server does not advertise STARTTLS.validation-failure-- generic TLS validation failure.sts-policy-fetch-error-- the sender could not retrieve the MTA-STS policy file.sts-policy-invalid-- the MTA-STS policy file was malformed.sts-webpki-invalid-- the HTTPS certificate for the MTA-STS policy host was invalid.tlsa-invalid-- the DANE TLSA record was malformed or did not match the certificate.dnssec-invalid-- DNSSEC validation failed for the TLSA lookup.
DNS TXT record format
TLS-RPT is published as a TXT record at _smtp._tls.<domain>:
_smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"The record has two components:
v=TLSRPTv1-- version identifier (required). Must be the first tag.rua=-- reporting URI for aggregate reports (required). Supports two schemes:mailto:-- reports are sent as email attachments (gzip-compressed JSON) to the specified address.https:-- reports are POSTed as JSON to the specified URL, which must respond with a 2xx status code.
You can specify multiple reporting URIs by separating them with commas:
_smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=mailto:tlsrpt@example.com,https://reporting.example.com/tlsrpt"Setting up a reporting endpoint
There are two approaches to receiving TLS-RPT reports:
Email-based reporting
The simplest approach: create a dedicated mailbox (e.g., tlsrpt@example.com) and point rua=mailto:tlsrpt@example.com at it. Reports arrive as email attachments containing gzip-compressed JSON files.
Considerations:
- Use a dedicated mailbox, not a human-readable inbox. Reports are machine-readable JSON, not human-friendly summaries.
- The mailbox should accept large attachments -- reports from high-volume senders can be substantial.
- You will need a parser or reporting service to extract and aggregate the data from the JSON files.
HTTPS-based reporting
More suitable for automated processing: deploy an HTTPS endpoint that accepts POST requests with JSON bodies. The endpoint URL goes into the rua= tag:
rua=https://reporting.example.com/v1/tlsrptYour endpoint must:
- Accept
POSTrequests withContent-Type: application/tlsrpt+gziporapplication/tlsrpt+json. - Return a
2xxstatus code on success. Senders may retry on transient failures but will eventually stop if the endpoint is persistently unreachable. - Serve a valid TLS certificate (the irony of a TLS reporting endpoint failing TLS is not lost on anyone).
Interpreting JSON report fields
A TLS-RPT JSON report follows this structure:
{
"organization-name": "Example Sender Inc.",
"date-range": {
"start-datetime": "2026-04-08T00:00:00Z",
"end-datetime": "2026-04-08T23:59:59Z"
},
"contact-info": "tlsrpt@sender.example.com",
"report-id": "2026-04-08T00:00:00Z_example.com",
"policies": [
{
"policy": {
"policy-type": "sts",
"policy-string": [
"version: STSv1",
"mode: enforce",
"mx: mail.example.com",
"max_age: 604800"
],
"policy-domain": "example.com"
},
"summary": {
"total-successful-session-count": 4523,
"total-failure-session-count": 12
},
"failure-details": [
{
"result-type": "certificate-expired",
"sending-mta-ip": "198.51.100.42",
"receiving-mx-hostname": "mail.example.com",
"receiving-ip": "203.0.113.10",
"failed-session-count": 8,
"additional-information": "Certificate expired 2026-04-07T12:00:00Z"
},
{
"result-type": "sts-webpki-invalid",
"sending-mta-ip": "198.51.100.43",
"receiving-mx-hostname": "mail.example.com",
"failed-session-count": 4,
"additional-information": "Unable to fetch MTA-STS policy: TLS handshake failed"
}
]
}
]
}Key fields to monitor:
total-failure-session-count-- if this is non-zero, some legitimate mail may be failing. Investigate the failure details.result-type-- identifies the category of failure. Certificate-related failures often indicate an expired or misconfigured cert on your MX server.receiving-mx-hostname-- tells you which of your MX servers had the problem.sending-mta-ip-- helps you identify which senders are affected. Reverse-DNS this IP to identify the organization.policy-type-- whether the failure was under MTA-STS (sts) or DANE (tlsa) policy evaluation.
Practical examples
Publishing a TLS-RPT DNS record
# DNS zone file entry
_smtp._tls.example.com. 3600 IN TXT "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"
# Verify it's published
dig +short TXT _smtp._tls.example.com
# Expected: "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"Decompressing an email-delivered report
Reports arrive as gzip-compressed JSON attachments. To read one:
# Extract and pretty-print a report
gunzip -c report.json.gz | python3 -m json.toolMonitoring workflow
A recommended deployment sequence:
- Deploy TLS-RPT first -- publish the
_smtp._tlsrecord before enforcing MTA-STS or DANE. This gives you visibility before policies start rejecting mail. - Deploy MTA-STS in testing mode -- set
mode: testingin the MTA-STS policy. Senders will evaluate the policy and report failures via TLS-RPT, but will not reject mail. - Monitor reports for 2-4 weeks -- look for
certificate-expired,certificate-host-mismatch, orsts-policy-fetch-errorresults. Fix any issues. - Switch to enforce mode -- once reports confirm clean delivery, change the MTA-STS policy to
mode: enforce. Continue monitoring TLS-RPT for regressions.
Common pitfalls
- Reporting address in a different domain -- if
rua=mailto:reports@other-domain.com, the other domain must publish a TLS-RPT authorization record or senders may refuse to send reports there. - Ignoring testing-mode reports -- MTA-STS testing mode still generates TLS-RPT reports. The whole point of testing mode is to catch issues before enforcement. Read the reports.
- Forgetting to renew MX certificates -- TLS-RPT will tell you when certificates expire, but only after senders start failing. Set up certificate monitoring independently.