TLS-RPT: collecting SMTP TLS failure reports

TLS Reporting (RFC 8460) is the feedback loop for MTA-STS and DANE. Without it, policy failures are silent.

The DNS record

Publish a TXT record at _smtp._tls.<domain> with the value v=TLSRPTv1; rua=mailto:tls-reports@example.com (the rua target can instead be an https URL for direct upload). Major providers send JSON reports daily.

What's in a report

Each report lists the receiving domain, the policy type (sts/tlsa/no-policy-found), the success count, and per-failure details (failure type, sending MTA IP, receiving MX, additional info).

Setting up parsing

Send TLS-RPT reports to a dedicated address and pipe them through a parser. Self-hosted options include parsedmarc and tlsrpt-collector; managed options include Postmark DMARC, dmarcian, Valimail, and others.

Frequently asked questions

Do I need TLS-RPT without MTA-STS or DANE?
It still works without them — you'll see 'no-policy-found' reports — but the value really comes from pairing with MTA-STS or DANE.
