WQI.webqualityindex

Email health

SMTP TLS Reporting (TLS-RPT)

The reporting half of MTA-STS / DANE. A daily JSON digest of every TLS handshake failure to your domain — the only way to know your inbound mail is being downgraded.

Authority: IETF
Version: RFC 8460
Jurisdiction: Global
Source: datatracker.ietf.org
Last reviewed: 2026-04-28
Last verified: pending

What it is

SMTP TLS Reporting — RFC 8460. A `_smtp._tls` DNS TXT record advertising a `mailto:` or `https:` endpoint that receives aggregate JSON reports of TLS negotiation failures and policy validation failures from sending MTAs.

Why it matters

Setting MTA-STS without TLS-RPT is flying blind. Reports surface expired certs, broken cipher suites, and MITM downgrade attempts before users complain. Trivial to enable; pays for itself the first time you catch a misconfig.

Who it applies to

Every domain that publishes an MTA-STS or DANE policy.

How WQI scores it

Web Quality Index considers this standard satisfied when the supporting factor passes.

| # | Factor | Status |
|---|--------|--------|
| 24 | MTA-STS & TLS-RPT | planned |

0 of 1 supporting factors are currently collected. Sites where the remaining 1 hasn't been measured will show as partial or unknown on this standard until the data lands.

Related standards

See also
MTA-STS, DMARC

Examples

Passing DNS record

```dns
_smtp._tls.example.com.  IN TXT  "v=TLSRPTv1; rua=mailto:tls-reports@example.com"
```

`rua=` can also point to an `https:` endpoint that receives the JSON report. Most ESPs will parse it for you.
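
If you receive the reports yourself, the following is an added example (not WQI's or any ESP's code) of a minimal reader for the aggregate JSON that arrives at the `rua=` address. Field names and result types follow RFC 8460; the sample report, the `summarize` function and the downgrade triage rule are assumptions of this example.

```python
import gzip
import json
from collections import Counter

# Constructed sample report using RFC 8460 field names; every value is made up.
SAMPLE_REPORT = json.dumps({
    "report-id": "constructed-0001",
    "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "example.com"},
        "summary": {"total-successful-session-count": 950,
                    "total-failure-session-count": 50},
        "failure-details": [
            {"result-type": "certificate-expired", "failed-session-count": 40,
             "receiving-mx-hostname": "mx1.example.com"},
            {"result-type": "starttls-not-supported", "failed-session-count": 10,
             "receiving-mx-hostname": "mx2.example.com"},
        ],
    }],
}).encode()

# Assumption (triage rule of this example, not from the RFC): a sender that saw
# no STARTTLS offer may be behind something stripping it, so count it separately.
DOWNGRADE_TYPES = {"starttls-not-supported"}


def summarize(raw: bytes) -> dict:
    """Summarise one TLS-RPT report; accepts plain or gzip-compressed JSON."""
    if raw[:2] == b"\x1f\x8b":  # gzip magic bytes; reports often arrive compressed
        raw = gzip.decompress(raw)
    ok = failed = 0
    by_type, by_mx = Counter(), Counter()
    for entry in json.loads(raw).get("policies", []):
        summary = entry.get("summary", {})
        ok += summary.get("total-successful-session-count", 0)
        failed += summary.get("total-failure-session-count", 0)
        for detail in entry.get("failure-details", []):
            n = detail.get("failed-session-count", 0)
            by_type[detail.get("result-type", "unknown")] += n
            by_mx[detail.get("receiving-mx-hostname", "unknown")] += n
    total = ok + failed
    return {
        "failure_rate": failed / total if total else 0.0,
        "by_type": dict(by_type),
        "by_mx": dict(by_mx),
        "possible_downgrade": sum(by_type[t] for t in DOWNGRADE_TYPES),
    }

if __name__ == "__main__":
    print(json.dumps(summarize(gzip.compress(SAMPLE_REPORT)), indent=2))
```

A non-zero `possible_downgrade` count for an MX that does offer STARTTLS is the case to investigate first; certificate result types usually point at your own configuration.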