Logo
Free TLS-RPT Checker Tool

TLS-RPT Checker

Enter any domain to check its TLS-RPT configuration. We validate the DNS record, inspect report destinations, and confirm that sending servers know where to send encrypted delivery failure reports.

What Your Results Mean

Understanding Your TLS-RPT Check

Here's what each result means and what to do next.

TLS-RPT Pass

Your TLS reporting is properly configured

A passing result means your TLS-RPT record is published correctly and sending servers know where to deliver TLS failure reports. To get the most value from TLS-RPT, make sure MTA-STS is also configured. Without MTA-STS, most senders will not generate reports because they silently fall back to plaintext instead of enforcing TLS.

  • Valid TLS-RPT record found
  • Report destination is configured
  • Record syntax is correct
  • Report URI is reachable
Check Your MTA-STSRun a Full Audit
Common TLS-RPT Issues

Common TLS-RPT Problems and How to Fix Them

These are the TLS-RPT problems we see most often. If your check flagged any of these, here's what they mean and how to fix them.

No TLS-RPT Record Found

No visibility into encrypted delivery

Without a TLS-RPT record, sending servers that encounter TLS connection problems with your mail servers have nowhere to report them. You will not know when encrypted delivery fails, when certificates expire, or when configuration changes break TLS. Publishing a record is straightforward: add a TXT record at _smtp._tls.yourdomain.com with your version and reporting URI.

No TXT record at _smtp._tls.yourdomain.comSending servers have nowhere to report TLS failuresFix: publish a TLS-RPT TXT record with your report destination
How to set up TLS-RPT (Coming Soon)

TLS-RPT Without MTA-STS

Reports without enforcement

TLS-RPT tells senders where to send reports, but most senders only generate reports when a policy (MTA-STS or DANE) requires encrypted delivery. Without MTA-STS, a sender that encounters a TLS error will silently fall back to plaintext and deliver the email unencrypted. No failure means no report. To get meaningful TLS-RPT data, you need MTA-STS telling senders that TLS is required.

Without MTA-STS, most senders silently fall back to plaintextSenders only report failures when a policy requires TLSFix: configure MTA-STS to enforce encrypted delivery
Check your MTA-STS

Unreachable Report Destination

Reports sent but never received

Your TLS-RPT record points to a report destination, but that destination may not be receiving reports. This happens when the email address has a full mailbox, the HTTPS endpoint returns errors, or the domain in the mailto: address has its own delivery issues. The result is the same: senders generate reports but you never see them. Check that your report destination is active and capable of receiving JSON-formatted TLS reports.

The mailto: or https: destination is not accepting reportsReports are being generated but you are not receiving themFix: verify the destination mailbox or endpoint is active
How to configure report destinations (Coming Soon)

Record Syntax Errors

Small errors break the whole record

TLS-RPT records have a simple format, but even small syntax errors can make them unparseable. The record must start with v=TLSRPTv1 and include at least one rua= directive with a valid mailto: or https: URI. Common mistakes include missing semicolons, spaces in the wrong places, or using rua without the required URI scheme prefix. Most DNS providers also have character limits for TXT records, which can truncate long URIs.

Missing version tag (v=TLSRPTv1)Malformed rua= URI (must be mailto: or https:)Fix: verify record matches the v=TLSRPTv1; rua=mailto:... format
TLS-RPT record format (Coming Soon)
Why It Matters

Why TLS-RPT Matters for Your Business

TLS-RPT is the reporting layer for encrypted email delivery. Without it, TLS failures are invisible and you have no way to verify that your encrypted connections are working.

Encrypted Delivery Fails Silently

When a sending server cannot establish a TLS connection with your mail servers, the failure is invisible to you. Without TLS-RPT, you have no way to know that emails are being delivered in plaintext or not delivered at all. TLS-RPT gives you the reports you need to catch these failures.

Certificate Problems Go Undetected

Expired, misconfigured, or mismatched TLS certificates on your mail servers break encrypted delivery. Without TLS-RPT, you only discover certificate problems when someone reports a missing email or a security audit flags the issue. TLS reports surface these problems the day they happen.

MTA-STS Becomes Guesswork Without It

If you have MTA-STS configured, TLS-RPT is essential for knowing whether it is working. Without TLS reports, you cannot see how many connections are succeeding, how many are failing, or why. You are enforcing a policy with no visibility into its effects.

Compliance Requires Visibility

Security frameworks and compliance audits increasingly expect organizations to demonstrate encrypted email delivery. TLS-RPT provides the evidence: daily reports from major senders showing that your TLS connections are working and that failures are being tracked.
See How iO DMARC Helps
Complete Protocol Coverage

Check Your Full Email Authentication with iO™ DMARC

SPF is one piece of the puzzle. Use these tools to check the rest of your email authentication stack.

SPF

SPF Checker

Validate your SPF record and confirm which servers are authorized to send on your behalf. SPF handles sender authorization, TLS-RPT monitors the secure delivery path.

Check SPF
DKIM

DKIM Checker

Verify your DKIM signature to make sure outgoing emails are cryptographically signed. DKIM ensures content integrity, TLS-RPT ensures connection security is reported.

Check DKIM
DMARC

DMARC Checker

Check your DMARC policy and alignment. DMARC aggregate reports cover authentication, TLS-RPT covers encryption. Together they give you full visibility.

Check DMARC
BIMI

BIMI Checker

See if your domain qualifies to display your brand logo in supported inboxes. BIMI is the visible payoff of a fully authenticated, securely delivered email stack.

Check BIMI
MTA-STS

MTA-STS Checker

Check whether your domain enforces encrypted email delivery. MTA-STS is the enforcement policy, TLS-RPT is the reporting layer that tells you when it fails.

Check MTA-STS
Email Audit

Email Authentication Audit

Get a complete picture of your SPF, DKIM, DMARC, BIMI, and MTA-STS configuration in one report. See what’s working, what’s broken, and what to fix first.

Run Free Audit

Ready to secure your email domain?

TLS-RPT shows you where delivery security breaks. iO™ DMARC monitors that and every other layer for you.

Get Started with iO™ DMARCSchedule a Demo
Learn More

Learn About TLS-RPT

Want to go deeper? These guides explain what TLS-RPT reports contain, how to act on them, and why MTA-STS is essential for generating useful data.

Understanding TLS-RPT Reports

What the JSON reports contain, how to interpret failure codes like certificate errors and handshake failures, and what action to take when you see them.
Read the guide (Coming Soon)

Why TLS-RPT Needs MTA-STS

TLS-RPT only generates useful data when a policy requires encrypted delivery. Without MTA-STS, senders fall back to plaintext silently and never send a report. Check whether your MTA-STS is in place.
Check your MTA-STS

Managed TLS Reporting

Don't want to parse raw JSON reports yourself? iO DMARC collects your TLS-RPT data, translates it into readable dashboards, and alerts you when encrypted delivery fails.
Learn more
See How We Can Help

Ready to Monitor Your Encrypted Email Delivery?

Found issues with your TLS-RPT configuration? Or just want someone to turn raw JSON reports into actionable alerts? Let's talk.

Want Eyes on Every Encrypted Connection?

iO™ DMARC configures TLS-RPT on your domain, parses the incoming reports, and surfaces the TLS handshake failures hiding in your mail stream, so broken encryption does not quietly cost you mail.

See iO™ DMARC in Action
Certificate expiry and TLS failure alerts
Daily report aggregation from Google, Microsoft, and Yahoo
Plaintext fallback detection
MTA-STS setup and policy hosting included