100% FREE TOOL

TLS-RPT Record Checker

Verify your SMTP TLS Reporting configuration instantly. Improve email delivery troubleshooting and security compliance.

TLS-RPT Record Checker

Enter a domain name to check its TLS Reporting (TLS-RPT) records instantly.

What is TLS-RPT (SMTP TLS Reporting)?

TLS-RPT (Transport Layer Security Reporting) is an email security standard defined in RFC 8460. It allows email domain owners to request diagnostic reports from external mail servers (like Gmail, Outlook, etc.) about the success or failure of TLS encryption when delivering emails to their domain.

When you implement strict security protocols like MTA-STS (Mail Transfer Agent Strict Transport Security), it's crucial to know if emails are failing due to encryption issues. TLS-RPT closes this feedback loop by specifying a destination (usually an email address or a web URI) where these failure reports should be sent. This provides invaluable visibility into potential inter-compatibility issues or active attacks against your email infrastructure.

Why is TLS-RPT Crucial?

  • Visibility: See exactly why secure connections to your server fail.
  • Troubleshooting: Identify misconfigurations in your MTA-STS policy or SSL certificates.
  • Security: Detect potential downgrade attacks or Man-in-the-Middle (MitM) attempts.
  • Compatibility: Ensure you are not accidentally rejecting valid email traffic.

How to Use This Tool

1

Enter Domain Name

Type your domain (e.g., example.com) into the search bar above.

2

Click Check Record

Hit the button to query the DNS for the `_smtp._tls` TXT record.

3

Analyze Results

Review the raw record and parsed data. We'll show you if the record is valid and where reports are being sent (e.g., `mailto:` or `https:`).

Common TLS-RPT Record Syntax

A typical TLS-RPT record is published as a DNS TXT record at the subdomain `_smtp._tls`. It looks like this:

v=TLSRPTv1; rua=mailto:[email protected]
  • v=TLSRPTv1: Identifies the version of the protocol.
  • rua=...: "Reporting URI(s) for Aggregate data". This specifies where the reports should be sent. Common values use `mailto:` for email delivery or `https:` for web post delivery.

Related Tools

TLS-RPT is part of a larger ecosystem of email authentication protocols. Check out our other free tools to fully secure your domain:

FAQFrequently Asked Questions

Q:What is a TLS-RPT record and why is it important for email security?

A TLS-RPT (Transport Layer Security Reporting) record is a DNS TXT record that enables domain owners to receive reports about TLS encryption failures from external mail servers. It is defined in RFC 8460. It is important because it provides visibility into email delivery issues caused by encryption failures, certificate errors, or active attacks (like downgrades), which are critical for maintaining a secure email infrastructure alongside MTA-STS.

Q:How do I fix "No TLS-RPT record found" errors?

The error "No TLS-RPT record found" means the DNS lookup for _smtp._tls.yourdomain.com failed to return a valid TXT record. To fix this:
  • Ensure you have created a TXT record at the subdomain _smtp._tls.
  • Verify the record starts with the version tag v=TLSRPTv1.
  • Check that the record is published in the correct DNS zone (e.g., not on the root domain if it should be on a subdomain).

Q:What is the correct syntax for a TLS-RPT DNS record?

A valid TLS-RPT record must use the TXT type and be placed at _smtp._tls.[domain]. The content requires a version tag and at least one reporting URI.
Example: v=TLSRPTv1; rua=mailto:[email protected]
Keys:
  • v=TLSRPTv1: Version identifier (mandatory).
  • rua=...: Reporting URI(s) for aggregate reports (mandatory).

Q:How do I troubleshoot invalid "rua" syntax in TLS-RPT?

Invalid rua syntax often occurs due to missing schemes or incorrect delimiters.
  • Scheme required: You must include mailto: for emails or https: for web endpoints. (e.g., rua=mailto:[email protected]).
  • Separators: Multiple URIs must be separated by commas (e.g., rua=mailto:[email protected],https://report-uri.com).
  • Semicolons: Use semicolons to separate different tags (e.g., v=TLSRPTv1; rua=...).

Q:Can I use both mailto and https in my TLS-RPT record?

Yes, the TLS-RPT standard (RFC 8460) allows you to specify multiple delivery methods in the rua tag. This provides redundancy.
Example: rua=mailto:[email protected],https://collector.example.com/v1/tls-rpt.
Senders will attempt to deliver reports to the listed URIs, often trying them in order or based on support.

Q:What is the relationship between MTA-STS and TLS-RPT?

MTA-STS (Strict Transport Security) is the mechanism that enforces encryption, telling servers "You MUST encrypt emails to this domain." TLS-RPT is the reporting mechanism that tells you "Here is what happened when servers tried to encrypt."
While they can be used independently, they are best used together. MTA-STS prevents attacks, and TLS-RPT warns you if that protection is causing delivery failures due to misconfiguration.

Q:Why am I not receiving TLS-RPT reports (troubleshooting)?

If you have configured TLS-RPT but aren't seeing reports:
  • Volume: Only major providers (Google, Microsoft, etc.) send these reports, and usually only if they encounter traffic or issues. Low-volume domains may not receive daily reports.
  • Time: Reports are typically aggregated and sent once every 24 hours.
  • Syntax: Use this TLS-RPT Checker to ensure your record is syntactically correct and visible to the world.

Related DNS & Network Tools

Explore more powerful tools in this category.

MX Record Checker

Check Mail Exchange (MX) records for any domain name instantly.

SPF Record Checker

Verify Sender Policy Framework (SPF) records to prevent email spoofing.

DKIM Record Lookup

Retrieve and verify DomainKeys Identified Mail (DKIM) records.

DMARC Checker

Analyze DMARC records to ensure email authentication policies.

BIMI Record Checker

Check Brand Indicators for Message Identification (BIMI) records.

MTA-STS Record Checker

Verify MTA Strict Transport Security configurations.

Email Blacklist Checker

Check if your mail server IP is listed on major DNSBL blacklists.

Online Port Checker

Check if a specific port is open on a target server or IP.

Advance DNS Leak Test

Verify if your VPN is leaking DNS queries and protect your online privacy.

Resolve IP to Hostname

Perform a reverse DNS lookup to find the hostname of an IP.

Website to IP Lookup

Convert domain names to IP addresses with detailed DNS and geolocation information.

Advanced Traceroute Online

Record the whole path through which network request routes to the provided Domain or IP Address.

Advanced - IPsec VPN Phase 1 & 2 Parameter Matcher

Troubleshoot VPN site-to-site configuration mismatches by comparing Local and Remote Phase 1 and Phase 2 parameters.

Advanced DNSSEC Checker

Verify DNSSEC records (DNSKEY, DS, RRSIG) and check the Chain of Trust status instantly.

Advanced DANE Record Checker

Check and validate TLSA records for DANE (DNS-Based Authentication of Named Entities).

Advanced VoIP MOS Score Calculator

Calculate Mean Opinion Score (MOS) for VoIP based on Latency, Jitter, and Packet Loss.

Advanced Fresnel Zone Calculator

Calculate 1st Fresnel Zone radius and recommended clearance for wireless links.

Advanced EIRP Calculator

Calculate Effective Isotropic Radiated Power (EIRP) for wireless links.

Advanced Fiber Loss Budget Calculator

Calculate total optical fiber loss budget, including splices and connectors, for reliable network planning.

Advanced Antenna Downtilt and Coverage Calculator

Calculate optimal antenna downtilt angle and coverage radius for precise network planning.

Advanced MTU Calculator

Calculate MTU, MSS, and protocol overheads (IPv4, IPv6, VLAN, PPPoE, etc.) for network optimization.