How to use this TLS-RPT generator
Step 1: Add reporting destinations
Enter where you want to receive TLS failure reports:
Email (recommended for starting)
mailto:tlsrpt@captaindns.com
HTTPS webhook (for automation)
https://tlsrpt.captaindns.com/v1/report
You can add multiple destinations - reports go to all of them.
Step 2: Copy the generated record
The generator creates a valid RFC 8460 record:
v=TLSRPTv1; rua=mailto:tlsrpt@captaindns.com
Step 3: Publish to DNS
Create a TXT record at _smtp._tls.captaindns.com with the generated value.
Example for captaindns.com:
- Type: TXT
- Host: _smtp._tls
- Value: v=TLSRPTv1; rua=mailto:tlsrpt@captaindns.com
Step 4: Verify publication
Use our TLS-RPT Record Checker to confirm correct configuration.
TLS-RPT record format
Required components
| Component | Format | Example |
|---|---|---|
| Version | v=TLSRPTv1 | Must be exactly this |
| Reporting URI | rua=scheme:destination | rua=mailto:reports@captaindns.com |
URI schemes supported
mailto: - Email delivery
rua=mailto:security-team@captaindns.com
Reports arrive as gzip-compressed JSON attachments (media type application/tlsrpt+gzip).
https: - Webhook delivery
rua=https://api.captaindns.com/tlsrpt/ingest
Reports are POSTed as gzip-compressed JSON with Content-Type: application/tlsrpt+gzip; an uncompressed report uses application/tlsrpt+json, so an endpoint should accept both.
Multiple destinations
Separate destinations with commas. Because the comma is the list delimiter (and the semicolon ends a field), RFC 8460 requires any comma, semicolon or exclamation mark inside a URI itself to be percent-encoded:
v=TLSRPTv1; rua=mailto:reports@captaindns.com,https://tlsrpt.captaindns.com/report
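Steps 1 and 2 of the generator and the format rules above, as an added Python example (not the generator's own code): build_record assembles a record from the destinations a user entered, percent-encoding the delimiter characters RFC 8460 forbids inside a rua URI, and parse_record reads a published value back, flagging a wrong or misplaced version tag, a missing rua, or a scheme other than mailto: or https:. The function names and the dict parse_record returns are our own.

```python
"""Build and validate RFC 8460 TLS-RPT records (added example for this page).

Not the generator's own code: function names and the dict returned by
parse_record are our own choices.
"""
from __future__ import annotations

from urllib.parse import urlsplit

VERSION_TAG = "v=TLSRPTv1"
# RFC 8460 requires these to be percent-encoded inside a rua URI, because
# ';' ends a field and ',' separates destinations.
RESERVED_IN_URI = {",": "%2C", "!": "%21", ";": "%3B"}


def encode_uri(uri: str) -> str:
    """Percent-encode the delimiter characters that may not appear raw in a rua URI."""
    for ch, enc in RESERVED_IN_URI.items():
        uri = uri.replace(ch, enc)
    return uri


def validate_uri(uri: str) -> list[str]:
    """Return the problems with one rua destination (empty list if acceptable)."""
    problems: list[str] = []
    parts = urlsplit(uri)
    if parts.scheme == "mailto":
        addr = parts.path
        if addr.count("@") != 1 or addr.startswith("@") or addr.endswith("@"):
            problems.append(f"mailto destination is not an address: {uri}")
    elif parts.scheme == "https":
        if not parts.netloc:
            problems.append(f"https destination has no host: {uri}")
    else:
        # RFC 8460 defines only the mailto: and https: transports; plain http: is not one.
        problems.append(f"unsupported scheme {parts.scheme!r} in {uri}")
    return problems


def build_record(destinations: list[str]) -> str:
    """Steps 1 and 2: turn the destinations a user entered into a record value."""
    if not destinations:
        raise ValueError("at least one reporting destination is required")
    uris = [encode_uri(d.strip()) for d in destinations]
    problems = [p for uri in uris for p in validate_uri(uri)]
    if problems:
        raise ValueError("; ".join(problems))
    return f"{VERSION_TAG}; rua={','.join(uris)}"


def parse_record(txt: str) -> dict:
    """Parse a published TXT value into {'rua': [...], 'extensions': {...}, 'errors': [...]}."""
    result: dict = {"rua": [], "extensions": {}, "errors": []}
    fields = [f.strip() for f in txt.split(";")]
    if len(fields) > 1 and fields[-1] == "":
        fields.pop()  # the ABNF permits one trailing ';'
    # The version tag is case-sensitive and must come first.
    if fields[0] != VERSION_TAG:
        result["errors"].append("record must begin with exactly 'v=TLSRPTv1'")
        return result
    for field in fields[1:]:
        name, sep, value = field.partition("=")
        if not sep:
            result["errors"].append(f"malformed field: {field!r}")
            continue
        if name == "rua":
            for uri in value.split(","):
                uri = uri.strip()
                result["errors"].extend(validate_uri(uri))
                result["rua"].append(uri)
        else:
            # Consumers must ignore unknown fields; keep them so an operator can see them.
            result["extensions"][name] = value
    if not result["rua"]:
        result["errors"].append("no rua destination present")
    return result


if __name__ == "__main__":
    record = build_record(["mailto:tlsrpt@captaindns.com",
                           "https://tlsrpt.captaindns.com/v1/report"])
    print(record)
    print(parse_record(record))
```

To check a live record (Step 4), fetch the TXT value at _smtp._tls.<your domain> with dig and pass it to parse_record; a TXT value longer than 255 bytes comes back as several quoted chunks that must be concatenated first.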
External reporting authorization
When reporting to a different domain, no DNS authorization record is required by the standard.
Scenario
Your domain: captaindns.com
Report destination: mailto:reports@tlsrpt-service.com
What the standard requires
RFC 8460 defines no DNS-based authorization of external report destinations; this differs from DMARC, where the destination domain must publish a _report._dmarc record. Sending MTAs deliver TLS-RPT reports to every rua destination you list without consulting tlsrpt-service.com's DNS, so a record such as captaindns.com._report._tls.tlsrpt-service.com TXT "v=TLSRPTv1" is not looked up by senders. Some report-processing services still ask you to confirm the destination address during their own onboarding; follow their instructions rather than publishing a DNS record.
Using same-domain reporting
If you prefer not to rely on a third party, use an address on your own domain:
v=TLSRPTv1; rua=mailto:tlsrpt@captaindns.com
DNS provider examples
Cloudflare
- Go to DNS settings for your domain
- Add record:
  - Type: TXT
  - Name: _smtp._tls
  - Content: Your generated record value
  - TTL: Auto
AWS Route 53
- Open hosted zone for your domain
- Create record:
  - Record name: _smtp._tls
  - Record type: TXT
  - Value: "v=TLSRPTv1; rua=mailto:tlsrpt@captaindns.com"
  - TTL: 3600
OVH / Google Domains
- Go to DNS settings
- Add custom record:
  - Host name: _smtp._tls
  - Type: TXT
  - TTL: 3600
  - Data: Your generated record value
Complete email security setup
TLS-RPT is part of comprehensive email transport security:
1. MTA-STS (Enforce TLS)
Tells sending servers to require TLS encryption.
2. TLS-RPT (Report failures)
Reports when TLS enforcement fails.
- Use this generator
- Check TLS-RPT status
3. Recommended deployment
- Deploy MTA-STS with mode: testing
- Add TLS-RPT to receive reports
- Monitor reports for 2-4 weeks
- Switch MTA-STS to mode: enforce
- Continue monitoring via TLS-RPT
Understanding TLS-RPT reports
Report structure
{
"organization-name": "Google Inc.",
"date-range": {
"start-datetime": "2024-01-15T00:00:00Z",
"end-datetime": "2024-01-16T00:00:00Z"
},
"contact-info": "postmaster@google.com",
"report-id": "2024011512345",
"policies": [{
"policy": {
"policy-type": "sts",
"policy-string": ["version: STSv1", "mode: enforce", "mx: mail.captaindns.com", "max_age: 604800"],
"policy-domain": "captaindns.com"
},
"summary": {
"total-successful-session-count": 8432,
"total-failure-session-count": 3
},
"failure-details": [{
"result-type": "certificate-expired",
"sending-mta-ip": "198.51.100.1",
"receiving-mx-hostname": "mail.captaindns.com",
"failed-session-count": 3
}]
}]
}
Key fields explained
| Field | Meaning |
|---|---|
| organization-name | Sending organization |
| date-range | 24-hour reporting period |
| total-successful-session-count | TLS connections that worked |
| total-failure-session-count | TLS connections that failed |
| result-type | Failure reason (certificate-expired, sts-policy-invalid, etc.) |
| sending-mta-ip | IP address of the sending MTA whose sessions failed |
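Decoding a delivered report, as an added Python example (not the generator's code or any sender's): decode_report accepts a body as an HTTPS POST or a mail attachment carries it, checking the two media types RFC 8460 defines (application/tlsrpt+gzip and application/tlsrpt+json, as noted under URI schemes above), and summarize rolls each policy domain up by result-type and sending IP so a mode: testing deployment can be judged before switching to enforce. The sample report embedded below is constructed for this page, modelled on the report structure shown above; the summary keys are our own.

```python
"""Decode and summarize an RFC 8460 TLS-RPT report (added example for this page).

Not the generator's code or any reporter's: the sample below is constructed
to mirror the report structure shown above, and the summary shape is ours.
"""
from __future__ import annotations

import gzip
import json
from collections import Counter, defaultdict

# Media types RFC 8460 defines for HTTPS POST delivery; mail attachments use the gzip one.
GZIP_TYPE = "application/tlsrpt+gzip"
JSON_TYPE = "application/tlsrpt+json"

# Constructed sample report (same shape as the example report on this page).
SAMPLE_REPORT = {
    "organization-name": "Example Sender Inc.",
    "date-range": {"start-datetime": "2024-01-15T00:00:00Z",
                   "end-datetime": "2024-01-16T00:00:00Z"},
    "contact-info": "postmaster@sender.example",
    "report-id": "2024011512345@sender.example",
    "policies": [{
        "policy": {
            "policy-type": "sts",
            "policy-string": ["version: STSv1", "mode: enforce",
                              "mx: mail.captaindns.com", "max_age: 604800"],
            "policy-domain": "captaindns.com",
        },
        "summary": {"total-successful-session-count": 8432,
                    "total-failure-session-count": 3},
        "failure-details": [
            {"result-type": "certificate-expired", "sending-mta-ip": "198.51.100.1",
             "receiving-mx-hostname": "mail.captaindns.com", "failed-session-count": 2},
            {"result-type": "sts-policy-fetch-error", "sending-mta-ip": "198.51.100.7",
             "receiving-mx-hostname": "mail.captaindns.com", "failed-session-count": 1},
        ],
    }],
}


def encode_sample(compress: bool = True) -> bytes:
    """Package the sample the way a reporter sends it: JSON, gzip-compressed by default."""
    raw = json.dumps(SAMPLE_REPORT).encode("utf-8")
    return gzip.compress(raw) if compress else raw


def decode_report(content_type: str, body: bytes) -> dict:
    """Decode a report body from an HTTPS POST or a mail attachment, checking its media type."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type == GZIP_TYPE:
        body = gzip.decompress(body)
    elif media_type != JSON_TYPE:
        raise ValueError(f"unexpected Content-Type {content_type!r}")
    report = json.loads(body.decode("utf-8"))
    for key in ("organization-name", "date-range", "report-id", "policies"):
        if key not in report:
            raise ValueError(f"report is missing required field {key!r}")
    return report


def policy_mode(policy: dict) -> str | None:
    """Pull 'mode' out of an MTA-STS policy-string list (None for DANE or no policy)."""
    for line in policy.get("policy-string", []):
        name, sep, value = line.partition(":")
        if sep and name.strip() == "mode":
            return value.strip()
    return None


def summarize(report: dict) -> dict:
    """Roll each policy domain up: session counts, failure rate, and who failed for what reason."""
    out = {}
    for entry in report["policies"]:
        policy = entry["policy"]
        counts = entry["summary"]
        ok = counts["total-successful-session-count"]
        failed = counts["total-failure-session-count"]
        by_type: Counter = Counter()
        by_ip: dict = defaultdict(Counter)
        for detail in entry.get("failure-details", []):
            n = detail.get("failed-session-count", 0)
            by_type[detail["result-type"]] += n
            by_ip[detail.get("sending-mta-ip", "unknown")][detail["result-type"]] += n
        total = ok + failed
        out[policy["policy-domain"]] = {
            "policy-type": policy["policy-type"],
            "mode": policy_mode(policy),
            "successful": ok,
            "failed": failed,
            "failure-rate": failed / total if total else 0.0,
            "by-result-type": dict(by_type),
            "by-sending-ip": {ip: dict(c) for ip, c in by_ip.items()},
            # Failures the sender counted but gave no detail for: worth noticing.
            "unattributed-failures": failed - sum(by_type.values()),
        }
    return out


if __name__ == "__main__":
    report = decode_report(GZIP_TYPE, encode_sample())
    for domain, s in summarize(report).items():
        print(f"{domain}: {s['policy-type']}/{s['mode']} "
              f"{s['failed']}/{s['successful'] + s['failed']} failed "
              f"({s['failure-rate']:.2%}) {s['by-result-type']}")
```

A webhook receiver would call decode_report with the request's Content-Type header and raw body; for mailto delivery, pass the attachment's media type and bytes. Grouping by sending IP separates a single misbehaving sender from a problem on your side, such as the expired certificate in the sample, which every sender would report.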
FAQ - Frequently asked questions
Q: What is TLS-RPT and why do I need it?
A: TLS-RPT (SMTP TLS Reporting, RFC 8460) is a protocol in which you publish a DNS TXT record telling sending mail servers where to report TLS connection failures. When a sending server cannot establish a secure connection to your domain, or finds your MTA-STS or DANE policy unusable, it sends you a report with the details. Without it, you have no visibility into encryption failures affecting email delivery.
Q: Where do I publish the generated record?
A: Publish the generated record as a TXT record at _smtp._tls.captaindns.com. This works with any DNS provider including Cloudflare, Route53, GoDaddy, OVH, etc.
Q: Can I use an external email for reporting?
A: Yes. RFC 8460 defines no DNS authorization record for external destinations (unlike DMARC), so if you report to reports@analyzer.com for captaindns.com, sending servers deliver the reports without checking analyzer.com's DNS; a record at captaindns.com._report._tls.analyzer.com is not required. The analyzer service may still ask you to confirm the address through its own setup. Alternatively, use an address on your own domain.
Q: Should I use mailto or https for reporting?
A: mailto: is simpler - reports arrive as compressed email attachments. https: enables automation via webhooks. Start with mailto: for visibility, add https: for monitoring tool integration. You can use both simultaneously.
Q: What format are the reports in?
A: TLS-RPT reports are JSON documents, typically gzip-compressed. They include: reporting organization, date range, policy information (MTA-STS/DANE), session counts (success/failure), and failure details. Reports are sent approximately every 24 hours.
Q: Do I need MTA-STS to use TLS-RPT?
A: While TLS-RPT can work standalone, it's most useful with MTA-STS. MTA-STS enforces TLS encryption, TLS-RPT reports on enforcement. We recommend deploying MTA-STS in testing mode, adding TLS-RPT, monitoring, then enforcing.
Complementary tools
| Tool | Purpose |
|---|---|
| TLS-RPT Syntax Checker | Validate record before publishing |
| TLS-RPT Record Checker | Verify live DNS configuration |
| MTA-STS Generator | Create MTA-STS policy |
| MTA-STS Record Checker | Verify MTA-STS deployment |
| Email Domain Check | Complete authentication audit |
Useful resources
- RFC 8460 - SMTP TLS Reporting (official specification)
- RFC 8461 - MTA-STS (companion protocol)
- Google - Configure TLS reporting
- Postfix - TLS documentation