---
title: "TLS-RPT Monitoring - Track Email Encryption Failures | DMARC Report"
description: "Monitor TLS connection failures with TLS-RPT reporting. DMARC Report collects, parses, and visualizes TLS-RPT JSON reports so you know when email encryption fails."
image: "https://dmarcreport.com/images/og-default.png"
canonical: "https://dmarcreport.com/tls-rpt/"
---

Encryption Monitoring 

# Know when email encryption fails

TLS-RPT (RFC 8460) tells you when sending servers cannot establish encrypted connections to your domain. DMARC Report collects, parses, and visualizes these reports so nothing fails silently.

[ Start Free Trial → ](https://app.dmarcreport.com/) [View Pricing](/pricing/) 

The Standard 

## What is TLS-RPT?

TLS-RPT (SMTP TLS Reporting) is defined in **RFC 8460**. It provides a mechanism for sending mail servers to report TLS connection failures back to the domain owner - similar to how DMARC aggregate reports work for authentication.

Without TLS-RPT, you have no visibility into whether inbound email connections are actually encrypted. Certificates expire, configurations break, and you never find out until someone complains about missing email.

- Reports are sent as machine-readable JSON by sending servers
- Covers both STARTTLS negotiation failures and MTA-STS violations
- Tells you which sending organizations are affected
- Provides failure counts, types, and receiving MX details

TLS-RPT JSON Report

```json
{
  "organization-name": "Google Inc.",
  "date-range": { "start-datetime": "...", "end-datetime": "..." },
  "policies": [{
    "policy": { "policy-type": "sts" },
    "summary": {
      "total-successful-session-count": 14238,
      "total-failure-session-count": 3
    }
  }]
}
```

Dashboard preview (app.dmarcreport.com / tls-rpt): 99.7% TLS success, 12 failures (24h), 8 reporters.

Failure Breakdown

- Certificate errors: 7 (58%)
- STARTTLS failures: 3 (25%)
- MTA-STS violations: 2 (17%)

Top Failing Receivers

- mx3.legacy-provider.net: 5 failures
- inbound.partner-co.com: 4 failures
- mail.regional-isp.org: 3 failures

Dashboard 

## Visual monitoring for TLS connection health

Raw TLS-RPT JSON becomes a visual dashboard showing connection success rates, failure breakdowns by type, and which receiving servers are having problems - updated as reports arrive.

- 99.7%: Avg. TLS success rate
- Daily: Report ingestion
- Instant: Failure alerts
- Full: Historical trends

Failure Detection 

## Every type of TLS failure, classified

TLS-RPT reports contain machine-readable failure codes. We parse them into human-readable categories so you can act on problems immediately.

### Certificate Expired or Invalid

The receiving server presented a TLS certificate that is expired, self-signed, or does not match the MX hostname. Connections using this certificate may be rejected by strict senders.

### STARTTLS Not Supported

The receiving server does not advertise STARTTLS support. Email from senders that require STARTTLS will not be delivered, and all other connections fall back to plaintext.

### MTA-STS Policy Violation

The connection failed to meet the requirements defined in your MTA-STS policy - wrong MX, missing TLS, or certificate mismatch. The sender refused to deliver.

### DNS Resolution Errors

The sending server could not resolve your MX records or the MTA-STS policy domain. This usually indicates a DNS misconfiguration or propagation delay.

### Connection Timeout

The TLS handshake started but did not complete within the expected time. Common with overloaded servers or network-level interference.

### Downgrade Attempt Detected

A connection that previously succeeded with TLS is now failing - a potential indicator of an active man-in-the-middle stripping encryption from the SMTP session.
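To show how the result types in a report's failure details roll up into categories like those above, this added example (not DMARC Report's code) summarizes one report. Field and result-type names are from RFC 8460; the category grouping, the function names and the sample report are assumptions made here.

```python
import gzip
import json
from collections import Counter

# RFC 8460 result types grouped into the categories listed above.
# The grouping is this example's assumption, not DMARC Report's own mapping.
CERT, STS = "Certificate expired or invalid", "MTA-STS policy violation"
CATEGORY = {
    "starttls-not-supported": "STARTTLS not supported",
    "certificate-host-mismatch": CERT, "certificate-expired": CERT,
    "certificate-not-trusted": CERT, "sts-policy-fetch-error": STS,
    "sts-policy-invalid": STS, "sts-webpki-invalid": STS,
}

def load_report(raw: bytes) -> dict:
    """Decode a report body; gzip-compressed bodies are detected by magic bytes."""
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    return json.loads(raw)

def summarize(report: dict) -> dict:
    """Total the session counts and group failures by category and receiving MX."""
    ok = failed = 0
    by_category, by_mx = Counter(), Counter()
    for policy in report.get("policies", []):
        summary = policy.get("summary", {})
        ok += summary.get("total-successful-session-count", 0)
        failed += summary.get("total-failure-session-count", 0)
        for detail in policy.get("failure-details", []):
            count = detail.get("failed-session-count", 0)
            rtype = detail.get("result-type", "unknown")
            by_category[CATEGORY.get(rtype, f"Other ({rtype})")] += count
            by_mx[detail.get("receiving-mx-hostname", "unknown")] += count
    total = ok + failed
    rate = round(100 * ok / total, 2) if total else None
    return {"reporter": report.get("organization-name"), "success_rate": rate,
            "failed": failed, "by_category": dict(by_category), "by_mx": by_mx.most_common()}

# Constructed sample report (not real data), using RFC 8460 field names.
SAMPLE = json.dumps({"organization-name": "Example Sender", "policies": [{
    "policy": {"policy-type": "sts"},
    "summary": {"total-successful-session-count": 997, "total-failure-session-count": 3},
    "failure-details": [
        {"result-type": "certificate-expired", "receiving-mx-hostname": "mx1.example.com", "failed-session-count": 2},
        {"result-type": "starttls-not-supported", "receiving-mx-hostname": "mx2.example.com", "failed-session-count": 1},
    ]}]}).encode()
```

Result types outside the mapping, such as the DANE ones, are kept under an "Other (...)" label rather than dropped, so an unfamiliar failure still shows up in the totals.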

Setup 

## Three steps to start receiving TLS reports

One DNS record is all it takes. Sending servers that support TLS-RPT will start delivering reports automatically.

1. **Publish a TLS-RPT DNS record.** Add a TXT record at `_smtp._tls.yourdomain.com` that points to DMARC Report. We generate the exact record for you.
2. **Sending servers send JSON reports.** When a sending server encounters a TLS issue delivering to your domain, it generates a JSON report and sends it to the address in your TLS-RPT record.
3. **We parse, visualize, and alert.** DMARC Report ingests the raw JSON, extracts failure details, and presents everything in a visual dashboard with configurable alerts.

Required DNS TXT Record

| Host | Type | Value |
| --- | --- | --- |
| `_smtp._tls.yourdomain.com` | TXT | `v=TLSRPTv1; rua=mailto:tlsrpt@dmarcreport.com` |

Replace `yourdomain.com` with your actual domain.

Defined in RFC 8460 (SMTP TLS Reporting).
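A check for the published record, as an added example that is not DMARC Report's code: it applies the RFC 8460 rules that exactly one `v=TLSRPTv1` record may exist at the name and that `rua` must list `mailto:` or `https:` destinations. The function name is hypothetical, and the input is assumed to be the already-unquoted TXT strings returned by a DNS lookup.

```python
from urllib.parse import urlsplit

def parse_tlsrpt(txt_records):
    """Return the rua URIs from the TXT records found at _smtp._tls.<domain>.

    Raises ValueError with the reason when the policy would be unusable.
    """
    # Other TXT records at the same name are ignored; only TLSRPTv1 ones count.
    candidates = [r.strip() for r in txt_records if r.strip().startswith("v=TLSRPTv1")]
    if len(candidates) != 1:
        # RFC 8460: anything other than exactly one record means "no policy".
        raise ValueError(f"expected exactly one TLSRPTv1 record, found {len(candidates)}")
    fields = [f.strip() for f in candidates[0].split(";") if f.strip()]
    if fields[0] != "v=TLSRPTv1":
        raise ValueError(f"bad version field: {fields[0]!r}")
    tags = {}
    for field in fields[1:]:
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {field!r}")
        tags[key] = value
    if not tags.get("rua"):
        raise ValueError("missing rua= (no destination for reports)")
    uris = [u.strip() for u in tags["rua"].split(",")]
    for uri in uris:
        parts = urlsplit(uri)
        is_mail = parts.scheme == "mailto" and "@" in parts.path
        is_https = parts.scheme == "https" and bool(parts.netloc)
        if not (is_mail or is_https):
            raise ValueError(f"rua must be mailto: or https:, got {uri!r}")
    return uris

# The record shown on this page; the test inputs built around it are constructed.
PAGE_RECORD = "v=TLSRPTv1; rua=mailto:tlsrpt@dmarcreport.com"
```

A second TLS-RPT record left behind after switching report destinations is the failure worth checking for, because senders then treat the domain as having no TLS-RPT policy at all.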

Enforcement 

## MTA-STS enforces

MTA-STS publishes a policy that tells sending servers to require TLS. If a connection cannot be encrypted, the sender refuses to deliver - preventing downgrade attacks and plaintext exposure.

- Requires TLS for all inbound connections
- Validates mail server certificates
- Blocks delivery when encryption fails

[Learn about MTA-STS hosting → ](/mta-sts-hosting/) 

Reporting 

## TLS-RPT reports

TLS-RPT tells you what happened when enforcement was tested. Did the connection succeed? Did TLS negotiation fail? Was the certificate valid? These reports are your feedback loop.

- Reports on every TLS connection attempt
- Categorizes failures by type and severity
- Identifies which senders are affected

Best paired with MTA-STS - enforce and report together.

Availability 

## Available on Shield and above

TLS-RPT monitoring is included in the **Shield plan ($75/mo)** and all higher tiers. No per-domain charges for TLS-RPT ingestion.

Also includes MTA-STS hosting, parked domain protection, and all core DMARC features.

[ View Pricing → ](/pricing/) [Learn about MTA-STS hosting → ](/mta-sts-hosting/) 

## Stop flying blind on email encryption

Start your free trial - add one DNS record and start receiving TLS failure reports in minutes.

[Start Free Trial](https://app.dmarcreport.com/)

## What Teams Say About Our Monitoring

![G2 Leader - DMARC](https://media.mailhop.org/dmarcreport/images/g2-badges/DMARC_Leader_Leader.png)

Rated 4.8/5 on G2 · 469 verified reviews

![G2 Momentum Leader - DMARC](https://media.mailhop.org/dmarcreport/images/g2-badges/DMARC_MomentumLeader_Leader.png)

Zunaid K., Director · 5/5

### "Essential tool for email delivery"

This tool helps us to implement DMARC reporting for our domains in an easy-to-use manner.

8/8/2024 · Verified on G2

Verified User in Information Technology and Services · 5/5

### "Best security tool for your own domains"

The weekly reports help me a lot to analyze quickly the emails sent from my domains and that gives me peace of mind.

8/31/2022 · Verified on G2

Larry H., Research & Development Manager · 5/5

### "Good tool to buy"

I have used many tools for monitoring DMARC reports. But DMARC Report is a good tool to use. It helps avoid sending emails to spam.

8/30/2022 · Verified on G2

[Read all 469 reviews on G2 →](https://www.g2.com/products/dmarc-report/reviews)

