What is RFC 8460 (TLS Reporting)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You've set up MTA-STS to enforce encrypted delivery to your domain. Great. But how do you actually know if it's working? That's where RFC 8460 comes in.
RFC 8460 defines SMTP TLS Reporting (TLS-RPT). It's a standard that tells receiving domains when a sending server runs into a TLS encryption problem while trying to deliver mail to them. Think of it as a feedback loop for your encryption setup.
Here's how it works in practice. You publish a TLS-RPT record in your DNS. That record tells sending mail servers where to email a daily report. When a server tries to deliver to your domain and hits a TLS failure, it includes that failure in the report. You get the data. You fix the problem.
Without TLS-RPT, failures can go completely undetected. A misconfigured certificate, a policy mismatch, a server that can't negotiate the right TLS version and your intended encryption protection is silently doing nothing. TLS-RPT makes the invisible visible.
A TLS-RPT DNS record looks like this:
_smtp._tls.yourdomain.com IN TXT "v=TLSRPTv1; rua=mailto:tls-reports@yourdomain.com"
So the rua field is where the reports go. You can point it to an email address or an HTTPS endpoint. Reports arrive in JSON format and cover things like how many connections were attempted, how many succeeded, and what specific failure type caused any problems.
TLS-RPT is closely paired with MTA-STS (RFC 8461). MTA-STS sets the policy. TLS-RPT tells you whether that policy is actually being enforced. Running MTA-STS without TLS-RPT is a bit like locking your front door and never checking whether the lock is actually latching.
It's worth noting that TLS-RPT only covers opportunistic and enforced TLS failures at the server level. It doesn't track individual message delivery problems or tell you anything about the content of the emails involved. It's infrastructure feedback, not per-message reporting.
If you're reading RFC 8460 reports and seeing a pattern of failures, that's a signal to check your certificate validity, your MTA-STS policy file, and whether the sending servers involved are outdated or misconfigured. Not sure where to start? Our SOS hotline is free if you're stuck.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.