TLS-RPT — SMTP TLS Reporting

RFC: 8460 (Sept 2018) Layer: Reporting (transport security) Companion to: MTA-STS (8461), DANE (7672) Top sender: Google #1, Microsoft #2 Last updated: May 2026 Reading time: 13 min
Definition

SMTP TLS Reporting — a feedback mechanism by which sending mail servers share daily statistics about TLS connection success and failure when delivering mail to a domain. The recipient publishes a DNS TXT record at _smtp._tls.example.com declaring an aggregate report URI (mailto: or https:); compliant senders submit JSON reports daily covering observed policies (MTA-STS, DANE), session counts, and detailed failure breakdowns by result-type. TLS-RPT is the visibility layer that makes safe MTA-STS rollout possible — without it, advancing from testing to enforce mode means flying blind.

The visibility problem TLS-RPT solves

SMTP TLS issues are uniquely invisible from the recipient's perspective. When a sending MTA encounters a TLS problem delivering to your domain — an expired certificate on an MX host, a STARTTLS-stripping attacker, an MTA-STS policy mismatch, an invalid DANE TLSA record — the failure happens entirely on the sender's side, before any mail arrives at your servers. You have no log entries to inspect, no SMTP transcript to analyze, no symptom in your own infrastructure. The mail simply doesn't arrive, or arrives in plaintext when it should have been encrypted, and you have no way to know.

This invisibility becomes operationally dangerous as soon as you deploy MTA-STS in enforce mode. Under enforce, sending MTAs that fail TLS verification will refuse to deliver the message — legitimate mail bounces. Without TLS-RPT, the only signal you receive is angry users complaining that their email isn't arriving, days after the failure window started. The testing → enforce rollout sequence is fundamentally a TLS-RPT-driven process: publish the policy in testing mode, monitor TLS-RPT reports for 2-4 weeks, fix every failure category that appears in reports, then advance to enforce.

The same applies to DANE. Without TLS-RPT, a misconfigured TLSA record or a DNSSEC validation failure causes silent delivery loss with no diagnostic signal at the receiver. TLS-RPT reports DANE failures with the same structure as MTA-STS failures, identifying TLSA-specific result-types like tlsa-invalid and dnssec-invalid.

How TLS-RPT works — the reporting flow

TLS-RPT is operationally simple compared to most email security protocols: one DNS TXT record, no infrastructure, no certificates, no policy file. Sending MTAs that support TLS-RPT check for the record before delivering mail to your domain; if present, they aggregate session statistics throughout the day and submit a JSON report at the end of the 24-hour reporting window.

Step 1 — Publication
Domain owner publishes _smtp._tls.example.com TXT Record contains v=TLSRPTv1; rua=mailto:... or https:...
Step 2 — Sender discovery
Sending MTA queries _smtp._tls.example.com If record exists, accumulate per-session stats
Step 3 — Daily aggregation
24-hour UTC window (00:00 → 24:00) Random delay 0-4h Generate gzipped JSON report
Step 4 — Submission
Send to rua= endpoint(s) mailto: → email attachment / https: → POST application/tlsrpt+gzip

Reports arrive once per 24-hour period from each sender that supports TLS-RPT. A typical domain receiving inbound mail from Gmail, Microsoft 365, and a handful of corporate senders sees 5-15 reports per day. The first report typically arrives 24-48 hours after the TXT record is published, with Google usually being the first to deliver one.

The DNS TXT record

# DNS TXT record at _smtp._tls.example.com _smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=mailto:tls-reports@example.com" # HTTPS endpoint instead of email: _smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=https://reports.example.com/v1/tlsrpt" # Multiple endpoints (comma-separated): _smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=mailto:tls-reports@example.com,https://reports.example.com/v1/tlsrpt" # Manual lookup from command line $ dig +short TXT _smtp._tls.example.com "v=TLSRPTv1; rua=mailto:tls-reports@example.com" # Required directives: # v=TLSRPTv1 — version (always TLSRPTv1, no v=1 or v=TLSRPT) # rua=<URI> — at least one aggregate report URI # Optional directives: # Standard does not currently define ruf= (per-failure URI) — only rua= is used
The TLS-RPT record is per-domain, not inherited. If you operate example.com and example.org, each needs its own _smtp._tls.<domain>. TXT record. Sending MTAs perform DNS lookup at _smtp._tls.<recipient-domain> based on the recipient's domain, not the organizational domain. You can point all records to the same rua= mailbox or HTTPS endpoint — that's fine — but each domain must have its own TXT record published.

The JSON report — anatomy field by field

The TLS-RPT report is a JSON document, gzip-compressed for transport. Files arrive as .json.gz attachments (email transport) or as gzipped POST bodies (HTTPS transport) with media type application/tlsrpt+gzip. Below is a real-shape report with annotations on every field — the structure most documentation glosses over.

{ "organization-name": "Google Inc.", // the sender's organization "date-range": { "start-datetime": "2026-05-05T00:00:00Z", // 24h UTC reporting window start "end-datetime": "2026-05-06T00:00:00Z" // window end }, "contact-info": "smtp-tls-reporting@google.com", // sender's contact for questions "report-id": "2026-05-06T00:00:00Z_example.com", // unique report identifier "policies": [ // array — one entry per policy observed { "policy": { "policy-type": "sts", // "sts" | "tlsa" | "no-policy-found" "policy-string": [ // raw policy lines as observed "version: STSv1", "mode: enforce", "mx: mx1.example.com", "max_age: 604800" ], "policy-domain": "example.com" // the domain the policy applies to }, "summary": { "total-successful-session-count": 4523, // sessions that succeeded under the policy "total-failure-session-count": 2 // sessions that failed }, "failure-details": [ // only present if failures > 0 { "result-type": "certificate-expired", // one of 11 RFC 8460 result types "sending-mta-ip": "209.85.220.41", // sender's IP that hit the failure "receiving-mx-hostname": "mx1.example.com", // recipient MX where it failed "failed-session-count": 2, // number of sessions with this failure "additional-information": "https://...", // optional URL with more detail "failure-reason-code": "X509_V_ERR_CERT_HAS_EXPIRED" // optional protocol error code } ] } ] }

Reports without failures still arrive — they're not just error reports. The summary block tells you how many TLS sessions succeeded, which is useful for tracking overall sender volume and confirming MTA-STS policy is being observed. The failure-details array is what you focus on when debugging.

The 11 result-types — what each one means and how to fix it

RFC 8460 defines 11 standardized failure types in three categories: certificate failures (cert problems on the receiving MX), STARTTLS failures (TLS negotiation problems), and policy failures (MTA-STS or DANE policy issues). Most documentation lists 3-4 of these. Below is the complete set with the operational fix for each — the table that actually closes the diagnostic loop.

Categoryresult-typeMeaningOperational fix
Certificate certificate-host-mismatch TLS cert presented by your MX doesn't match the expected hostname (cert is for a different domain). Issue a new cert whose SAN includes the exact MX hostname (e.g., mx1.example.com). Wildcard certs work if the MX is at the wildcard level.
Certificate certificate-expired Cert presented by your MX has passed its validity end date. Renew immediately. Set up automated renewal (Let's Encrypt + certbot, ACME automation) with at least 30-day buffer before expiration.
Certificate certificate-not-trusted Cert chain not trusted by sender's PKI store. Often means missing intermediate cert, self-signed cert, or untrusted CA. Configure the MX to serve full intermediate cert chain. Verify with openssl s_client -connect mx1.example.com:25 -starttls smtp -showcerts.
STARTTLS starttls-not-supported Your MX didn't advertise STARTTLS during the EHLO response. Mail flowed in plaintext (or was rejected under MTA-STS enforce). Enable STARTTLS on the receiving MTA (Postfix smtpd_tls_security_level = may, Exim tls_advertise_hosts). Verify with telnet to port 25 + EHLO.
STARTTLS validation-failure Generic TLS handshake failure not categorized above. Often cipher mismatch, TLS version mismatch, or protocol error. Check TLS version (require TLS 1.2+, disable SSLv3/TLS 1.0/TLS 1.1), audit cipher suite list. openssl s_client -tls1_2 to test specific versions.
Policy sts-policy-fetch-error Sender couldn't retrieve MTA-STS policy via HTTPS. DNS resolution, TCP connectivity, HTTP error, or timeout. Verify mta-sts.example.com A/AAAA records, HTTPS reachability, port 443 open. Test with curl -I https://mta-sts.example.com/.well-known/mta-sts.txt.
Policy sts-policy-invalid MTA-STS policy file syntax invalid: missing required directives, malformed mx: lines, version not STSv1. Validate policy syntax with URIports, MxToolbox, or CaptainDNS validator. Re-publish corrected policy and bump id in DNS TXT.
Policy sts-webpki-invalid HTTPS cert at MTA-STS policy host (mta-sts.example.com) failed PKIX validation: expired, self-signed, hostname mismatch. Provision a valid cert for mta-sts.<domain> via Let's Encrypt. Auto-renew. Same constraints as your MX certs.
Policy tlsa-invalid DANE TLSA record failed validation. Cert hash doesn't match TLSA record's hash, or TLSA record is malformed. Regenerate TLSA records when MX cert changes. Use openssl x509 -in cert.pem -outform DER | sha256sum for SHA-256 hash. Update TLSA per usage/selector/matching type.
Policy dnssec-invalid DNSSEC validation failed for a record needed by DANE evaluation. Zone signatures invalid, expired, or chain broken. Audit DNSSEC chain with dig +trace +dnssec example.com or DNSViz. Common: expired DNSKEY/RRSIG, KSK rotation without DS update at parent.
Policy dane-required Sender's policy required DANE but recipient didn't publish TLSA records. Sender refused delivery. Either publish DANE TLSA records (and DNSSEC-sign the zone), or coordinate with the sender to relax the DANE-required requirement on their side.

Diagnostic workflow — failure type to root cause to fix

When a TLS-RPT report shows non-zero failures, the result-type is the diagnosis starting point. Below is the operational triage flow most teams need: which result-types are typically symptomatic of which underlying conditions, ordered by frequency in production environments.

certificate-expired

Root: forgotten cert renewal

Most common failure across the fleet. Almost always means a cert renewal cycle was missed on a specific MX host. Check every MX in your domain — the failure is typically isolated to one host while others are healthy.

→ Set up automated cert renewal with monitoring

certificate-host-mismatch

Root: cert SAN doesn't include MX hostname

Cert was issued for the apex domain or a different subdomain. Common after MX hostname changes. Less common at major providers because they manage certs centrally.

→ Reissue cert with all MX hostnames in SAN

certificate-not-trusted

Root: missing intermediate cert in MX chain

Common after migrating to a new CA. The leaf cert is valid but the intermediate cert isn't being served by the MTA. Some senders fetch intermediates dynamically (AIA), but not all do — serve the full chain to be safe.

→ Configure MTA to serve full cert chain

starttls-not-supported

Root: secondary MX lacks TLS config

Often a backup or secondary MX added years ago without proper TLS configuration. Primary MX works, secondary doesn't. Audit every MX, not just the primary.

→ Enable STARTTLS on every listed MX

sts-policy-fetch-error

Root: HTTPS policy host unreachable

Most common cause: missing A/AAAA record at mta-sts.<domain>. Less common: webserver outage, firewall blocking port 443, ACME renewal failure leaving cert expired.

→ Verify A/AAAA + HTTPS reachability

sts-webpki-invalid

Root: cert at policy host expired or wrong

Distinct from MX cert issues — this is the cert at mta-sts.example.com, the HTTPS host serving the policy. Often forgotten in renewal automation because it's a separate hostname.

→ Include policy host in cert renewal automation

validation-failure (generic)

Root: TLS version or cipher mismatch

Catch-all for handshake failures not categorized elsewhere. Usually traces to disabled TLS 1.2/1.3, weak ciphers excluded, or older sender that doesn't support your modern config.

→ Audit TLS config; require TLS 1.2+, modern ciphers

tlsa-invalid (DANE only)

Root: TLSA record stale after cert rotation

DANE-specific. When the MX cert is renewed, the TLSA record's hash must be updated to match the new cert. Forgetting this step is the #1 DANE operational issue.

→ Automate TLSA record update with cert renewal

rua= endpoint patterns — mailto vs HTTPS vs multi

The rua= directive supports three deployment patterns. Choice depends on report volume, processing requirements, and operational preferences. None is wrong; each has trade-offs.

mailto: pattern Most common

rua=mailto:tls-reports@example.com

Reports arrive as email attachments to a dedicated mailbox. Easy to set up — no infrastructure beyond a mailbox. Compatible with all senders.

+ Pros:
  • Zero infrastructure — just a mailbox
  • Universal sender compatibility
  • Easy manual review
− Cons:
  • If your TLS infra has issues, reports may also fail to arrive
  • 10MB attachment limits at receiving mail systems
  • Manual aggregation across providers

HTTPS endpoint High volume

rua=https://reports.example.com/v1/tlsrpt

Reports POSTed to your HTTPS endpoint with content-type application/tlsrpt+gzip. Direct ingestion into analytics pipelines.

+ Pros:
  • Independent of your mail infrastructure
  • Direct to processing pipeline
  • Higher reliability for high-volume domains
− Cons:
  • Need an HTTPS endpoint accepting POSTs
  • Some senders skip HTTPS endpoints
  • Slightly more complex setup

Multiple endpoints Redundancy

rua=mailto:...,https://...

Comma-separated list. Per RFC 8460, senders MAY attempt all listed endpoints — providing redundancy in case one fails.

+ Pros:
  • Fallback if one endpoint fails
  • Multiple analytics platforms simultaneously
  • Email + HTTPS combo for review + analytics
− Cons:
  • Microsoft only sends to the FIRST endpoint — see callout below
  • Some redundancy theoretical, not practical
The Microsoft rua= flaw. A documented Microsoft 365 implementation issue: when multiple rua= URIs are listed comma-separated, Microsoft sends reports only to the first URI, ignoring all subsequent endpoints. Other senders (Google, Comcast, Mimecast) attempt all listed URIs per RFC. The practical impact: if you're using a TLS-RPT analytics platform but your dedicated mailbox is listed first, the analytics platform will receive Microsoft reports indirectly (forwarded by your mailbox), but if the analytics platform endpoint is listed second, it receives 0 Microsoft reports directly. Solution: put your most important rua= endpoint first. This is the most common cause of "we have TLS-RPT but reports look incomplete" investigation traces.

Sender support matrix — who actually sends TLS-RPT reports

Despite TLS-RPT being on the books since 2018, sender support is uneven. Below is the empirical sender matrix as of May 2026, based on URIports' aggregated report ingestion data and report metadata inspection across hundreds of receiving domains. The list is roughly ordered by volume of reports generated.

SenderSends TLS-RPT?StartedNotes
1 Google / Gmail ✓ Yes April 2019 First major provider to support. Largest volume of reports. Sends to all listed rua= endpoints.
2 Microsoft 365 ✓ Yes (with bug) 2022 Reports only sent to first rua= endpoint listed. Threshold: 2 emails in 24h UTC window.
3 Comcast ✓ Yes 2021 One of the original RFC 8460 author organizations. Reliable reporter.
4 Mail.ru ✓ Yes 2020 Major Russian provider. Significant volume for domains with .ru recipients.
5 Mimecast ✓ Yes 2022 Email security gateway provider. Reports cover both their own outbound and customers using their relay.
Yahoo / AOL ⚠ Inconsistent Some reports observed but not consistently. Coverage may improve over time.
Apple iCloud Mail ✗ No Apple has not announced TLS-RPT support as of May 2026.
Proton Mail ✗ No Not supported in 2026. Proton-to-domain mail bypasses TLS-RPT visibility.
Fastmail ✗ No Not implemented as of 2026.
Cisco IronPort gateway ✗ No Enterprise email gateway; doesn't generate TLS-RPT reports.
Proofpoint ⚠ Limited Some Proofpoint configurations send reports; not universal.
What sender coverage means in practice. The five top senders (Google, Microsoft, Comcast, Mail.ru, Mimecast) cover the bulk of inbound mail to most B2C-receiving domains and a meaningful share of B2B. For a typical enterprise receiving mail from these senders plus various corporate Exchange/Postfix systems, TLS-RPT reports cover roughly 60-80% of inbound mail volume. The remaining gap (Apple, Yahoo inconsistent, Proton, Fastmail, various corporate MTAs) means TLS-RPT is a high-quality signal but not a complete picture. Treat reports as "best available visibility" rather than "complete monitoring."

TLS-RPT vs DMARC reports — same architecture, opposite direction

If you're already operating DMARC aggregate (RUA) reporting, TLS-RPT will feel architecturally familiar. The protocols use the same DNS TXT + rua= URI pattern, the same daily 24-hour aggregation window, the same gzipped-XML/JSON format approach. They're complementary, not redundant — they cover different layers.

DimensionDMARC RUA reportsTLS-RPT reports
Protocol DMARC (RFC 7489) TLS-RPT (RFC 8460)
What it monitors SPF/DKIM authentication results, alignment TLS encryption success/failure, MTA-STS/DANE policy compliance
Direction of flow Receiver → sender (who claimed to send as you) Sender → receiver (whether senders encrypted to you)
Layer Message authentication Transport security
DNS location _dmarc.example.com _smtp._tls.example.com
Format XML, gzip-compressed JSON, gzip-compressed
Frequency Daily (24h aggregation) Daily (24h aggregation)
Versioning v=DMARC1 v=TLSRPTv1
Endpoints rua=mailto:... rua=mailto:... or rua=https://...

Both should be deployed. DMARC tells you who's sending as your domain; TLS-RPT tells you whether the senders are encrypting to your servers. Without DMARC RUA, you don't know who's spoofing you. Without TLS-RPT, you don't know whether your transport security is working. Mature email security postures have both deployed and both reports actively reviewed.

Operational considerations for the rua= mailbox

If using rua=mailto:, the receiving mailbox needs specific considerations that don't apply to typical mailboxes. Misconfigurations here are responsible for "TLS-RPT is set up but I never see any reports" investigations.

Mailbox auto-rejects messages with attachments

Senders stop trying after a few bounces

Some mail systems block all attachments, treating them as spam. TLS-RPT reports are gzipped JSON attachments. If your mailbox rejects them, sending MTAs eventually mark your domain as undeliverable for reports. Fix: dedicated mailbox with attachment policy permissive for application/tlsrpt+gzip and application/json.

Mailbox over quota

Newer reports bounce; old reports linger

Daily reports across multiple senders accumulate quickly. A 5-15 reports/day domain receives ~5,000 reports/year. Without rotation or auto-archival, the mailbox fills up. Fix: auto-purge reports older than 30 days, or use a mailbox with high quota.

Auto-responder sending replies

Sender mail systems may treat replies as bounces

Out-of-office or "thank you, we received your message" replies on the rua= mailbox can be misinterpreted by sender's bounce processing. Best to use a no-reply mailbox or one with auto-responders disabled.

Spam filtering catches reports

Reports arrive in junk folder, not inbox

Some spam filters flag inbound mail with gzip attachments and JSON content. Reports may be quarantined silently. Fix: whitelist known TLS-RPT senders (Google, Microsoft, Comcast SMTP IPs) or use HTTPS endpoint to bypass mail filtering entirely.

TLS-RPT in Cloud Server for Email's managed infrastructure

For clients on managed PowerMTA + MailWizz infrastructure, TLS-RPT is configured alongside MTA-STS during the day 1-3 onboarding sequence. The patterns we use across most accounts:

  • Hosted HTTPS endpoint by default. Each client domain gets rua=https://<cse-tlsrpt-endpoint> pointing to our managed ingestion. Reports are parsed, normalized, and aggregated across all client domains in a single dashboard. Avoids the mailbox quota and attachment-handling concerns above.
  • Pre-MTA-STS deployment. TLS-RPT goes live before MTA-STS even in testing mode. This way the first 7 days produce baseline data on TLS issues before adding policy-related failures into the report stream. Helps distinguish baseline TLS issues (bad cert on a secondary MX) from policy-introduced issues.
  • First-position endpoint. Where clients want both an internal mailbox and our managed endpoint, the rua= list is structured with our endpoint first to ensure Microsoft reports route to analytics. The internal mailbox receives forwarded copies via our processing layer if needed.
  • Weekly review of failure-details across all clients. Aggregate failure-type counts per client domain are reviewed weekly. Most domains show zero or single-digit failures per week; any sustained pattern triggers investigation. Persistent certificate-expired on a specific MX = renewal automation issue. Persistent starttls-not-supported = secondary MX misconfiguration.
  • Proactive certificate expiration monitoring. Independent of TLS-RPT, our managed infra monitors cert expiration for every MX host across client domains. The combination ensures issues are caught before TLS-RPT reports them — TLS-RPT becomes confirmation rather than first detection.
  • Cross-correlation with DMARC aggregate reports. Both report streams flow into the same dashboard for clients running both. Patterns across both layers (e.g., DMARC failures correlated with TLS issues at specific senders) surface attack patterns that neither protocol catches alone.

Auditing your TLS-RPT — practical workflow

# 1. Verify the DNS TXT record exists and is well-formed $ dig +short TXT _smtp._tls.example.com "v=TLSRPTv1; rua=mailto:tls-reports@example.com" # 2. Verify rua= endpoint is reachable # For mailto: send a test message and verify it lands $ echo "test" | mail -s "TLS-RPT test" tls-reports@example.com # For https: send a test POST and verify 200 response $ curl -X POST https://reports.example.com/v1/tlsrpt \ -H "Content-Type: application/tlsrpt+gzip" \ --data-binary @sample-report.json.gz # 3. Check report arrival 24-48 hours after publication # Google typically delivers first; check rua= mailbox/endpoint # 4. Validate JSON report structure $ gunzip -c report.json.gz | jq '.' # 5. Aggregate failure counts $ gunzip -c report.json.gz | \ jq '.policies[].failure-details[]?."result-type"' | sort | uniq -c # 6. Use online validators for syntax check # - URIports TLS-RPT lookup # - MxToolbox TLS-RPT validator # - CaptainDNS TLS-RPT checker # 7. Schedule weekly review of failure-details across all reports # Group by result-type, sender, and receiving-mx-hostname # Patterns surface infrastructure issues
  • MTA-STS — the policy mechanism that enforces TLS for inbound mail. TLS-RPT is its companion reporting layer.
  • DANE/TLSA — alternative transport-security mechanism using DNSSEC. TLS-RPT also reports DANE failures with policy-type: tlsa. (Coming soon)
  • STARTTLS — the SMTP TLS upgrade extension whose failures are reported via starttls-not-supported and validation-failure result-types. (Coming soon)
  • DNSSEC — required for DANE; failures appear in TLS-RPT as dnssec-invalid. (Coming soon)
  • DMARC — message-authentication reporting; same architecture, opposite direction. Both should be deployed.
  • SPF, DKIM — message-authentication; complementary to TLS-RPT's transport-security layer.

Frequently asked questions

What is TLS-RPT and why does it exist?

TLS-RPT (SMTP TLS Reporting, RFC 8460) is a feedback mechanism by which sending mail servers share daily reports about TLS connection success and failure when delivering to your domain. It exists because TLS-related delivery problems (expired certificates, STARTTLS stripping, MTA-STS policy violations, DANE failures) are otherwise invisible to the recipient — the receiver doesn't know that legitimate mail bounced because of a TLS issue at the sender's end. TLS-RPT closes that gap with structured JSON reports listing what worked, what failed, and why. It's the companion protocol to MTA-STS (RFC 8461) and DANE (RFC 7672) — published by the same authors at the same time as MTA-STS in September 2018.

How do I set up TLS-RPT?

Publish a single DNS TXT record at _smtp._tls.example.com containing v=TLSRPTv1; rua=mailto:tls-reports@example.com (or rua=https://endpoint.example.com/tlsrpt for HTTPS POST delivery). Both transports are allowed. The dedicated mailbox or HTTPS endpoint must accept incoming reports; if mail bounces from the rua address or the HTTPS endpoint returns errors, sending MTAs may stop attempting reports after a few failed deliveries. Verify with dig +short TXT _smtp._tls.example.com and you're done — no other infrastructure required. Reports start arriving 24-48 hours after publication, with Google typically the first sender to deliver one. Most domains receive 5-15 reports per day depending on inbound mail volume.

What's the difference between TLS-RPT and DMARC reports?

Different layers, different directions, similar architecture. DMARC RUA reports flow from receivers to senders — they tell you who claimed to send as your domain and whether SPF/DKIM authenticated. TLS-RPT reports flow from senders to receivers (the opposite direction!) — they tell you whether senders successfully encrypted mail to your servers. DMARC verifies who sends; TLS-RPT verifies how mail is transported. Both use DNS TXT records with rua tags pointing to mailto: or https: endpoints, both produce daily JSON reports, both support multiple aggregation endpoints. They're complementary, not redundant — production deployments need both for full email security visibility.

Which sending MTAs actually send TLS-RPT reports?

Sender support is uneven. The largest TLS-RPT report sources by volume in 2026 are: Google/Gmail (#1, supported since April 2019), Microsoft 365 (#2), Comcast (#3), Mail.ru (#4), and Mimecast (#5). Most other major providers either don't send TLS-RPT reports or send them inconsistently. Importantly, Microsoft has a documented bug: it sends reports only to the first rua= endpoint listed in the DNS record, ignoring subsequent endpoints. If you list multiple rua= URIs hoping for redundancy, only the first one receives Microsoft's reports. Reports from other senders behave per RFC and may attempt all listed endpoints. The practical implication: put your most important rua= first in the comma-separated list.

What are the 11 TLS-RPT failure result-types?

RFC 8460 defines 11 failure types in 3 categories. Certificate failures: certificate-host-mismatch (cert hostname doesn't match MX), certificate-expired (cert past validity), certificate-not-trusted (cert chain not trusted by sender). STARTTLS failures: starttls-not-supported (MX doesn't advertise STARTTLS), validation-failure (general TLS handshake failure). Policy failures: sts-policy-fetch-error (couldn't retrieve MTA-STS policy), sts-policy-invalid (policy syntax invalid), sts-webpki-invalid (HTTPS cert at policy host invalid), tlsa-invalid (DANE TLSA record invalid), dnssec-invalid (DNSSEC validation failed for DANE), dane-required (DANE was expected but TLSA records missing). Each result-type has a specific operational fix; the report tells you exactly which condition occurred at which MX, with counts.

Can I send TLS-RPT reports to an HTTPS endpoint instead of email?

Yes. The rua= directive supports both mailto: and https: schemes. HTTPS delivery is preferred for high-volume domains because email-based reporting can suffer from the report itself being subject to TLS issues, gzip-decompression overhead in mail clients, and 10MB report-size limits at receiving mailservers. The HTTPS pattern: rua=https://reports.example.com/v1/tlsrpt — the sender POSTs the gzip-compressed JSON report to the URL with Content-Type application/tlsrpt+gzip. You can list multiple endpoints separated by commas: rua=mailto:tls-reports@example.com,https://reports.example.com/v1/tlsrpt. Most TLS-RPT analytics platforms (URIports, dmarcian, EasyDMARC) provide HTTPS ingestion endpoints.

How is the TLS-RPT JSON report structured?

Top-level fields: organization-name (sender's org name), date-range (start-datetime/end-datetime, 24h UTC), contact-info (sender's contact email), report-id (unique identifier, often timestamp_domain), and policies (array). Each policy entry has policy (with policy-type 'sts'/'tlsa'/'no-policy-found', policy-string array of policy lines, policy-domain), summary (total-successful-session-count, total-failure-session-count), and failure-details (array of result-type, sending-mta-ip, receiving-mx-hostname, failed-session-count, plus optional failure-reason-code and additional-information). Reports are typically gzip-compressed (.json.gz extension, application/tlsrpt+gzip media type). The compressed format keeps reports under the 10MB receiver limit common in mail systems.

What happens if my TLS-RPT mailbox bounces?

Sending MTAs that try to deliver TLS-RPT reports to a mailbox that bounces or rejects the message will eventually give up after several attempts. Once a sender has stopped attempting reports for your domain, they may not resume immediately even after the mailbox is fixed — you can lose visibility into TLS issues for days or weeks. Best practices: use a dedicated mailbox (tls-reports@yourdomain.com), not a personal address; configure the mailbox to accept large attachments (5-10MB compressed JSON files); ensure no auto-responder, no out-of-office, no spam filtering that might reject legitimate reports; monitor delivery to that mailbox separately. For high-volume domains, HTTPS endpoints are more reliable than mailto: because they don't depend on the very TLS infrastructure being monitored.

Need TLS-RPT collection and analysis without standing up infrastructure?

Cloud Server for Email's managed infrastructure includes hosted TLS-RPT for every client domain — HTTPS ingestion endpoint, automatic JSON parsing and normalization, weekly failure-pattern review across all client domains, cross-correlation with DMARC aggregate reports. No mailbox, no parsing scripts, no Microsoft rua-flaw workarounds.

Talk to engineering →