TLS-RPT: SMTP TLS Reporting
TLS-RPT (RFC 8460) asks sending servers to send you daily aggregate reports of the TLS sessions they attempted when delivering mail to your domain: how many succeeded, how many failed, and why. It is the visibility complement to MTA-STS (and to DANE, which it reports on as well).
TL;DR
- Publish a single DNS TXT record at _smtp._tls.<your-domain> containing v=TLSRPTv1 and rua= pointing to your reporting mailbox or HTTPS endpoint.
- Senders that support it deliver JSON reports there, normally once a day.
- Tells you when senders could not negotiate TLS to your MX hosts, including when someone in the path is silently stripping STARTTLS.
What it does
MTA-STS lets you require TLS and a valid certificate on the way to your MX hosts, which blocks downgrade attacks. TLS-RPT tells you when a downgrade (or any other TLS failure) was attempted. Together they give you both the lock and the security camera.
Reports are JSON documents (RFC 8460), delivered to the rua target either as an HTTPS POST or as a gzip-compressed attachment on an email, each normally covering one UTC day. A report covers the TLS sessions from one sending organization to your MX hosts in that window, with per-policy success and failure counts and, for each failure, the result type (for example starttls-not-supported or certificate-host-mismatch) and the sending and receiving IP addresses.
TLS-RPT works without MTA-STS, but the value compounds when you have both. Without MTA-STS (or DANE), TLS failures still show up in reports, tagged with policy-type no-policy-found, but nothing enforces TLS, so you can see the attacks but can't block them.
How it works
- Publish a TXT record at _smtp._tls.<your-domain> with v=TLSRPTv1; rua=mailto:tls-reports@<your-domain> (or rua=https://endpoint; several targets can be listed comma-separated).
- Sending servers that implement TLS-RPT look up the record when delivering to you and accumulate the outcome of every TLS attempt to your MX hosts, together with the MTA-STS or DANE policy they applied.
- At the end of each reporting window (normally one UTC day), they POST the JSON report to the HTTPS endpoint or mail it, gzip-compressed, to the mailbox.
- You parse the reports to spot patterns: which sender networks hit TLS problems, which days have spikes, whether your MTA-STS policy is being fetched and honoured.
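The parsing step above, as an added example (not code from this page or from PhishFence): a small Python reader for one report in the RFC 8460 JSON shape. The report is constructed for this example; the sender name, domains, IP addresses and counts are invented, and the grouping of result types into transport versus policy failures is this example's own triage, not something the RFC defines.

```python
import gzip
import json
from collections import Counter, defaultdict

# Constructed sample in the RFC 8460 JSON shape. Sender name, domains, IPs and
# counts are invented for this example.
SAMPLE_REPORT = {
    "organization-name": "Example Sender Inc.",
    "date-range": {"start-datetime": "2024-03-01T00:00:00Z",
                   "end-datetime": "2024-03-01T23:59:59Z"},
    "contact-info": "tls-reports@sender.example",
    "report-id": "2024-03-01T00:00:00Z_yourdomain.com",
    "policies": [
        {"policy": {"policy-type": "sts",
                    "policy-string": ["version: STSv1", "mode: enforce",
                                      "mx: mx1.yourdomain.com", "max_age: 86400"],
                    "policy-domain": "yourdomain.com",
                    "mx-host": ["mx1.yourdomain.com"]},
         "summary": {"total-successful-session-count": 4812,
                     "total-failure-session-count": 3},
         "failure-details": [
             {"result-type": "certificate-host-mismatch", "sending-mta-ip": "203.0.113.7",
              "receiving-mx-hostname": "mx1.yourdomain.com", "receiving-ip": "198.51.100.10",
              "failed-session-count": 2},
             {"result-type": "starttls-not-supported", "sending-mta-ip": "203.0.113.9",
              "receiving-mx-hostname": "mx1.yourdomain.com", "receiving-ip": "198.51.100.10",
              "failed-session-count": 1}]},
        # A sender that found no MTA-STS or DANE policy still reports its counts.
        {"policy": {"policy-type": "no-policy-found", "policy-domain": "yourdomain.com"},
         "summary": {"total-successful-session-count": 17,
                     "total-failure-session-count": 0}},
    ],
}

# Triage buckets for RFC 8460 result types. The grouping is this example's, not
# the RFC's: the first set is what a STARTTLS strip or a bad certificate looks
# like from the sender's side; the second means your own policy is broken.
TRANSPORT_FAILURES = {"starttls-not-supported", "certificate-host-mismatch",
                      "certificate-expired", "certificate-not-trusted", "validation-failure",
                      "tlsa-invalid", "dnssec-invalid", "dane-required"}
POLICY_FAILURES = {"sts-policy-fetch-error", "sts-policy-invalid", "sts-webpki-invalid"}


def load_report(raw: bytes) -> dict:
    """Decode a report body. Mailed reports are application/tlsrpt+gzip, HTTPS
    ones may be plain application/tlsrpt+json, so sniff the gzip magic bytes."""
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    return json.loads(raw.decode("utf-8"))


def sts_mode(policy: dict):
    """Read 'mode: ...' out of an sts policy's policy-string lines, else None."""
    for line in policy.get("policy-string") or []:
        key, _, value = line.partition(":")
        if key.strip() == "mode":
            return value.strip()
    return None


def summarize(report: dict) -> dict:
    """Per-policy view of one report: counts, failure rate, failures grouped by
    result type and by sending IP, and how many fall in each triage bucket."""
    out = {"report-id": report.get("report-id"),
           "reporter": report.get("organization-name"), "policies": []}
    for entry in report.get("policies", []):
        policy, summary = entry.get("policy", {}), entry.get("summary", {})
        ok = int(summary.get("total-successful-session-count", 0))
        bad = int(summary.get("total-failure-session-count", 0))
        by_type, by_ip = Counter(), defaultdict(Counter)
        for f in entry.get("failure-details", []):
            n = int(f.get("failed-session-count", 1))
            by_type[f.get("result-type", "unknown")] += n
            by_ip[f.get("sending-mta-ip", "?")][f.get("receiving-mx-hostname", "?")] += n
        out["policies"].append({
            "policy-type": policy.get("policy-type"),
            "policy-domain": policy.get("policy-domain"),
            "mode": sts_mode(policy),
            "successful": ok,
            "failed": bad,
            "failure-rate": bad / (ok + bad) if ok + bad else 0.0,
            "by-result-type": dict(by_type),
            "by-sending-ip": {ip: dict(c) for ip, c in by_ip.items()},
            "transport-failures": sum(by_type[t] for t in TRANSPORT_FAILURES),
            "policy-failures": sum(by_type[t] for t in POLICY_FAILURES),
        })
    return out


def sample_report_bytes() -> bytes:
    """The constructed report as it would arrive by mail: gzip-compressed JSON."""
    return gzip.compress(json.dumps(SAMPLE_REPORT).encode("utf-8"))
```

Run summarize(load_report(body)) over the attachment bytes of each report you receive. The by-sending-ip map is the part worth alerting on: a single sender IP that suddenly sees starttls-not-supported against an MX that everyone else reaches over TLS is the signature of something sitting in that sender's path, whereas sts-policy-fetch-error from many senders at once points at your own policy host.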
Example record
_smtp._tls.yourdomain.com TXT "v=TLSRPTv1; rua=mailto:tls-reports@yourdomain.com"
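An added example (not code from this page or from PhishFence) that validates a TLS-RPT record value before you publish it, using the record above as its input. The EXAMPLE_RECORD constant and the helper names are assumptions for this example; the rules it enforces (v=TLSRPTv1 first, rua= required, targets must be mailto: or https:) are those of RFC 8460 section 3.

```python
from urllib.parse import urlparse

# The record value as the page's example publishes it (domain is a placeholder).
EXAMPLE_RECORD = "v=TLSRPTv1; rua=mailto:tls-reports@yourdomain.com"


def join_txt_strings(strings) -> str:
    """A TXT RR longer than 255 octets is split into several character-strings
    (dig shows them as separate quoted pieces); concatenate before parsing."""
    return "".join(strings)


def parse_tlsrpt_record(txt: str) -> dict:
    """Validate and parse a TLS-RPT TXT value. Returns the list of rua targets
    plus any extension tags; raises ValueError on anything a sender would
    refuse to honour."""
    tags = [t.strip() for t in txt.split(";")]
    tags = [t for t in tags if t]            # a trailing ';' is allowed
    if not tags or tags[0] != "v=TLSRPTv1":
        raise ValueError("first tag must be exactly v=TLSRPTv1")
    fields = {}
    for tag in tags[1:]:
        key, sep, value = tag.partition("=")
        if not sep:
            raise ValueError(f"malformed tag {tag!r}")
        fields[key.strip()] = value.strip()
    if not fields.get("rua"):
        raise ValueError("rua= is required")
    uris = [u.strip() for u in fields["rua"].split(",") if u.strip()]
    for uri in uris:
        parsed = urlparse(uri)
        if parsed.scheme == "mailto" and "@" in parsed.path:
            continue
        if parsed.scheme == "https" and parsed.netloc:
            continue
        raise ValueError(f"rua target must be mailto: or https:, got {uri!r}")
    # Unknown tags are extensions; keep them so nothing is silently dropped.
    return {"rua": uris,
            "extensions": {k: v for k, v in fields.items() if k != "rua"}}


def is_valid_tlsrpt_record(txt: str) -> bool:
    """True if parse_tlsrpt_record accepts the value."""
    try:
        parse_tlsrpt_record(txt)
        return True
    except ValueError:
        return False
```

After publishing, confirm what resolvers actually see with dig +short TXT _smtp._tls.yourdomain.com and feed the quoted strings it prints to join_txt_strings before parsing; a record that validates in your zone editor but comes back split, truncated or with a stray space inside a URI is a common way to end up with no reports at all.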
Common pitfalls
- Enforcing MTA-STS with no TLS-RPT record: if the policy blocks legitimate mail, you only find out when senders complain. Publish TLS-RPT first, then MTA-STS in testing mode, and move to enforce only once the reports are clean.
- Pointing rua= at a mailbox that auto-deletes everything (e.g. an old internal alias) or that rejects mail from external senders. Reports go to the void; you learn nothing.
- Ignoring the reports. Daily automated mail with no human (or parser) reading it is wasted infrastructure; at a minimum, alert on any non-zero failure count.
Related tools
Want PhishFence to monitor TLS-RPT for your domains?
Sign up free, add a domain, and PhishFence will continuously check TLS-RPT (and the rest of the email-auth stack) for you.