Receive daily reports from sending mail servers about TLS connection failures when delivering to your domain.
⚡ Monitored by EmailExacto IntelligenceTLS-RPT (RFC 8460) is a reporting mechanism that lets sending mail servers notify you when they encounter TLS problems while delivering to your domain. Reports are delivered daily in JSON format and detail successful and failed TLS sessions along with failure reasons. TLS-RPT is the companion standard to MTA-STS — MTA-STS enforces TLS, TLS-RPT tells you when enforcement is failing.
Enable TLS-RPT by publishing a DNS TXT record:
Sending servers that support TLS-RPT deliver JSON reports to your RUA address including: total session counts, success/failure counts, MX hostnames, policy type (MTA-STS or DANE), and failure reasons (certificate expired, name mismatch, TLS handshake failed).
Without TLS-RPT, you have zero visibility into TLS delivery failures. If your MX server's certificate expires while MTA-STS is in enforce mode, senders will refuse delivery — and you won't know until customers report missing email. TLS-RPT contributes 7 points to your EmailExacto deliverability score.
EmailExacto polls the TLS-RPT reporting mailbox, parses incoming reports, and surfaces failure summaries in your daily intelligence report.
✓Always deploy TLS-RPT alongside MTA-STS — enforce mode without reporting is flying blind.
✓Monitor reports for unexpected failure spikes, which may indicate a certificate problem.
✓Use a dedicated mailbox or reporting service for your rua= address.
✓Review TLS-RPT reports before switching MTA-STS from testing to enforce.
✓Automate certificate renewal — expiry is the most common TLS-RPT failure reason.
✓Verify your MX hostname in the policy file exactly matches the certificate's CN or SAN.
Expert-written training delivered to your inbox every Tuesday. No spam. Unsubscribe anytime.
Join thousands of senders building better email habits.