How to set up TLS-RPT (the “_smtp._tls” record)

You want visibility into failed opportunistic TLS connections to your mail server — the encryption-in-transit half of email security that DMARC doesn't cover — but aren't sure what DNS record actually enables it.

Check your domain first — 10 seconds, free, no signup.
See your DMARC policy, SPF lookup count and every issue explained in plain English.
Run the free check →

What this means

TLS-RPT (RFC 8460) is a separate reporting mechanism from DMARC: it reports on STARTTLS/TLS negotiation failures between mail servers, not on DKIM/SPF/DMARC authentication. It's enabled by publishing a TXT record at _smtp._tls.<yourdomain> with the value v=TLSRPTv1; rua=mailto:you@yourdomain (or an HTTPS rua endpoint). The single most common setup mistake is writing _smtp-tls (hyphen) instead of _smtp._tls (dot) — a typo that silently means no sending mail server will ever find your record, with zero error and zero reports. Source: RFC 8460 §3 “The _smtp._tls TXT Record” · verified 2026-07-17.

What to do about it

Step 1. Publish exactly one TXT record at _smtp._tls.yourdomain.com with v=TLSRPTv1; rua=mailto:you@yourdomain (or your monitoring tool's rua address).
Step 2. Double-check the label is _smtp._tls — two labels separated by a dot, not a hyphen.
Step 3. If you already run DMARC, this is a second, independent record — it doesn't replace or modify your _dmarc record.
Step 4. Wait for the next reporting cycle (typically 24h) after publishing, then confirm reports arrive at the rua address.

Frequently asked

Do TLS-RPT and MTA-STS replace DMARC?

No. DMARC authenticates who is allowed to send as your domain; TLS-RPT and MTA-STS protect how mail travels in transit between servers. They're complementary, independent DNS records — not substitutes for each other.

Do I need both TLS-RPT and MTA-STS, or just one?

They work well together but are independent: TLS-RPT is reporting-only (you find out about failures), MTA-STS is enforcement (failing connections get blocked in enforce mode). Most domains set up TLS-RPT first to see what's actually happening before committing to MTA-STS enforce mode.

Will either of these break mail delivery if I get it wrong?

TLS-RPT can't break anything — it's report-only. MTA-STS in enforce mode can, if your policy file lists the wrong MX hosts or your mta-sts. subdomain's certificate is invalid — which is exactly why RFC 8461 and every practical guide recommend a testing-mode period first.

Don't want to babysit DNS records?
DMARCKeeper monitors your reports, names every sender, and walks you to full p=reject protection.
Start free monitoring →