Your MTA-STS policy file is live in mode: testing, and you want to know how long to wait — and what to check — before flipping it to mode: enforce, where failing connections start getting dropped instead of just logged.
RFC 8461 defines exactly three values for the policy file's mode field: enforce (senders MUST refuse delivery over a connection that fails MTA-STS validation), testing (senders report failures via TLS-RPT but deliver the mail anyway) and none (the domain isn't currently requesting MTA-STS, mainly used to phase out a prior policy). The standard itself doesn't mandate a minimum testing period, but the practical guidance from mailbox providers who support MTA-STS — most visibly Google — is to run testing for roughly two weeks, long enough to collect a full reporting cycle of TLS-RPT data, before moving to enforce. Source: RFC 8461 §3.1 “mode” field (testing / enforce / none) · verified 2026-07-17; operational guidance: Google Workspace Help — Create an MTA-STS policy.
testing mode with a live TLS-RPT record (see the setup page above) — without TLS-RPT you're testing blind, with no visibility into what would have failed.certificate-host-mismatch or starttls-not-supported failures in your TLS-RPT reports during the testing window — those are exactly what enforce mode would start blocking.mode: testing to mode: enforce.id field in the same change — mode changes are policy-file edits like any other.No. DMARC authenticates who is allowed to send as your domain; TLS-RPT and MTA-STS protect how mail travels in transit between servers. They're complementary, independent DNS records — not substitutes for each other.
They work well together but are independent: TLS-RPT is reporting-only (you find out about failures), MTA-STS is enforcement (failing connections get blocked in enforce mode). Most domains set up TLS-RPT first to see what's actually happening before committing to MTA-STS enforce mode.
TLS-RPT can't break anything — it's report-only. MTA-STS in enforce mode can, if your policy file lists the wrong MX hosts or your mta-sts. subdomain's certificate is invalid — which is exactly why RFC 8461 and every practical guide recommend a testing-mode period first.