What information is included in TLS reports?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

When a sending mail server can't reach you over secure TLS, it packages up a report. Here's what's actually in that report:

The wins: Total number of successful TLS connections. If 10,000 connections succeeded, you know your certificate and configuration are working for most senders.

The problems: How many connections failed, broken down by reason. The report includes codes like certificate-expired, certificate-not-trusted, starttls-not-supported, and validation-failure. This tells you exactly where the friction is.

The details: The IP address of each sending server that failed, the time window covered (usually one day), and negotiation details. You get the source of the problem, not just that a problem exists.

Think of it like a daily health check for your mail server's TLS setup. You're not guessing why senders can't reach you anymore; the report shows you exactly what failed and why.

Ready to see these reports yourself? Here's how to set up TLS-RPT on your domain.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Rewrite TLS report contents explanation

I'm starting to receive TLS-RPT reports for my domain. My environment: ESP/MTA you use, roughly X daily inbound connections. The recent failure codes I'm seeing are: paste the codes from your report. Help me figure out which are urgent and which are normal background noise.

Edit the yellow boxes, then send to the AI of your choice.