What does a TLS-RPT report contain?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

A TLS-RPT report is a JSON file (gzip-compressed) that arrives in your inbox daily. It's like a diagnostic log, but formatted so you can actually parse it automatically. Here's what you're looking at:

Connection status: Total successful TLS connections, total failures, and the date range (usually 24 hours). This gives you the big picture. If you saw 100,000 successful connections and 50 failures, that's a pretty healthy ratio.

Failure reasons: Each failed connection includes a code explaining why. Common ones: certificate-expired (your cert is past its expiration date), certificate-not-trusted (issuing CA isn't recognized), starttls-not-supported (your server rejected STARTTLS), or validation-failure (certificate hostname doesn't match). Each failure includes the sending server's IP address, so you know who couldn't reach you.

The meta: Report timestamp, your domain name, and policy type (usually "smtp-tls" if you've set up MTA-STS policies).

Most teams ignore these reports until something breaks. Smart teams review them weekly for patterns. A spike in certificate-expired alerts tells you to renew before it's too late. Understanding what these reports mean is the difference between catching problems early and watching your email bounce.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Rewrite TLS-RPT report contents guide

I got my first TLS-RPT report and I'm not sure where to focus. Here's the summary: [paste your daily totals, successful connections, failed connections, top failure codes]. My priority is [keeping certs valid / debugging STARTTLS / preparing for MTA-STS enforcement]. Walk me through what to act on first.

Edit the yellow boxes, then send to the AI of your choice.