Encryption Monitoring

Know when email encryption fails

TLS-RPT (RFC 8460) tells you when sending servers cannot establish encrypted connections to your domain. DMARC Report collects, parses, and visualizes these reports so nothing fails silently.

The Standard

What is TLS-RPT?

TLS-RPT (SMTP TLS Reporting) is defined in RFC 8460. It provides a mechanism for sending mail servers to report TLS connection failures back to the domain owner — similar to how DMARC aggregate reports work for authentication.

Without TLS-RPT, you have no visibility into whether inbound email connections are actually encrypted. Certificates expire, configurations break, and you never find out until someone complains about missing email.

  • Reports are sent as machine-readable JSON by sending servers
  • Covers both STARTTLS negotiation failures and MTA-STS violations
  • Tells you which sending organizations are affected
  • Provides failure counts, types, and receiving MX details
TLS-RPT JSON Report
{
  "organization-name": "Google Inc.",
  "date-range": { "start-datetime": "...", "end-datetime": "..." },
  "policies": [{
    "policy": { "policy-type": "sts" },
    "summary": {
      "total-successful-session-count": 14238,
      "total-failure-session-count": 3
    }
  }]
}

Dashboard view: app.dmarcreport.com / tls-rpt

  • TLS Success: 99.7%
  • Failures (24h): 12
  • Reporters: 8

Failure Breakdown

  • Certificate errors: 7 (58%)
  • STARTTLS failures: 3 (25%)
  • MTA-STS violations: 2 (17%)

Top Failing Receivers

  • mx3.legacy-provider.net: 5 failures
  • inbound.partner-co.com: 4 failures
  • mail.regional-isp.org: 3 failures

Dashboard

Visual monitoring for TLS connection health

Raw TLS-RPT JSON becomes a visual dashboard showing connection success rates, failure breakdowns by type, and which receiving servers are having problems — updated as reports arrive.

  • Avg. TLS success rate: 99.7%
  • Report ingestion: Daily
  • Failure alerts: Instant
  • Historical trends: Full

Failure Detection

Every type of TLS failure, classified

TLS-RPT reports contain machine-readable failure codes. We parse them into human-readable categories so you can act on problems immediately.

Certificate Expired or Invalid

The receiving server presented a TLS certificate that is expired, self-signed, or does not match the MX hostname. Connections using this certificate may be rejected by strict senders.

STARTTLS Not Supported

The receiving server does not advertise STARTTLS support. Senders that require STARTTLS will not deliver, and connections from all other senders fall back to plaintext.

MTA-STS Policy Violation

The connection failed to meet the requirements defined in your MTA-STS policy — wrong MX, missing TLS, or certificate mismatch. The sender refused to deliver.

DNS Resolution Errors

The sending server could not resolve your MX records or the MTA-STS policy domain. This usually indicates a DNS misconfiguration or propagation delay.

Connection Timeout

The TLS handshake started but did not complete within the expected time. Common with overloaded servers or network-level interference.

Downgrade Attempt Detected

A connection that previously succeeded with TLS is now failing — a potential indicator of an active man-in-the-middle stripping encryption from the SMTP session.
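
The classification described above can be sketched in a few lines. This is an added example, not DMARC Report's own code: the field names and result types come from RFC 8460, while the grouping into categories, the size cap and the sample report are assumptions made for the illustration.

```python
import gzip
import io
import json
from collections import Counter

MAX_BYTES = 1_000_000  # decompressed-size cap: reports come from untrusted senders
# RFC 8460 result types grouped into the page's categories (grouping assumed here).
CATEGORY = {
    "certificate-expired": "certificate", "certificate-host-mismatch": "certificate",
    "certificate-not-trusted": "certificate", "starttls-not-supported": "starttls",
    "sts-policy-fetch-error": "mta-sts", "sts-policy-invalid": "mta-sts",
    "sts-webpki-invalid": "mta-sts", "tlsa-invalid": "dane",
    "dnssec-invalid": "dane", "dane-required": "dane", "validation-failure": "other",
}

def load_report(raw: bytes) -> dict:
    """Decode an application/tlsrpt+gzip or application/tlsrpt+json body."""
    if raw[:2] == b"\x1f\x8b":  # gzip magic bytes
        raw = gzip.GzipFile(fileobj=io.BytesIO(raw)).read(MAX_BYTES + 1)
    if len(raw) > MAX_BYTES:
        raise ValueError("TLS-RPT report exceeds size cap")
    return json.loads(raw)

def summarize(report: dict) -> dict:
    ok = failed = 0
    by_category, by_mx = Counter(), Counter()
    for entry in report.get("policies", []):
        summary = entry.get("summary", {})
        ok += int(summary.get("total-successful-session-count", 0))
        failed += int(summary.get("total-failure-session-count", 0))
        for detail in entry.get("failure-details", []):
            n = int(detail.get("failed-session-count", 0))
            # Unknown result types stay visible instead of being dropped.
            by_category[CATEGORY.get(detail.get("result-type"), "unclassified")] += n
            by_mx[detail.get("receiving-mx-hostname", "unknown")] += n
    total = ok + failed
    return {"reporter": report.get("organization-name"),
            "success_rate": round(100 * ok / total, 2) if total else None,
            "failures": failed, "by_category": dict(by_category), "by_mx": dict(by_mx)}

# Constructed sample report (not real data), gzip-compressed as RFC 8460 recommends.
SAMPLE = gzip.compress(json.dumps({
    "organization-name": "Example Sender", "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "example.com"},
        "summary": {"total-successful-session-count": 14238, "total-failure-session-count": 3},
        "failure-details": [
            {"result-type": "certificate-expired", "receiving-mx-hostname": "mx1.example.com", "failed-session-count": 2},
            {"result-type": "starttls-not-supported", "receiving-mx-hostname": "mx2.example.com", "failed-session-count": 1}]}]
}).encode())
print(summarize(load_report(SAMPLE)))
```
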

Setup

Three steps to start receiving TLS reports

One DNS record is all it takes. Sending servers that support TLS-RPT will start delivering reports automatically.

1. Publish a TLS-RPT DNS record

Add a TXT record at _smtp._tls.yourdomain.com that points to DMARC Report. We generate the exact record for you.

2. Sending servers send JSON reports

When a sending server encounters a TLS issue delivering to your domain, it generates a JSON report and sends it to the address in your TLS-RPT record.

3. We parse, visualize, and alert

DMARC Report ingests the raw JSON, extracts failure details, and presents everything in a visual dashboard with configurable alerts.

DNS TXT Record

Required DNS Record

  • Host: _smtp._tls.yourdomain.com
  • Type: TXT
  • Value: v=TLSRPTv1; rua=mailto:tlsrpt@dmarcreport.com

Replace yourdomain.com with your actual domain.

Defined in: RFC 8460 (SMTP TLS Reporting)

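
A quick way to check a published record before relying on it, written as an added example rather than DMARC Report's tooling. It applies the RFC 8460 rules that senders follow when reading _smtp._tls TXT answers; the function names and the sample TXT values other than the page's record are constructed for the illustration.

```python
from __future__ import annotations
from urllib.parse import urlsplit

def select_tlsrpt_record(txt_values: list[str]) -> str | None:
    """RFC 8460 section 3: TXT values not beginning with "v=TLSRPTv1;" are
    discarded; unless exactly one remains, senders assume no TLS-RPT."""
    candidates = [v for v in txt_values if v.startswith("v=TLSRPTv1;")]
    return candidates[0] if len(candidates) == 1 else None

def check_tlsrpt(txt_values: list[str]) -> list[str]:
    """Return the problems found; an empty list means the record is usable."""
    record = select_tlsrpt_record(txt_values)
    if record is None:
        return ["need exactly one TXT value beginning with 'v=TLSRPTv1;'"]
    fields = dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)
    rua = fields.get("rua", "")
    problems = [] if rua else ["missing rua= destination"]
    for uri in filter(None, (u.strip() for u in rua.split(","))):
        parts = urlsplit(uri)
        ok = (parts.scheme == "mailto" and "@" in parts.path) or \
             (parts.scheme == "https" and bool(parts.netloc))
        if not ok:
            problems.append(f"unsupported or malformed rua URI: {uri}")
    return problems

# Constructed TXT answers for _smtp._tls.<domain> (hypothetical domains).
SAMPLES = {
    "page's record": ["v=TLSRPTv1; rua=mailto:tlsrpt@dmarcreport.com"],
    "two records": ["v=TLSRPTv1; rua=mailto:a@example.com",
                    "v=TLSRPTv1; rua=mailto:b@example.com"],
    "missing scheme": ["v=TLSRPTv1; rua=tlsrpt@example.com"],
    "plain http": ["v=TLSRPTv1; rua=http://reports.example.com/tlsrpt"],
}

if __name__ == "__main__":
    for name, values in SAMPLES.items():
        print(f"{name}: {check_tlsrpt(values) or 'OK'}")
```

Two TLS-RPT records at the same name are the easy mistake to make when moving between reporting providers: senders then treat the domain as having no TLS-RPT at all.
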
Enforcement

MTA-STS enforces

MTA-STS publishes a policy that tells sending servers to require TLS. If a connection cannot be encrypted, the sender refuses to deliver — preventing downgrade attacks and plaintext exposure.

  • Requires TLS for all inbound connections
  • Validates mail server certificates
  • Blocks delivery when encryption fails
Reporting

TLS-RPT reports

TLS-RPT tells you what happened when enforcement was tested. Did the connection succeed? Did TLS negotiation fail? Was the certificate valid? These reports are your feedback loop.

  • Reports on every TLS connection attempt
  • Categorizes failures by type and severity
  • Identifies which senders are affected
Best paired with MTA-STS — enforce and report together.
Availability

Available on Shield and above

TLS-RPT monitoring is included in the Shield plan ($75/mo) and all higher tiers. No per-domain charges for TLS-RPT ingestion.

Also includes MTA-STS hosting, parked domain protection, and all core DMARC features.

Stop flying blind on email encryption

Start your free trial — add one DNS record and start receiving TLS failure reports in minutes.


What Teams Say About Our Monitoring

G2 Leader — DMARC

Rated 4.8/5 on G2 · 469 verified reviews

G2 Momentum Leader — DMARC

Zunaid K.

Director

5/5

"Essential tool for email delivery"

This tool helps us to implement DMARC reporting for our domains in an easy to use manner.

8/8/2024 Verified on G2

Verified User in Information Technology and Services

5/5

"Best security tool for your own domains"

The weekly reports help me a lot to analyze quickly the emails sent from my domains and that gives me peace of mind.

8/31/2022 Verified on G2

Larry H.

Research & Development Manager

5/5

"Good tool to buy"

I have used many tools for monitoring DMARC reports. But DMARC Report is a good tool to use. It helps avoid sending emails to spam.

8/30/2022 Verified on G2