TLS-RPT Record Checker
Use this tool to check, lookup, and validate your TLS-RPT record
What is the TLS-RPT Record Checker tool?
EasyDMARC’s TLS-RPT Record Checker tool is a user-friendly free tool that helps you to:
- Learn if you have the TLS-RPT TXT record published in your DNS
- Validates the record syntax and ensures the record works according to the policy specifications
How to use a TLS-RPT Record Checker tool?
Our TLS-RPT Record Checker only requires you to enter your domain and click “Check TLS-RPT.” The result notifies you:
- If the record exists
- If the record is valid
- How to fix your domain’s TLS-RPT record in case it’s invalid
Why do you need TLS-RPT?
You need TLS-RPT to review the success or failure of encryption in your email activity. The reports will help you identify and fix security issues with your mail server.
How does TLS-RPT work?
TLS-RPT works alongside protocols imposing TLS like MTA-STS and DNS-based Authentication of Named Entities (DANE). It functions by reporting back on the TLS status of email communication. When you send an email, the SMTP server verifies whether TLS was deployed while delivering. If not, the SMTP server reports back to the sender with a ‘FAIL’ status. If yes, it reports back with ‘SUCCESS’ status.
What Are The Different Types Of TLS-RPT Failures?
There are three types of TLS-RPT record failures- TLS negotiation failures, MTA-STS-related failures, and DNS-related failures.
TLS Negotiation Failures
- starttls-not-supported: The receiver’s MTA repels the STARTTLS command.
- certificate-host-mismatch: The receiver’s MTA certificate differs from the hostname.
- certificate-not-trusted: The sender doesn’t count on the certificate supplied by the receiving MTA.
- certificate-expired: The receiving MTA’s certificate is expired.
- validation-failure: Any other general validation failure.
MTA-STS Related Failures
- sts-policy-fetch-error: The sender fails to collect the MTA-STS policy over HTTPS.
- sts-policy-invalid: It specifies a syntax error in the policy to avert the validation of the MTA-STS policy.
- sts-webpki-invalid: It indicates the inability to fetch the MTA-STS policy due to PKI validation issues.
DNS Related Failures
- tlsa-invalid: It denotes a TLSA record validation error.
- dnssec-invalid: It indicates the failure of the recursive resolver to return a valid record.
- dane-required: It says that the sending domain requires DANE TLSA records of the destination domain (MX hosts), but it could not find any DNSSEC-validated TLSA records.