
TLS-RPT & MTA-STS Checker

Check your TLS encryption policies and reporting configuration for secure email delivery.

Checks MTA-STS and TLS-RPT records

No login required for preview. GDPR-friendly.

What Are TLS-RPT and MTA-STS?

MTA-STS

Mail Transfer Agent Strict Transport Security

  • Enforces TLS encryption for inbound email
  • Prevents downgrade attacks
  • Validates server certificates
  • Requires HTTPS-hosted policy file

TLS-RPT

SMTP TLS Reporting

  • Receives daily TLS failure reports
  • Identifies certificate problems
  • Monitors delivery issues
  • Simple DNS TXT record setup

How to Set Up TLS-RPT and MTA-STS

Step 1: Set up TLS-RPT (easier, do first)

Add a DNS TXT record at _smtp._tls.yourdomain.com:

v=TLSRPTv1; rua=mailto:tls-reports@yourdomain.com

Replace the address with the mailbox where you want to receive reports. You can also use an HTTPS endpoint as the report destination.

Step 2: Create MTA-STS policy file

Host a file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt:

version: STSv1
mode: testing
mx: mail.yourdomain.com
mx: *.yourdomain.com
max_age: 86400

Start with mode: testing to monitor without enforcing. Change to mode: enforce once verified.

Step 3: Add MTA-STS DNS record

Add a DNS TXT record at _mta-sts.yourdomain.com:

v=STSv1; id=20240115

The id must change whenever you update the policy file. Use a date or incrementing number.

Step 4: Verify and enforce

After setup:

  • Use this tool to verify configuration
  • Monitor TLS-RPT reports for failures
  • Once stable, change MTA-STS mode to enforce
  • Update the DNS record id when changing the policy
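As an added example (not the checker's own code), here is a small Python validator for the artifacts created in steps 1 to 3: it parses the two TXT records, parses and checks the mta-sts.txt policy against the rules stated above, and applies the mx matching rule to an MX hostname. The sample policy and domain names are constructed for this example.

```python
VALID_MODES = {"testing", "enforce", "none"}

def parse_txt_record(record: str, expected_version: str) -> dict:
    """Parse a 'tag=value; tag=value' TXT record and check its version tag."""
    fields = {}
    for item in record.split(";"):
        tag, sep, value = item.strip().partition("=")
        if sep:
            fields[tag.strip()] = value.strip()
    if fields.get("v") != expected_version:
        raise ValueError(f"expected v={expected_version}, got {fields.get('v')!r}")
    return fields

def parse_mta_sts_policy(text: str) -> dict:
    """Parse the key: value lines of mta-sts.txt and check the required fields."""
    policy = {"mx": []}
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        if key.strip() == "mx":
            policy["mx"].append(value.strip())  # mx may repeat, one host per line
        else:
            policy[key.strip()] = value.strip()
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError("mode must be testing, enforce or none")
    if not policy["mx"]:
        raise ValueError("policy needs at least one mx line")
    if not policy.get("max_age", "").isdigit():
        raise ValueError("max_age must be a whole number of seconds")
    policy["max_age"] = int(policy["max_age"])
    return policy

def mx_allowed(policy: dict, hostname: str) -> bool:
    """True if an MX host matches an mx entry; '*.' covers exactly one extra label."""
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # "*.yourdomain.com" -> ".yourdomain.com"
            head = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
            if head and "." not in head:
                return True
        elif hostname == pattern:
            return True
    return False

# Constructed sample matching the setup steps above (not a real domain's policy).
SAMPLE_POLICY = "version: STSv1\nmode: testing\nmx: mail.yourdomain.com\nmx: *.yourdomain.com\nmax_age: 86400\n"
```

Run the same checks against the policy file you actually host before switching the mode to enforce, since a missing mx entry would cause senders to stop delivering.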

MTA-STS Policy Modes

testing

Senders will attempt TLS but deliver anyway if it fails. Use this to identify issues without blocking mail.

enforce

Senders must use TLS with valid certificates. If TLS negotiation or certificate validation fails, the sending server will not deliver the message. Use after verifying configuration.

none

Disables MTA-STS. Senders ignore the policy. Use to temporarily disable without removing DNS records.

Frequently Asked Questions

What is MTA-STS?

MTA-STS (Mail Transfer Agent Strict Transport Security) tells sending servers to only deliver email over encrypted TLS connections. It prevents downgrade attacks where an attacker forces unencrypted delivery, and validates that the receiving server has a valid certificate.

What is TLS-RPT?

TLS-RPT (SMTP TLS Reporting) sends you daily reports about TLS connection failures when other servers try to deliver email to you. Reports include details about certificate validation failures, connection issues, and policy fetch problems.

Do I need both MTA-STS and TLS-RPT?

They work together but serve different purposes. MTA-STS enforces encryption; TLS-RPT reports on failures. Implement both for complete visibility and security. Start with TLS-RPT alone to see current TLS status before enabling MTA-STS enforcement.

Monitor TLS Security Continuously

Create a free account to parse TLS-RPT reports, monitor MTA-STS status, and get alerts on issues.
