TLS-RPT Record Checker

You need TLS-RPT to review the success or failure of encryption in your email activity. The reports will help you identify and fix security issues with your mail server.

TLS-RPT works alongside protocols imposing TLS like MTA-STS and DNS-based Authentication of Named Entities (DANE). It functions by reporting back on the TLS status of email communication. When you send an email, the SMTP server verifies whether TLS was deployed while delivering. If not, the SMTP server reports back to the sender with a ‘FAIL’ status. If yes, it reports back with ‘SUCCESS’ status.

There are three types of TLS-RPT record failures- TLS negotiation failures, MTA-STS-related failures, and DNS-related failures.

• starttls-not-supported: The receiver’s MTA repels the STARTTLS command.
• certificate-host-mismatch: The receiver’s MTA certificate differs from the hostname.
• certificate-not-trusted: The sender doesn’t count on the certificate supplied by the receiving MTA.
• certificate-expired: The receiving MTA’s certificate is expired.
• validation-failure: Any other general validation failure.

• sts-policy-fetch-error: The sender fails to collect the MTA-STS policy over HTTPS.
• sts-policy-invalid: It specifies a syntax error in the policy to avert the validation of the MTA-STS policy.
• sts-webpki-invalid: It indicates the inability to fetch the MTA-STS policy due to PKI validation issues.

• tlsa-invalid: It denotes a TLSA record validation error.
• dnssec-invalid: It indicates the failure of the recursive resolver to return a valid record.
• dane-required: It says that the sending domain requires DANE TLSA records of the destination domain (MX hosts), but it could not find any DNSSEC-validated TLSA records.