---
title: "What is TLS-RPT: Understanding The Reporting Mechanism Which Helps Ensure Encrypted Email Delivery | DuoCircle"
description: "Join the thousands of organizations that use DuoCircle Find out how affordable it is for your organization today and be pleasantly surprised.Interested in"
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/resources/what-is-tls-rpt/"
---


#  What is TLS-RPT: Understanding The Reporting Mechanism Which Helps Ensure Encrypted Email Delivery 


TLS-RPT lets email-sending applications report the TLS connectivity problems they experience.


_SMTP TLS Reporting is a reporting standard that ensures secure email delivery_. An SMTP TLS report contains the sender’s perspective covering the following aspects:

- The SMTP TLS negotiation (STARTTLS)
- DNS zone signing (DANE and DNSSEC)
- MTA-STS policy

SMTP TLS-RPT becomes more valuable and more usable when combined with [MTA-STS](https://www.uriports.com/blog/mta-sts-explained/), because the enforced mode of MTA-STS makes **email undeliverable** if there are issues with TLS.

![dmarc records](https://media.mailhop.org/duocircle/images/2021/01/dmarc-wizard.png) 

### The Origin of SMTP TLS

The SMTP email protocol did not support encryption of email in transit when it was introduced in the early ’80s. **TLS encryption** was added later, in the standard known as RFC 3207. Later, _SMTP TLS was implemented in the form of the STARTTLS SMTP command_.

### The Need For SMTP TLS-RPT

MTA-STS was introduced in RFC 8461, and organizations that choose to implement it can ensure that emails are not delivered and are returned to the sender if TLS fails. SMTP TLS reports notify the domain owner if there are TLS issues during mail delivery. Other advantages of TLS-RPT include:

- It provides mandatory [TLS encryption](https://www.csoonline.com/article/3246212/what-is-ssl-tls-and-how-this-encryption-protocol-works.html), while MTA-STS protects the domain owner against SMTP downgrade.
- Users receive timely feedback reports, and the user is notified if a message fails to deliver.
- _Provides complete visibility of the email channels_: The domain owners are aware of each activity on their domain.
- It eliminates the delivery issues: The users can quickly identify the problem’s source and implement measures to fix it at the earliest.

### How Does TLS-RPT Work?

- TLS reports support the MTA-STS protocol, which _ensures the encryption of emails before delivering them_. The [Mail Transfer Agent](https://en.wikipedia.org/wiki/Message%5Ftransfer%5Fagent) (MTA) starts negotiating with the receiving mail server to ascertain whether it supports the **STARTTLS command**. If the receiving server supports it, _the sender MTA encrypts the email with TLS and delivers it to the receiving MTA_.
- The negotiation between the sending and receiving MTA is a crucial milestone in the journey of an email. _Malicious actors try to take advantage of this situation by downgrading the SMTP, which blocks the negotiations_. At that point, the sending server concludes that the receiving MTA doesn’t support the STARTTLS command. Hence, it sends the **email without encrypting** it with TLS, leaving the contents exposed for attackers to see.
- It becomes mandatory for organizations that implement MTA-STS on their domain to encrypt the messages before delivering them. In case there is an attempt to downgrade the SMTP, the email will not get forwarded. Thus, an enterprise with MTA-STS ensures that there is TLS encryption on all their outgoing emails, a critical element in safeguarding communications and enhancing [third-party risk management](https://sprinto.com/blog/third-party-risk-management/), since many emails involve vendors, partners, and external service providers.
- _TLS-RPT protocol notifies the domain owner whenever the sent emails from their domain face deliverability issues_. In case there is a failure of email delivery because of an SMTP downgrade, the domain owner gets a report, which is in a JSON file format, and contains all the details of the failed emails. It ensures user privacy because these reports **do not provide details** about the contents of the email.

### How to Enable SMTP TLS reporting?

- Users need to add a DNS record of the TXT type into the subdomain `_smtp._tls.[domain]` if they want to enable TLS-RPT. For example, `_smtp._tls.sampledomain.com`.
- The MTA supporting [SMTP TLS reporting](https://www.hardenize.com/blog/smtp-tls-reporting-tls-rpt) will check if this DNS record exists before sending the email to the receiver’s domain. If the DNS record exists, it will send periodic reports to the domain owner about whether the email was delivered successfully, or if there was a failure to deliver it.
- A typical SMTP TLS-RPT DNS record will look like this:

`v=TLSRPTv1; rua=mailto:tlsrpt@in.sampledomain.com`

(Please note the similarity of the syntax with the [DMARC record](/email/dmarc).)

- The TLS-RPT record is a key-value string that separates each key from its value with an equals (=) character. It separates the key-value pairs with semicolons and ignores any whitespace. The two keys are:  
   - “v”: the version indicator; it is the primary key-value pair within the record.  
   - “rua”: the address to which the reports need to be delivered. It allows multiple values, separated by commas.
- The “rua” value specifies the used scheme, which can either be https: or mailto: for TLS-RPT. The https: scheme will require an HTTPS-enabled server possessing a valid certificate for the domain. The mailto: scheme resembles the one used in DMARC and specifies the address which will receive the reports.
- There can be multiple delivery endpoints in the rua value, separated by a comma. A user can choose to use both delivery schemes together. Example of a combined rua scheme:

`v=TLSRPTv1; rua=mailto:tlsrpt@in.sampledomain1.com,https://tlsrpt.sampledomain2.com/v1`
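The record syntax described above can be checked before it is published. The following parser is an added example, not DuoCircle's code; the function names are hypothetical, and the rules that `v` comes first and that exactly one matching TXT record must exist are taken from RFC 8460 rather than from this page.

```python
# Added example: validate a TLS-RPT TXT record before publishing it.
ALLOWED_SCHEMES = ("mailto:", "https:")


def parse_tlsrpt_record(txt: str) -> dict:
    """Parse one TLS-RPT TXT record into {'version': ..., 'rua': [...]}."""
    pairs = []
    for field in txt.split(";"):
        field = field.strip()          # whitespace around fields is ignored
        if not field:
            continue                   # tolerate a trailing semicolon
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"field without '=': {field!r}")
        pairs.append((key.strip(), value.strip()))
    # RFC 8460: the version field must be the first field in the record.
    if not pairs or pairs[0] != ("v", "TLSRPTv1"):
        raise ValueError("record must start with v=TLSRPTv1")
    if [k for k, _ in pairs].count("rua") != 1:
        raise ValueError("exactly one rua field is required")
    rua = [u.strip() for u in dict(pairs)["rua"].split(",") if u.strip()]
    if not rua:
        raise ValueError("rua lists no endpoints")
    for uri in rua:
        if not uri.lower().startswith(ALLOWED_SCHEMES):
            raise ValueError(f"unsupported rua scheme: {uri!r}")
    return {"version": "TLSRPTv1", "rua": rua}


def select_record(txt_records):
    """Return the parsed TLS-RPT record among a name's TXT records, else None."""
    candidates = [t for t in txt_records if t.strip().startswith("v=TLSRPTv1")]
    # RFC 8460: anything other than exactly one record means "no TLS-RPT".
    return parse_tlsrpt_record(candidates[0]) if len(candidates) == 1 else None
```

Feed `select_record` every TXT string found at `_smtp._tls.[domain]`; a duplicated record is a common reason reports silently stop arriving.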

[![dmarc records](https://www.duocircle.com/wp-content/uploads/2021/01/dmarc-tls-rpt.jpg)](/wp-content/uploads/2021/01/dmarc-tls-rpt.jpg)

### What Is The Format Of The TLS Report?

The domain owner receives the SMTP TLS reports in the JSON format, and it contains the following information:

- Each report has a unique identifier.
- It contains the date range of the collection of results.
- Name and contact information of the reporting party.
- Various policy results which contain detail of the supported policies, including:  
   - SMTP TLS negotiation (STARTTLS)  
   - DNS zone signing (DNSSEC, DANE)  
   - MTA-STS policy
- While some reports may only contain errors, others may include successful sessions.
- Domain owners may receive multiple reports in a day, which depends on the number of email services that attempted to deliver email and the email traffic volume.
- An aggregator service combines and analyses the reports.

### What Are The Different Types Of Failure?

SMTP TLS reporting reports failures for TLS negotiation, MTA-STS, and DNS zone signing.

#### TLS negotiation failures

- **starttls-not-supported:** The receiving MTA does not support the STARTTLS command.
- **certificate-host-mismatch:** The receiving MTA’s certificate does not match the hostname.
- **certificate-not-trusted:** The sender does not trust the certificate that the receiving MTA supplied.
- **certificate-expired:** The receiving MTA’s certificate is expired.
- **validation-failure:** General validation failures other than the ones mentioned above.

#### MTA-STS related failures

- **sts-policy-fetch-error:** The sender could not fetch the [MTA-STS policy](https://support.google.com/a/answer/9276511?hl=en) over HTTPS.
- **sts-policy-invalid:** It indicates a syntax error in the policy, preventing the validation of the MTA-STS policy.
- **sts-webpki-invalid:** It means the failure to fetch the MTA-STS policy due to PKI validation issues.

#### DNS related failures

- **tlsa-invalid:** It indicates a TLSA record validation error.
- **dnssec-invalid:** It shows the inability of the recursive resolver to return a valid record.
- **dane-required:** It suggests that the sending domain requires [DANE TLSA records](https://tools.ietf.org/id/draft-dukhovni-dane-ops-00.html) of the destination domain (MX hosts), but it could not find any DNSSEC-validated TLSA records.

There are several protocols to establish encrypted channels between the Simple Mail Transfer Protocol (SMTP) MTAs, for example, DANE TLSA, STARTTLS, and MTA-STS. However, these protocols can lead to undelivered messages or delivery through unauthenticated channels due to misconfiguration or a potential attack. _The SMTP TLS-RPT is a reporting mechanism that allows the sending systems to share crucial statistics about the possible failures on recipient domains_. Thus, the recipients and senders can use this information to diagnose malicious configurations and detect potential attacks.
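To show how a domain owner can turn a received report into something actionable, here is an added example (not DuoCircle's code) that totals failures by the three groups listed above and flags MX hosts reported as `starttls-not-supported`. The JSON field names follow RFC 8460; the sample report, its values and the function name are constructed for illustration.

```python
from collections import Counter

# Result types grouped as in the failure lists above.
GROUPS = {
    "tls-negotiation": ["starttls-not-supported", "certificate-host-mismatch",
                        "certificate-not-trusted", "certificate-expired",
                        "validation-failure"],
    "mta-sts": ["sts-policy-fetch-error", "sts-policy-invalid",
                "sts-webpki-invalid"],
    "dns": ["tlsa-invalid", "dnssec-invalid", "dane-required"],
}
GROUP_OF = {rt: g for g, rts in GROUPS.items() for rt in rts}

# Constructed sample report (field names per RFC 8460; all values invented).
SAMPLE_REPORT = {
    "organization-name": "Example Sender",
    "contact-info": "tlsrpt@sender.example",
    "report-id": "constructed-0001",
    "date-range": {"start-datetime": "2021-01-23T00:00:00Z",
                   "end-datetime": "2021-01-23T23:59:59Z"},
    "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "sampledomain.com"},
        "summary": {"total-successful-session-count": 120,
                    "total-failure-session-count": 9},
        "failure-details": [
            {"result-type": "certificate-expired", "failed-session-count": 4,
             "receiving-mx-hostname": "mx1.sampledomain.com"},
            {"result-type": "starttls-not-supported", "failed-session-count": 3,
             "receiving-mx-hostname": "mx2.sampledomain.com"},
            {"result-type": "sts-policy-fetch-error", "failed-session-count": 2},
        ],
    }],
}


def summarize(report: dict) -> dict:
    """Total sessions, failures per group, and MX hosts to check for downgrade."""
    ok = failed = 0
    by_group, suspects = Counter(), set()
    for entry in report.get("policies", []):
        summary = entry.get("summary", {})
        ok += summary.get("total-successful-session-count", 0)
        failed += summary.get("total-failure-session-count", 0)
        for d in entry.get("failure-details", []):
            rtype = d.get("result-type", "")
            by_group[GROUP_OF.get(rtype, "other")] += d.get("failed-session-count", 0)
            # An MX that normally offers STARTTLS but is reported as lacking it
            # is either misconfigured or seeing the downgrade described above.
            if rtype == "starttls-not-supported":
                suspects.add(d.get("receiving-mx-hostname", "unknown"))
    return {"report_id": report.get("report-id"), "successful": ok,
            "failed": failed, "by_group": dict(by_group),
            "check_for_downgrade": sorted(suspects)}
```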



```json
[{"@context":"https://schema.org","@type":"WebPage","name":"What is TLS-RPT: Understanding The Reporting Mechanism Which Helps Ensure Encrypted Email Delivery","description":"Join the thousands of organizations that use DuoCircle Find out how affordable it is for your organization today and be pleasantly surprised.Interested in ","url":"https://www.duocircle.com/resources/what-is-tls-rpt/","speakable":{"@type":"SpeakableSpecification","cssSelector":[".page-answer",".duo-rich-text p:first-of-type"]},"dateModified":"2025-09-23T13:47:00.000Z","datePublished":"2021-01-24T21:02:51.000Z"},{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"DuoCircle","item":"https://www.duocircle.com/"},{"@type":"ListItem","position":2,"name":"What is TLS-RPT: Understanding The Reporting Mechanism Which Helps Ensure Encrypted Email Delivery","item":"https://www.duocircle.com/resources/what-is-tls-rpt/"}]}]
```
