Deliverability.Email: Advanced Email Deliverability Audit & Troubleshooting Tools

TLS-RPT Record Generator

Generate RFC 8460 compliant TLS-RPT records for email security reporting

Record Length:0/255

Endpoints:0

Step 1 of 4

Domain Configuration

Domain Information

Domain *Enter the domain that will send emails and receive TLS failure reports

Enable TLS reporting for this domain?

If disabled, no TLS-RPT record will be generated

What is TLS-RPT?

TLS-RPT (Transport Layer Security Reporting) allows sending email servers to share statistics about potential TLS failures with your domain, helping you monitor email security.

The TLS-RPT record will be published at: _smtp._tls.yourdomain.com

Live Preview

Configure your domain settings above to generate a TLS-RPT record

TLS-RPT Information & Resources

What is TLS-RPT?

TLS-RPT (Transport Layer Security Reporting) is a mechanism defined in RFC 8460 that allows sending email servers to share statistics and details about potential TLS failures with recipient domain owners.

It works alongside MTA-STS and DANE to provide visibility into secure email delivery, helping domain owners understand when and why secure connections fail.

Key Benefits:

Monitor TLS connection failures in real-time
Identify certificate and configuration issues
Improve email security posture
Compliance with security standards
Enhanced visibility into email delivery security

Common TLS Failure Types

Failure Type	Category	Description
`starttls-not-supported`	TLS Negotiation	The receiving server does not support STARTTLS extension
`certificate-host-mismatch`	Certificate Issues	Server certificate does not match the hostname
`certificate-not-trusted`	Certificate Issues	Server certificate is not trusted by the sending server
`certificate-expired`	Certificate Issues	Server certificate has expired
`validation-failure`	TLS Negotiation	General TLS validation error occurred
`sts-policy-fetch-error`	MTA-STS Related	Unable to retrieve MTA-STS policy from the well-known URL
`sts-policy-invalid`	MTA-STS Related	MTA-STS policy contains syntax errors or invalid directives
`sts-webpki-invalid`	MTA-STS Related	Certificate validation failed under WebPKI constraints
`tlsa-invalid`	DNS/DANE Related	DANE TLSA record validation failed
`dnssec-invalid`	DNS/DANE Related	DNSSEC validation failed for DANE records
`dane-required`	DNS/DANE Related	DANE TLSA records are required but not found

Best Practices

Use multiple reporting endpoints for redundancy
Monitor report volumes to ensure your endpoints can handle the load
Set up proper authentication for HTTPS endpoints
Consider using a dedicated subdomain for TLS reporting
Regularly review failure reports to identify delivery issues
Coordinate TLS-RPT deployment with MTA-STS implementation
Test your reporting endpoints before publishing DNS records
Keep DNS TTL reasonably low during initial deployment
Document your TLS-RPT implementation for your team

DNS Setup Guide

DNS Record Details

TLS-RPT records must be published as TXT records at a specific subdomain:

_smtp._tls.yourdomain.com

Record Format

The basic TLS-RPT record format includes:

v=TLSRPTv1 - Version identifier (required)
rua= - Comma-separated list of reporting URIs (required)

Example Records

Email only:

v=TLSRPTv1; rua=mailto:tls-reports@example.com

Multiple endpoints:

v=TLSRPTv1; rua=mailto:tls-reports@example.com,https://reports.example.com/tls

DNS Propagation

After publishing your TLS-RPT record, allow up to 48 hours for DNS propagation. You can verify the record using DNS lookup tools.

TLS-RPT Record Generator

Domain Configuration

Domain Information

TLS-RPT Information & Resources

Key Benefits:

DNS Record Details

Record Format

Example Records

DNS Propagation

Official Documentation

Testing Tools

Educational Resources

Settings

System Utilization

TLS-RPT Record Generator

Domain Configuration

Domain Information

TLS-RPT Information & Resources

Key Benefits:

DNS Record Details

Record Format

Example Records

DNS Propagation

Official Documentation

Testing Tools

Educational Resources