What is the IETF standard for reporting events (RFC 8460, 8461)?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

A quick note before diving in: the question number references RFC 8460 and 8461, but these RFCs actually define transport security, not general event reporting. Here's what they actually cover.

RFC 8461 defines MTA-STS (SMTP MTA Strict Transport Security). This is a policy mechanism that tells other mail servers your domain requires an encrypted TLS connection for delivery. Without MTA-STS, a receiving server could downgrade to an unencrypted connection. With it, servers that can't negotiate TLS must fail the delivery rather than send in plaintext.

RFC 8460 defines TLS-RPT (TLS Reporting). This is the companion standard: it defines how receiving servers report back to you when they encounter TLS problems while trying to deliver to your domain. Reports arrive daily as JSON files, showing successful and failed TLS negotiations so you can spot configuration problems.

Together they work like this: MTA-STS sets the policy, TLS-RPT tells you when the policy causes problems or when someone tries to route around it. If you're seeing unexpected delivery failures after enabling MTA-STS, your TLS-RPT reports are the first place to look.

To implement MTA-STS, you publish a policy file at a specific HTTPS URL and add a DNS TXT record pointing to it. The policy specifies whether you're in "enforce" or "testing" mode. Start with "testing" so you can see the TLS-RPT reports before any real deliveries are affected.

You can verify your MTA-STS configuration with our free MTA-STS Checker at Review My Emails. For the broader authentication picture, see our DMARC generator. MTA-STS sits alongside SPF, DKIM, and DMARC as part of a complete domain security setup.

The IETF publishes both RFCs in full at their website if you want the technical specification.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Help me check my MTA-STS and TLS-RPT setup

I read about RFC 8460 (TLS-RPT) and RFC 8461 (MTA-STS). Help me understand these for my setup: - My sending domain: your domain - Do I have MTA-STS configured? yes / no / unsure - Am I receiving TLS-RPT reports? yes / no / unsure - ESP or mail server I use: e.g. Google Workspace, Postfix, Proofpoint - Have I had delivery failures I can't explain? describe if yes

Edit the yellow boxes, then send to the AI of your choice.