What is TLS-RPT and why validate syntax?
TLS-RPT (SMTP TLS Reporting), defined in RFC 8460, gives you visibility into TLS failures on mail sent to your domain. When a sending mail server cannot establish or validate a TLS connection to your MX hosts, or cannot fetch and apply your MTA-STS policy, the sender records the failure and delivers an aggregate report to the address or endpoint named in your TLS-RPT record. Without that record, those failures are visible only to the sender.
Syntax validation matters because:
- A sending server that cannot parse your record treats your domain as not implementing TLS-RPT, and nothing on your side logs that decision
- You receive no reports if the syntax is wrong, so a broken record is indistinguishable from a domain with no TLS problems
- A typo in a reporting URI sends your failure data to the wrong place, or nowhere
- RFC 8460 is strict about the record: senders discard any TXT record at _smtp._tls that does not begin with v=TLSRPTv1; and require exactly one to remain, so two published records are the same as none
TLS-RPT record format explained
Basic structure
v=TLSRPTv1; rua=mailto:tlsrpt@captaindns.com
| Component | Required | Description |
|---|---|---|
| v=TLSRPTv1 | Yes | Version identifier; must be exactly "TLSRPTv1" (case-sensitive) and must be the first field |
| rua= | Yes | One or more reporting URIs for aggregate reports, mailto: or https:, separated by commas |
Reporting URI formats
Email (mailto:)
rua=mailto:tlsrpt@captaindns.com
HTTPS webhook
rua=https://tlsrpt.captaindns.com/v1/report
Multiple URIs
rua=mailto:tlsrpt@captaindns.com,https://api.captaindns.com/tlsrpt
Common syntax errors
Missing version tag
# Wrong - missing v=TLSRPTv1
rua=mailto:tlsrpt@captaindns.com
# Correct
v=TLSRPTv1; rua=mailto:tlsrpt@captaindns.com
Invalid version string
# Wrong - incorrect version
v=TLSRPT1; rua=mailto:tlsrpt@captaindns.com
# Correct
v=TLSRPTv1; rua=mailto:tlsrpt@captaindns.com
Malformed URI
# Wrong - missing mailto: scheme
v=TLSRPTv1; rua=tlsrpt@captaindns.com
# Correct
v=TLSRPTv1; rua=mailto:tlsrpt@captaindns.com
Invalid email in mailto URI
# Wrong - invalid email format
v=TLSRPTv1; rua=mailto:tlsrpt@
# Correct
v=TLSRPTv1; rua=mailto:tlsrpt@captaindns.com
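The checks behind the errors listed above are small enough to show in full. The following is an added example written for this page, not the validator's own code or anything from CaptainDNS: it parses a record against the RFC 8460 grammar (version first, at least one field, rua= with mailto: or https: URIs, extension tags as tag=value) and also applies the sender-side selection rule from section 3 of the RFC, which is what makes a second published record fatal. captaindns.com is reused from the page's own examples; the resolver answers at the bottom are constructed, and the mailbox regex is a pragmatic check, not a full RFC 5322 parser.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Version string, record owner name and allowed URI schemes from RFC 8460 section 3.
TLSRPT_VERSION = "v=TLSRPTv1"
ALLOWED_SCHEMES = {"mailto", "https"}

# tlsrpt-ext-name = (ALPHA / DIGIT) *31(ALPHA / DIGIT / "_" / "-" / ".")
_EXT_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,31}$")
# tlsrpt-ext-value = 1*(%x21-3A / %x3C / %x3E-7E): printable ASCII without "=", ";" or space
_EXT_VALUE = re.compile(r"^[\x21-\x3A\x3C\x3E-\x7E]+$")
# Pragmatic mailbox check for the addr-spec of a mailto: URI (dotted domain required).
# "!" is deliberately excluded: RFC 8460 requires it to be percent-encoded inside a URI.
_ADDR_SPEC = re.compile(r"^[A-Za-z0-9.#$%&'*+/=?^_`{|}~-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def record_name(domain: str) -> str:
    """Owner name of the TXT record a sender queries: _smtp._tls.<domain>."""
    return "_smtp._tls." + domain.strip(".").lower()


def select_tlsrpt_record(txt_records: list) -> Optional[str]:
    """Sender-side rule of RFC 8460 section 3: discard TXT records that do not begin
    with "v=TLSRPTv1;" and, unless exactly one remains, treat the domain as not
    implementing TLS-RPT (so two published records mean no reports at all)."""
    candidates = [r for r in txt_records if re.match(r"v=TLSRPTv1\s*;", r)]
    return candidates[0] if len(candidates) == 1 else None


def _check_uri(uri: str) -> list:
    """Errors for one rua= URI; an empty list means acceptable."""
    if not uri:
        return ["empty reporting URI (stray comma in rua=)"]
    if "!" in uri:
        return [f'"{uri}": "!" must be percent-encoded as %21 inside a reporting URI']
    parsed = urlparse(uri)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return [f'"{uri}": reporting URI must use the mailto: or https: scheme']
    if parsed.scheme == "mailto":
        if not _ADDR_SPEC.match(parsed.path):
            return [f'"{uri}": not a valid mailbox address']
    elif not parsed.netloc:
        return [f'"{uri}": https URI has no host']
    return []


def validate_tlsrpt(record: str) -> tuple:
    """Validate one TLS-RPT TXT record value. Returns (errors, warnings): a record with
    no errors is syntactically valid; warnings are things compliant senders ignore."""
    errors, warnings = [], []
    # field-delim = *WSP ";" *WSP, and a single trailing ";" is allowed by the ABNF.
    fields = [f.strip() for f in record.strip().split(";")]
    if len(fields) > 1 and fields[-1] == "":
        fields.pop()
    if fields[0] == TLSRPT_VERSION:
        fields = fields[1:]
    else:
        errors.append(f'record must begin with "{TLSRPT_VERSION}" (exact, case-sensitive)')
        fields = [f for f in fields if not f.lower().startswith("v=")]  # keep checking the rest
    if not any(f.startswith("rua=") for f in fields):
        errors.append('missing required "rua=" field')
    for field in fields:
        if "=" not in field:
            errors.append(f'"{field}" is not a tag=value field')
            continue
        tag, value = field.split("=", 1)
        if tag == "rua":
            for uri in value.split(","):
                errors.extend(_check_uri(uri.strip()))
        elif not _EXT_NAME.match(tag) or not _EXT_VALUE.match(value):
            errors.append(f'malformed extension field "{field}"')
        else:
            warnings.append(f'unknown tag "{tag}" is ignored by senders; check it is not a typo')
    return errors, warnings


if __name__ == "__main__":
    for candidate in [
        "v=TLSRPTv1; rua=mailto:tlsrpt@captaindns.com",
        "rua=mailto:tlsrpt@captaindns.com",
        "v=TLSRPT1; rua=mailto:tlsrpt@captaindns.com",
        "v=TLSRPTv1; rua=tlsrpt@captaindns.com",
        "v=TLSRPTv1; rua=mailto:tlsrpt@",
        "v=TLSRPTv1; rua=mailto:tlsrpt@captaindns.com,https://api.captaindns.com/tlsrpt",
    ]:
        errs, warns = validate_tlsrpt(candidate)
        print(f"{candidate!r}: {'OK' if not errs else errs}{' ' + str(warns) if warns else ''}")
    # Constructed resolver answer with two TLS-RPT records: senders see no policy at all.
    print(select_tlsrpt_record(["v=TLSRPTv1; rua=mailto:a@captaindns.com",
                                "v=TLSRPTv1; rua=mailto:b@captaindns.com"]))
```

Unknown tags are returned as warnings rather than errors because RFC 8460 tells senders to ignore extensions they do not understand; in practice an unknown tag is almost always a misspelled rua=, which then leaves the record without any reporting address.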
Setting up TLS-RPT
Step 1: Choose reporting destination
Decide where to receive reports:
- Email address: Simple setup, manual review
- HTTPS endpoint: Automated processing, requires development
- Third-party service: Managed solution with dashboards
Step 2: Generate the record
Use our TLS-RPT Generator to create a properly formatted record.
Step 3: Validate syntax
Paste the generated record into this validator before publishing. Fix any errors reported.
Step 4: Publish to DNS
Add a TXT record at _smtp._tls.captaindns.com (replace captaindns.com with your own domain) with your validated record value. Publish exactly one TLS-RPT record: senders treat a domain with two as having none.
Step 5: Verify publication
Use our TLS-RPT Record Checker to confirm the record is live and correctly configured.
TLS-RPT and MTA-STS integration
TLS-RPT is designed to work with MTA-STS (Mail Transfer Agent Strict Transport Security). Together they provide:
| Protocol | Purpose |
|---|---|
| MTA-STS | Enforces TLS encryption for incoming mail |
| TLS-RPT | Reports on TLS connection failures |
Recommended setup:
- Configure TLS-RPT first, so that reports arrive as soon as senders start evaluating your policy
- Deploy MTA-STS with mode: testing
- Monitor the reports for failures (expired or mismatched certificates, MX hosts without STARTTLS, policy fetch errors)
- Switch MTA-STS to mode: enforce when the reports are clean
FAQ - Frequently asked questions
Q: What is a TLS-RPT record?
A: A TLS-RPT (SMTP TLS Reporting) record is a DNS TXT record that tells mail servers where to send reports about TLS connection failures. Defined in RFC 8460, it works alongside MTA-STS to help you monitor email encryption issues. The record specifies one or more reporting URIs that receive daily aggregate reports.
Q: What is the correct TLS-RPT syntax?
A: A valid TLS-RPT record starts with v=TLSRPTv1; followed by rua= and one or more reporting URIs. Example: v=TLSRPTv1; rua=mailto:tlsrpt@captaindns.com. You can specify multiple URIs separated by commas. Each URI must use mailto: or https: scheme.
Q: What errors does this tool detect?
A: The validator catches: a missing or incorrect version tag (must be exactly TLSRPTv1 and come first), a missing rua= tag, reporting URIs with a scheme other than mailto: or https:, malformed email addresses in mailto: URIs, syntax errors in the tag=value; record format, and unknown tags. Compliant senders ignore unknown tags, but an unknown tag is usually a misspelled rua=, which leaves the record with no usable reporting address.
Q: Can I use multiple reporting addresses?
A: Yes, TLS-RPT supports multiple reporting URIs. Separate them with commas in the rua= tag. Example: v=TLSRPTv1; rua=mailto:reports@captaindns.com,https://tlsrpt.captaindns.com/report. Each URI receives the same aggregate reports.
Q: What's the difference between mailto and https URIs?
A: mailto: URIs receive reports as gzip-compressed JSON email attachments (media type application/tlsrpt+gzip). https: URIs receive the same gzip-compressed JSON as an HTTP POST to a webhook endpoint. Email is simpler to set up, while HTTPS allows automated processing. Most organizations start with mailto: and add HTTPS later.
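Both delivery methods carry the same payload, so the "automated processing" mentioned above is the same code whether it runs behind a webhook or on a mailbox. The following is an added example written for this page, not code from CaptainDNS or from RFC 8460: it builds the gzip-compressed JSON body a sending MTA would POST (or attach), then decodes it on the receiving side and reduces it to the numbers an operator needs when deciding to move MTA-STS from testing to enforce. The report content is constructed for illustration and follows the JSON layout of RFC 8460 section 4; the organization name, sender.example, the IP addresses and the session counts are made up.

```python
import gzip
import json
from collections import Counter

# Constructed sample report in the JSON layout of RFC 8460 section 4. The sender name,
# hosts, addresses and counts are made up for this example.
SAMPLE_REPORT = {
    "organization-name": "Example Sender Inc",
    "date-range": {"start-datetime": "2024-05-01T00:00:00Z",
                   "end-datetime": "2024-05-01T23:59:59Z"},
    "contact-info": "tlsrpt@sender.example",
    "report-id": "2024-05-01T00:00:00Z_captaindns.com",
    "policies": [{
        "policy": {
            "policy-type": "sts",
            "policy-string": ["version: STSv1", "mode: testing",
                              "mx: mx1.captaindns.com", "mx: mx2.captaindns.com",
                              "max_age: 86400"],
            "policy-domain": "captaindns.com",
        },
        "summary": {"total-successful-session-count": 5326,
                    "total-failure-session-count": 303},
        "failure-details": [
            {"result-type": "certificate-expired", "sending-mta-ip": "192.0.2.10",
             "receiving-mx-hostname": "mx1.captaindns.com", "failed-session-count": 100},
            {"result-type": "starttls-not-supported", "sending-mta-ip": "192.0.2.11",
             "receiving-mx-hostname": "mx2.captaindns.com", "receiving-ip": "203.0.113.56",
             "failed-session-count": 200},
            {"result-type": "sts-policy-fetch-error", "sending-mta-ip": "192.0.2.12",
             "receiving-mx-hostname": "mx1.captaindns.com", "failed-session-count": 3},
        ],
    }],
}

CONTENT_TYPE = "application/tlsrpt+gzip"  # media type of the gzip-compressed JSON report


def encode_report(report: dict) -> bytes:
    """What the sending MTA transmits: the JSON report, gzip-compressed. Over https: this
    is the POST body (Content-Type: application/tlsrpt+gzip); over mailto: the same bytes
    are the attachment on the report email."""
    return gzip.compress(json.dumps(report).encode("utf-8"))


def summarize_report(payload: bytes) -> dict:
    """Receiving side: decompress, parse and reduce the report to what an operator acts on."""
    report = json.loads(gzip.decompress(payload).decode("utf-8"))
    summary = {"report-id": report["report-id"],
               "reporter": report["organization-name"],
               "policies": []}
    for entry in report["policies"]:
        policy, totals = entry["policy"], entry["summary"]
        # The MTA-STS mode the sender applied is only visible inside the policy-string lines.
        mode = next((line.split(":", 1)[1].strip()
                     for line in policy.get("policy-string", []) if line.startswith("mode:")), None)
        by_type, by_mx = Counter(), Counter()
        for detail in entry.get("failure-details", []):
            by_type[detail["result-type"]] += detail["failed-session-count"]
            by_mx[detail.get("receiving-mx-hostname", "unknown")] += detail["failed-session-count"]
        ok, failed = totals["total-successful-session-count"], totals["total-failure-session-count"]
        summary["policies"].append({
            "domain": policy["policy-domain"],
            "policy-type": policy["policy-type"],
            "mode": mode,
            "successful": ok,
            "failed": failed,
            "failure-rate": round(failed / (ok + failed), 4) if ok + failed else 0.0,
            "by-result-type": dict(by_type),
            "by-mx": dict(by_mx),
            # sts-* result types point at the receiving domain's own MTA-STS publication
            # rather than at one MX; those must be fixed before switching to enforce.
            "policy-errors": sum(n for t, n in by_type.items() if t.startswith("sts-")),
        })
    return summary


if __name__ == "__main__":
    body = encode_report(SAMPLE_REPORT)
    print(f"POST body: {len(body)} bytes, Content-Type: {CONTENT_TYPE}")
    print(json.dumps(summarize_report(body), indent=2))
```

Grouping failures by result type and by MX host is what turns a daily report into an action: certificate-expired on one MX is a renewal task for that host, starttls-not-supported is a misconfigured or intercepted listener, and any sts-* count means senders had trouble with the policy you published rather than with your mail servers.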
Q: Do I need TLS-RPT if I have MTA-STS?
A: TLS-RPT is strongly recommended with MTA-STS. MTA-STS tells senders to require TLS and a valid certificate; TLS-RPT tells you when they could not comply, and it reports DANE (TLSA) failures as well if you publish TLSA records. Without TLS-RPT, you won't know that senders are failing to connect securely, and in enforce mode that means mail that never arrives. Both records work together for complete visibility.
Complementary tools
| Tool | Purpose |
|---|---|
| TLS-RPT Record Checker | Validate live DNS record configuration |
| TLS-RPT Generator | Create RFC 8460 compliant records |
| MTA-STS Record Checker | Verify MTA-STS policy deployment |
| MTA-STS Generator | Create MTA-STS policy and DNS records |
| Email Domain Check | Complete email authentication audit |
Useful resources
- RFC 8460 - SMTP TLS Reporting (official specification)
- RFC 8461 - MTA-STS (companion protocol)
- Google Postmaster - TLS Reporting (implementation guide)