Simple Mail Transfer Protocol (SMTP) Transport Layer Security (TLS) reports let you monitor delivery of your sent/outbound email to a receiving domain. They provide feedback and data on how many of your messages were delivered successfully using TLS and how many were not. This data is critical if you are to identify and fix any issues along a message's pathway, which can help improve your email delivery rates. When properly configured, recipient domains will send you encrypted TLS reports, allowing you to proactively pinpoint and address delivery problems.
SMTP TLS Reporting (TLS-RPT) also allows senders to share information about security issues when connecting to incoming email systems. Typically working in tandem with the MTA-STS standard, TLS-RPT reports provide the following information in JSON format:
- Potential pathway attacks
- MTA-STS policy handling issues
- Possible causes of delivery failures
- Unresponsive servers and unsuccessful connections
- Expired certificates and certificates not validated by certification authorities
- Deployment of the latest SMTP transport security protocols
TLS-RPT reports help both recipients and senders diagnose malicious configurations and detect potential attacks. By utilizing TLS-RPT, you stay informed about any TLS-related delivery issues and can resolve them quickly.
How to Set Up SMTP TLS-RPT Reports
To enable SMTP TLS Reporting, you need to add a proper DNS record. The record should include the following:
- v: Set to TLSRPTv1
- rua: Contains the location to send reports to
We provide more details about setting up SMTP TLS reports here.
Below are different examples of SMTP TLS report options:
Example 1: Email Report Configuration
If you want to receive reports via email, set up the TXT record like this:
_smtp._tls.example.com IN TXT "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"
In this example, all TLS reports will be sent to tlsrpt@example.com. Make sure that this mailbox is monitored and capable of handling large volumes of reports if needed.
Example 2: HTTPS Report Configuration
To receive reports via HTTPS, you can use a reporting endpoint like this:
_smtp._tls.example.com IN TXT "v=TLSRPTv1; rua=https://reporting.example.com/tlsrpt"
This configuration will send reports to the specified HTTPS endpoint. Ensure that your server is properly set up to accept and process POST requests containing JSON-formatted reports.
Example 3: Multiple Reporting URIs
You can specify multiple reporting URIs to receive reports at different destinations:
_smtp._tls.example.com IN TXT "v=TLSRPTv1; rua=mailto:tlsrpt@example.com, https://reporting.example.com/tlsrpt"
In this example, reports will be sent to both the email address and the HTTPS endpoint. This can be useful for redundancy or for different teams to access the reports.
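A pre-publication check for records like the three above, as an added example (not code from this page or from RFC 8460). The function names parse_tlsrpt and select_policy are hypothetical, and the plain-http sample record is constructed to show a rejected value.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"mailto", "https"}  # the two rua schemes used on this page


def parse_tlsrpt(txt):
    """Return the rua URIs of one TLS-RPT TXT value, or raise ValueError."""
    fields = [f.strip() for f in txt.split(";") if f.strip()]
    # The version tag must be the first field, spelled exactly.
    if not fields or fields[0] != "v=TLSRPTv1":
        raise ValueError("record must start with v=TLSRPTv1")
    tags = {}
    for field in fields[1:]:
        name, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed field {field!r}")
        tags[name.strip()] = value.strip()
    if "rua" not in tags:
        raise ValueError("missing rua tag")
    uris = [u.strip() for u in tags["rua"].split(",")]
    for uri in uris:
        parts = urlsplit(uri)
        if parts.scheme not in ALLOWED_SCHEMES:
            raise ValueError(f"unsupported rua scheme in {uri!r}")
        if parts.scheme == "https" and not parts.netloc:
            raise ValueError(f"https rua without a host: {uri!r}")
        if parts.scheme == "mailto" and "@" not in parts.path:
            raise ValueError(f"mailto rua without an address: {uri!r}")
    return uris


def select_policy(txt_values):
    """Pick the TLS-RPT record among all TXT values at _smtp._tls.<domain>."""
    # RFC 8460: unless exactly one TXT value begins with v=TLSRPTv1, senders
    # treat the domain as not using TLS-RPT, so a duplicate disables reporting.
    candidates = [t for t in txt_values if t.strip().startswith("v=TLSRPTv1")]
    if len(candidates) != 1:
        raise ValueError(f"expected 1 TLS-RPT record, found {len(candidates)}")
    return parse_tlsrpt(candidates[0])


if __name__ == "__main__":
    # Constructed TXT values: one from the page, one with a plain-http rua.
    for txt in ("v=TLSRPTv1; rua=mailto:tlsrpt@example.com",
                "v=TLSRPTv1; rua=http://reporting.example.com/tlsrpt"):
        try:
            print("ok ", select_policy([txt]))
        except ValueError as err:
            print("bad", err)
```

Pass select_policy every TXT value returned for _smtp._tls.<your domain>, since a leftover second TLS-RPT record is a common reason reports never arrive.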
For a technical breakdown of SMTP TLS Reporting, refer to RFC 8460.