TLS-RPT Record Generator
Use this tool to generate your TLS-RPT record
Frequently Asked Questions
How to use a TLS-RPT Record Generator tool?
Using the TLS-RPT Record Generator tool is easy. Simply follow the steps below:
- Fill in your domain
- Fill in the email address(es) you want the system to use for reporting
- Fill in the endpoint URL you want the system to use for reporting (Optional)
- Click “Generate”
To use the record, copy and paste it to your domain’s DNS.
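As an added example (not the generator tool's own code), the following Python builds the DNS name and TXT value from the same inputs the steps above ask for, and parses a record back so you can check what is already published. The record syntax (`v=TLSRPTv1; rua=...` at `_smtp._tls.<domain>`) is from RFC 8460; the function names and the validation rules are this example's own assumptions.

```python
import re
from urllib.parse import urlparse

# Hypothetical helpers written for this page; they are not the generator tool's code.
# Record syntax follows RFC 8460: "v=TLSRPTv1; rua=<uri>,<uri>,..." published at _smtp._tls.<domain>.

_DOMAIN_RE = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
# Commas and semicolons are excluded because they delimit URIs and tags inside the record.
_EMAIL_RE = re.compile(r"[^@\s,;]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def build_tlsrpt_record(domain, emails, endpoint_url=None):
    """Return (dns_name, txt_value) for the given reporting destinations."""
    domain = domain.strip().rstrip(".").lower()
    if not _DOMAIN_RE.fullmatch(domain):
        raise ValueError(f"invalid domain: {domain!r}")
    rua = []
    for addr in emails:
        addr = addr.strip()
        if not _EMAIL_RE.fullmatch(addr):
            raise ValueError(f"invalid reporting address: {addr!r}")
        rua.append("mailto:" + addr)
    if endpoint_url:
        endpoint_url = endpoint_url.strip()
        parsed = urlparse(endpoint_url)
        # RFC 8460 only allows https:// endpoints for report delivery.
        if parsed.scheme != "https" or not parsed.netloc or "," in endpoint_url:
            raise ValueError(f"endpoint must be a plain https:// URL: {endpoint_url!r}")
        rua.append(endpoint_url)
    if not rua:
        raise ValueError("at least one reporting destination is required")
    return f"_smtp._tls.{domain}", "v=TLSRPTv1; rua=" + ",".join(rua)


def parse_tlsrpt_record(txt_value):
    """Split a TXT value into tags; raise ValueError if it is not a usable TLS-RPT record."""
    parts = [p.strip() for p in txt_value.split(";") if p.strip()]
    if not parts or parts[0] != "v=TLSRPTv1":
        raise ValueError("record must begin with v=TLSRPTv1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        key, value = key.strip(), value.strip()
        if key in tags:
            raise ValueError(f"duplicate tag: {key!r}")
        tags[key] = value
    destinations = [d for d in tags.get("rua", "").split(",") if d]
    if not destinations:
        raise ValueError("record has no rua= destinations")
    for dest in destinations:
        # Only mailto: and https: destinations are meaningful for report delivery.
        if not (dest.startswith("mailto:") or dest.startswith("https://")):
            raise ValueError(f"unsupported rua destination: {dest!r}")
    tags["rua"] = destinations
    return tags


def record_is_valid(txt_value):
    """True if parse_tlsrpt_record accepts the value, False otherwise."""
    try:
        parse_tlsrpt_record(txt_value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    name, value = build_tlsrpt_record(
        "example.com", ["tlsrpt@example.com"], "https://reports.example.com/tlsrpt")
    print(f'{name}.  IN TXT  "{value}"')
    print(parse_tlsrpt_record(value))
```

The checks mirror the mistakes that most often make a published record useless: a missing or misplaced `v=TLSRPTv1` tag, no `rua=` destination, or an `http://` endpoint, which reporters will not deliver to.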
Why do you need TLS-RPT?
You need TLS-RPT to see whether TLS encryption succeeded or failed for mail delivered to your domain. The reports help you identify and fix security issues with your mail server, such as certificate and policy problems that would otherwise go unnoticed.
How does TLS-RPT work?
TLS-RPT works alongside protocols that enforce TLS, such as MTA-STS and DNS-based Authentication of Named Entities (DANE), by reporting on the TLS status of email delivery. When a message is sent to your domain, the sending SMTP server checks whether TLS was successfully negotiated during delivery. If not, it records a ‘FAIL’ status; if so, it records a ‘SUCCESS’ status. These results are collected into reports that are sent to the reporting address published in your domain’s TLS-RPT record.
What Are The Different Types Of TLS-RPT Failures?
There are three types of TLS-RPT failures: TLS negotiation failures, MTA-STS-related failures, and DNS-related failures.
TLS Negotiation Failures
- starttls-not-supported: The receiving MTA does not support, or rejects, the STARTTLS command.
- certificate-host-mismatch: The receiving MTA’s certificate does not match the hostname it is expected to present.
- certificate-not-trusted: The sender does not trust the certificate supplied by the receiving MTA.
- certificate-expired: The receiving MTA’s certificate has expired.
- validation-failure: Any other general validation failure.
MTA-STS Related Failures
- sts-policy-fetch-error: The sender was unable to fetch the MTA-STS policy over HTTPS.
- sts-policy-invalid: The MTA-STS policy contains a syntax error that prevents it from being validated.
- sts-webpki-invalid: The MTA-STS policy could not be fetched because Web PKI validation of the HTTPS endpoint failed.
DNS Related Failures
- tlsa-invalid: A TLSA record failed validation.
- dnssec-invalid: The recursive resolver failed to return a DNSSEC-validated record.
- dane-required: The sending domain requires DANE TLSA records for the destination domain’s MX hosts, but no DNSSEC-validated TLSA records could be found.
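The reports described under “How does TLS-RPT work?” arrive as JSON (RFC 8460, usually gzip-compressed), and the `result-type` values in their `failure-details` are exactly the failure names listed above. As an added example, not code from the generator tool, the following Python reads one such report, tallies successes and failures, and groups the failures into the three categories on this page so that the affected MX hosts stand out. The sample report embedded at the bottom is constructed for the example; its organization name, report id, IP addresses and counts are invented.

```python
import gzip
import json
from collections import Counter

# Added example for this page; not code from the generator tool. It reads one
# TLS-RPT aggregate report (JSON per RFC 8460, optionally gzip-compressed as
# delivered by mail) and tallies failures by the three categories listed above.

FAILURE_CATEGORIES = {
    "TLS negotiation": {"starttls-not-supported", "certificate-host-mismatch",
                        "certificate-not-trusted", "certificate-expired",
                        "validation-failure"},
    "MTA-STS": {"sts-policy-fetch-error", "sts-policy-invalid", "sts-webpki-invalid"},
    "DNS": {"tlsa-invalid", "dnssec-invalid", "dane-required"},
}


def categorize(result_type):
    """Map an RFC 8460 result-type to one of the page's categories ('other' if unknown)."""
    for category, types in FAILURE_CATEGORIES.items():
        if result_type in types:
            return category
    return "other"


def load_report(data):
    """Accept a JSON string, JSON bytes, or gzip-compressed JSON bytes."""
    if isinstance(data, bytes):
        if data[:2] == b"\x1f\x8b":  # gzip magic number
            data = gzip.decompress(data)
        data = data.decode("utf-8")
    return json.loads(data)


def summarize_report(data):
    """Return totals, failure counts per category and result-type, and affected MX hosts."""
    report = load_report(data)
    successful = failed = 0
    by_category, by_result_type = Counter(), Counter()
    affected_mx = set()
    for entry in report.get("policies", []):
        totals = entry.get("summary", {})
        successful += int(totals.get("total-successful-session-count", 0))
        failed += int(totals.get("total-failure-session-count", 0))
        for detail in entry.get("failure-details", []):
            count = int(detail.get("failed-session-count", 0))
            result_type = detail.get("result-type", "unknown")
            by_result_type[result_type] += count
            by_category[categorize(result_type)] += count
            mx = detail.get("receiving-mx-hostname")
            if mx:
                affected_mx.add(mx)
    return {
        "report_id": report.get("report-id"),
        "reporter": report.get("organization-name"),
        "successful": successful,
        "failed": failed,
        "by_category": dict(by_category),
        "by_result_type": dict(by_result_type),
        "affected_mx": sorted(affected_mx),
    }


# Constructed sample report: every value below is invented for this example.
SAMPLE_REPORT = json.dumps({
    "organization-name": "Example Sender Inc",
    "date-range": {"start-datetime": "2024-01-01T00:00:00Z",
                   "end-datetime": "2024-01-02T00:00:00Z"},
    "contact-info": "tlsrpt-noreply@sender.example",
    "report-id": "constructed-report-0001",
    "policies": [
        {"policy": {"policy-type": "sts", "policy-domain": "example.com",
                    "policy-string": ["version: STSv1", "mode: enforce",
                                      "mx: mail.example.com", "max_age: 604800"]},
         "summary": {"total-successful-session-count": 120, "total-failure-session-count": 3},
         "failure-details": [
             {"result-type": "certificate-expired", "sending-mta-ip": "192.0.2.10",
              "receiving-mx-hostname": "mail.example.com", "failed-session-count": 2},
             {"result-type": "sts-policy-fetch-error", "sending-mta-ip": "192.0.2.11",
              "receiving-mx-hostname": "mail.example.com", "failed-session-count": 1}]},
        {"policy": {"policy-type": "tlsa", "policy-domain": "example.com"},
         "summary": {"total-successful-session-count": 40, "total-failure-session-count": 1},
         "failure-details": [
             {"result-type": "dnssec-invalid", "sending-mta-ip": "198.51.100.5",
              "receiving-mx-hostname": "mx2.example.com", "failed-session-count": 1}]},
    ],
})
SAMPLE_REPORT_GZ = gzip.compress(SAMPLE_REPORT.encode("utf-8"))

if __name__ == "__main__":
    print(json.dumps(summarize_report(SAMPLE_REPORT_GZ), indent=2))
```

Counting per category is what makes the report actionable: a run of TLS negotiation failures points at the MX host's certificate or STARTTLS configuration, MTA-STS failures at the policy file or the HTTPS host serving it, and DNS failures at the TLSA records or DNSSEC signing of the zone.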