Why is my TLS-RPT not working?

TLS-RPT failures usually come from: 1) No TXT record on _smtp._tls.captaindns.com, 2) Missing or malformed rua tag, 3) Invalid mailto URI (whitespace, missing mailto:), 4) Multiple TLS-RPT records (only one allowed), 5) External rua without _report._tls authorization. Use this checker to pinpoint the exact cause.

What is the difference between the TLS-RPT Checker and the syntax validator?

The TLS-RPT Checker queries DNS to verify the record PUBLISHED on your domain. The syntax validator analyzes a record you paste BEFORE publishing. Recommended workflow: validator, then publish, then checker.

What does 'TLS-RPT record not found' mean?

No TXT record exists on _smtp._tls.captaindns.com. No TLS failure report will be emitted to your domain. Create a TXT record with at least v=TLSRPTv1; rua=mailto:tls-reports@captaindns.com.

Why does the checker find multiple TLS-RPT records?

RFC 8460 mandates ONE TLS-RPT record per domain. Multiple records are ignored by sending MTAs. Remove the duplicates immediately.

What does 'external rua requires authorization' mean?

If your rua points to another domain (e.g. tls-reports@uriports.com), that domain must publish captaindns.com._report._tls.uriports.com TXT v=TLSRPTv1. Without this authorization, reports are rejected. Convention inherited from RFC 7489 §7.1 (DMARC).

Mailto or https for TLS-RPT reports?

mailto: is simpler, reports arrive as email attachments. https: enables automation via webhook. Start with mailto: for visibility, add https: for integration with a monitoring tool. Both can coexist in the same record.

Should I deploy TLS-RPT with MTA-STS?

Yes. MTA-STS enforces encrypted TLS, TLS-RPT reports when enforcement fails. Without TLS-RPT, you will never know that an MTA-STS policy is silently blocking delivery.

What should I do with the JSON reports received via rua?

Receiving MTAs send daily reports as gzipped JSON. You can read them manually, or use third-party tools like Uriports or Postmark to process them automatically. See our [TLS-RPT reports analysis guide](/blog/tls-rpt-report-analysis-guide) for best practices.

How long until a TLS-RPT change is visible?

DNS propagation depends on the TTL. With a TTL of 3600 seconds (1h), allow 1 to 4h. With 86400 (24h), allow 24 to 48h. Lower the TTL before changes to speed up propagation.

Free TLS-RPT Checker - DNS Lookup and Validation

Why check your TLS-RPT

SMTP transport uses TLS opportunistically: if negotiation fails, the connection falls back to cleartext silently. Your emails go out in the clear and nobody warns you. Worse, a man-in-the-middle can actively strip STARTTLS to force that fallback.

TLS-RPT (RFC 8460) does not fix the encryption gap (MTA-STS does), but it finally gives you visibility. Every sending MTA that fails to establish TLS emits a JSON report to the rua address you publish. Without this mechanism, you are blind.

Verifying the configuration before forgetting about it in a corner of DNS is essential:

Missing record → you know nothing about TLS failures, no audit trail
Invalid rua URI → MTAs cannot deliver the reports, they get dropped
No external authorization → if you delegate to a third-party analyzer, its servers reject the reports

Common use cases:

After publishing → confirm the record is correctly propagated
Email security audit → validate TLS coverage and failure visibility
Before MTA-STS enforce → make sure TLS-RPT collects reports during the testing phase

How to use this checker in 3 steps

Step 1: enter the domain to analyze

Type the domain exactly as it appears in your email addresses:

captaindns.com (main domain)
marketing.captaindns.com (subdomain if you send from a subdomain)

The tool automatically queries _smtp._tls.domain, retrieves the published TXT record and resolves external authorization when needed.

Step 2: review the results

The checker displays:

Element	Description
TXT record	Raw content published on `_smtp._tls.domain`
Version	Must be exactly `TLSRPTv1`
rua URIs	Report destinations (mailto, https)
External authorization	Presence of `_report._tls.[third-party]` if rua points elsewhere
Unknown tags	Fields outside RFC 8460, flagged as info
MTA-STS consistency	Presence of an `_mta-sts.domain` companion

Step 3: fix the flagged issues

Results are graded by severity:

Critical → the record is invalid, no report will be sent
Warning → working but exposes risk or partial coverage
Info → non-blocking best practice (unknown tag, MTA-STS missing)

Fix the DNS, wait for propagation, then run the checker again.

What is TLS-RPT

TLS-RPT (SMTP TLS Reporting, RFC 8460) is a mechanism that:

Publishes a report address in DNS for the receiving domain
Asks sending MTAs to emit a JSON report when TLS fails
Provides a trail of encryption failures (expired certificate, downgrade, mismatch)

The architecture is deliberately minimal: a single TXT record published at _smtp._tls.domain, containing the version and one or more rua= URIs.

Example TLS-RPT record:

_smtp._tls.captaindns.com. IN TXT "v=TLSRPTv1; rua=mailto:tls-reports@captaindns.com"

This record tells sending MTAs (Gmail, Outlook, etc.) to send their TLS failure reports to tls-reports@captaindns.com.

Difference with MTA-STS: TLS-RPT is the companion of MTA-STS, not an alternative. MTA-STS enforces TLS encryption, TLS-RPT reports failures. The two protocols live at separate locations (_mta-sts.domain for STS, _smtp._tls.domain for RPT) and work together.

What the checker verifies

Five dimensions are analyzed in parallel to produce a 0-100 score:

Published DNS record

Check	Error if...
TXT present at `_smtp._tls.domain`	No record found
Starts with `v=TLSRPTv1`	Prefix missing or wrong case
Single record	Multiple TLS-RPT TXTs detected
No CNAME	`_smtp._tls` points to a CNAME (forbidden)

Record syntax

Check	Error if...
`v=` tag in first position	Version missing or not first
`rua=` tag present	No destination defined
Exact value `TLSRPTv1`	Variants like `TLSRPT1` or `tlsrptv1`

Reporting URIs

Check	Error if...
`mailto:` valid	Malformed email address, whitespace forbidden
`https:` valid	Missing scheme or malformed URL
At least one URI	Empty `rua` tag

rua quality

The rua URI domain matches the checked domain → no external authorization needed
The domain is different → verify the presence of [domain]._report._tls.[third-party] (cross-domain authorization)
The https URI answers with valid HTTPS (light probe server-side)

Overall hygiene

MTA-STS published in parallel (Hygiene bonus +2)
No unknown tag polluting the record
Policy consistent with the domain mail deployment

Common diagnostics and fixes

Missing record (missing_record)

Cause: no TXT exists at _smtp._tls.captaindns.com.

Fix: publish

_smtp._tls.captaindns.com. IN TXT "v=TLSRPTv1; rua=mailto:tls-reports@captaindns.com"

Missing rua tag (rua_missing)

Cause: the record contains v=TLSRPTv1 but no destination.

Fix: add at least one URI: v=TLSRPTv1; rua=mailto:tls-reports@captaindns.com. Without rua, no MTA will send a report.

Invalid rua URI (rua_invalid_uri)

Cause: the URI is malformed (missing mailto:, whitespace in the address, unknown scheme).

Fix examples:

- rua=tls-reports@captaindns.com         # Missing mailto:
+ rua=mailto:tls-reports@captaindns.com

- rua=mailto: tls-reports@captaindns.com # Whitespace after mailto: forbidden
+ rua=mailto:tls-reports@captaindns.com

Multiple records (multiple_records)

Cause: more than one TLS-RPT TXT exists at _smtp._tls.captaindns.com.

Fix: RFC 8460 §3 mandates a single record. Identify duplicates, keep the one to apply, remove the rest.

CNAME on _smtp._tls (cname_on_smtp_tls)

Cause: _smtp._tls.domain is a CNAME pointing elsewhere.

Fix: the RFC forbids CNAME at this location. Publish a direct TXT instead.

External authorization required (rua_unauthorized_external)

Cause: the rua address uses a domain different from the TLS-RPT domain.

Fix: the receiving domain (e.g. uriports.com) must publish:

captaindns.com._report._tls.uriports.com. IN TXT "v=TLSRPTv1"

This record authorizes report delivery for captaindns.com.

MTA-STS companion missing (mta_sts_companion_missing)

Cause: TLS-RPT is published but MTA-STS is not.

Fix: deploy MTA-STS to give TLS-RPT reports a purpose. See the MTA-STS Checker and the complete guide.

Cross-domain authorization and external rua

RFC 8460 inherits the DMARC convention (RFC 7489 §7.1): a domain cannot ask another domain to receive its reports without explicit consent.

The mechanism

Your domain: captaindns.com rua URI: mailto:tls-reports@uriports.com

The external domain uriports.com must publish:

captaindns.com._report._tls.uriports.com. IN TXT "v=TLSRPTv1"

Without this record, compliant sending MTAs refuse to forward reports to uriports.com (they protect third-party analyzers from redirection abuse).

Common pitfalls

Confusion with DMARC: DMARC uses _report._dmarc.[third-party], TLS-RPT uses _report._tls.[third-party]. Verify the correct prefix.
Multiple watched domains: a multi-tenant analyzer (Postmark, Uriports, Dmarcian, Valimail, Sendmarc) must publish one record per client domain (client1.com._report._tls.postmarkapp.com, client2.com._report._tls.postmarkapp.com, etc.).
No wildcard allowed: an explicit record per (watched domain, analyzer domain) pair is required.
The checker automatically flags external rua entries without published authorization.

TLS-RPT and MTA-STS: combined deployment

The two protocols form defense in depth:

Protocol	Role	Location
MTA-STS	Enforces TLS encryption (RFC 8461)	`_mta-sts.domain` + HTTPS policy
TLS-RPT	Reports failures (RFC 8460)	`_smtp._tls.domain`

Recommended deployment order

Publish TLS-RPT first to collect reports
Deploy MTA-STS in testing mode without blocking delivery
Observe for 2 to 4 weeks the TLS-RPT reports to identify problem MX hosts
Switch MTA-STS to enforce mode when reports are clean
Keep TLS-RPT indefinitely for continuous monitoring

Without MTA-STS: TLS-RPT reports failures but no policy compels sending MTAs to use TLS. You see the problems without being able to prevent them.

Without TLS-RPT: MTA-STS enforces TLS but you will never know that a legitimate MTA is blocked by your policy. Risk of silent non-delivery.

Complementary tools and resources

Tool	Purpose
TLS-RPT Syntax Validator	Validate a record syntax BEFORE publishing
TLS-RPT Generator	Create an RFC 8460 compliant record
MTA-STS Checker	Verify the matching MTA-STS deployment
MTA-STS Hosting	Host your policy for free with managed TLS
DMARC Checker	Complete email authentication with DMARC
DANE TLSA Checker	DNSSEC alternative for TLS security
TLS-RPT Report Analyzer	Decode received JSON reports
TLS-RPT Monitoring	Automatically receive and analyze your TLS-RPT reports

Resources: