See the TLS failures your mail server never tells you about.
Hand off to the full WebShield scanner, which covers this check alongside every other header, DNS and email auth probe.
TLS-RPT (RFC 8460) is the feedback loop MTA-STS was missing. Without it, you publish a policy and hope it works - TLS failures between sending MTAs and your servers are invisible. With TLS-RPT, conformant senders submit daily JSON reports to an endpoint you choose, listing every TLS negotiation failure, certificate mismatch, DNS issue and policy violation. WebShield verifies that the TXT record and the reporting endpoints are both live.
TLS-RPT is how you discover that a certificate rotation on a third-party MX host silently broke mail delivery from 4% of senders. Without it, you find out when someone complains. Every mature email security posture pairs MTA-STS enforce with TLS-RPT - the policy sets the guarantee, the reports verify it holds.
The scanner resolves _smtp._tls.<domain> and parses the TXT record for v=TLSRPTv1 and rua= values. Each rua URI is validated: mailto: addresses must parse as valid email; https: URIs must resolve and serve a valid certificate that the reporting sender will trust. The scanner also checks that a matching MTA-STS policy exists - TLS-RPT on its own is legal but strictly weaker.
_smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=mailto:[email protected]"
_smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=https://reports.example.com/tls-rpt"
_smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=mailto:[email protected],https://api.urimanager.example/tls-rpt"

# TLS-RPT reports arrive as daily gzipped JSON. Options:
# 1. Dedicated processors (URIports, Postmark, Valimail, Red Sift) - parse and dashboard
# 2. Self-host: receive at tls-reports@<domain>, decode with a gzip+json pipeline
# 3. HTTPS endpoint: accept POST with Content-Type: application/tlsrpt+gzip

A daily gzipped JSON document listing each policy and the counts of successful and failed TLS negotiations, broken down by failure type (STARTTLS stripping, expired certificate, mismatched MX, etc.). Mailbox reports arrive as attachments; HTTPS reports are POSTed with Content-Type: application/tlsrpt+gzip.
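As an added example (not WebShield's code), a Python sketch of the two pieces described above: validating an _smtp._tls TXT value (v= tag, rua= list, mailto:/https: destinations) and decoding a gzipped RFC 8460 report into per-policy-domain failure counts by result-type. The record strings and the report are constructed here, not captured from a live sender.

```python
import gzip
import json
import re
from urllib.parse import urlparse

MAILTO_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def parse_tlsrpt(txt):
    """Parse one _smtp._tls TXT value; return (ok, rua_uris, problems)."""
    fields = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            fields[k.strip().lower()] = v.strip()
    problems = []
    if fields.get("v") != "TLSRPTv1":
        problems.append("version tag must be v=TLSRPTv1")
    # rua= is a comma-separated list of reporting URIs
    ruas = [u.strip() for u in fields.get("rua", "").split(",") if u.strip()]
    if not ruas:
        problems.append("no rua= reporting URI")
    for uri in ruas:
        if uri.startswith("mailto:"):
            if not MAILTO_RE.match(uri[7:]):
                problems.append("invalid mailto address: " + uri)
        elif uri.startswith("https://"):
            if not urlparse(uri).hostname:
                problems.append("https URI without host: " + uri)
        else:  # RFC 8460 only defines mailto: and https: destinations
            problems.append("unsupported rua scheme: " + uri)
    return (not problems, ruas, problems)

def summarize_report(gz_bytes):
    """Decode a gzipped TLS-RPT JSON report into per-policy-domain counts."""
    report = json.loads(gzip.decompress(gz_bytes))
    out = {}
    for p in report["policies"]:
        dom = p["policy"]["policy-domain"]
        e = out.setdefault(dom, {"ok": 0, "fail": 0, "types": {}})
        e["ok"] += p["summary"]["total-successful-session-count"]
        e["fail"] += p["summary"]["total-failure-session-count"]
        for f in p.get("failure-details", []):  # absent when nothing failed
            t = f["result-type"]
            e["types"][t] = e["types"].get(t, 0) + f["failed-session-count"]
    return out

# Constructed sample report (not real sender data), gzipped as a sender would submit it
SAMPLE_REPORT = gzip.compress(json.dumps({
    "organization-name": "Constructed Sender", "report-id": "constructed-0001",
    "policies": [{"policy": {"policy-type": "sts", "policy-domain": "example.com"},
                  "summary": {"total-successful-session-count": 120, "total-failure-session-count": 3},
                  "failure-details": [{"result-type": "certificate-expired", "failed-session-count": 2},
                                      {"result-type": "starttls-not-supported", "failed-session-count": 1}]}]
}).encode())
```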
Technically no, but TLS-RPT without MTA-STS reports on an opportunistic-TLS baseline that is trivially bypassable. The pairing is: MTA-STS declares the requirement, TLS-RPT tells you when it's violated. Publish them together.
Yes. Point rua at the processor-provided address or endpoint. Most commercial processors (URIports, Postmark, Red Sift, Valimail) handle TLS-RPT alongside DMARC reporting.
One report per sending domain per day, gzipped JSON typically under 5 KB. Large senders (Google, Microsoft) submit daily; smaller senders may skip days with no activity.