TLS-RPT Generator

Create TLS Reporting DNS record for email delivery reports

Privacy First

This generator runs entirely in your browser. No data is sent to any server.

Configuration

Domain Name

Report Destinations (rua)

mailto:

Add multiple destinations for redundancy. Reports are sent daily in JSON format.

About TLS-RPT

TLS-RPT (SMTP TLS Reporting) allows domain owners to receive reports about TLS connection failures from sending mail servers. It works alongside MTA-STS to provide visibility into email delivery issues.

Reporting Methods

mailto: - Reports sent as email attachments (gzip compressed JSON)
https: - Reports POSTed to a webhook endpoint

Report Contents

Successful and failed TLS connection counts
Failure types (certificate errors, policy failures, etc.)
Sending server IP addresses
Your MX hostname that was contacted

Common Failure Types

starttls-not-supported - Server doesn't support STARTTLS
certificate-expired - TLS certificate has expired
certificate-not-trusted - Certificate not trusted
certificate-host-mismatch - Hostname mismatch
sts-policy-invalid - Invalid MTA-STS policy
sts-webpki-invalid - WebPKI validation failed

TLS-RPT works best with MTA-STS. Use the TLS-RPT Analyzer to parse received reports.