Last updated: July 2026

In short: After this guide your domain at All-Inkl publishes a TLS-RPT record and gets daily reports on encrypted delivery.

Prerequisites

  • An All-Inkl package with access to the KAS
  • A destination for the reports (analysis service or mailbox)

What is TLS-RPT?

TLS-RPT (SMTP TLS Reporting, RFC 8460) is a DNS TXT record under _smtp._tls.your-domain. Receiving servers send daily aggregate reports on TLS delivery to the address named there. It enforces nothing — it shows you whether your MTA-STS protection works.

Step-by-step guide

1. Set the report address

A TLS-RPT analysis service processes the JSON reports.

2. Create the TXT record in the KAS

Log into the KAS (technical administration) and click Tools → DNS settings. Edit the domain and choose create new DNS entry:

FieldValue
Name_smtp._tls
TypeTXT
Datav=TLSRPTv1; rua=mailto:tlsrpt@beispiel.de

3. Together with MTA-STS

Combine TLS-RPT with MTA-STS at All-Inkl.

4. Wait until the change is live

DNS changes at All-Inkl can take up to 24 hours.

Verify the result

Check your configuration with the free MXAudit scanner.

dig TXT _smtp._tls.example.com +short

Common mistakes

rua to a normal mailbox. Use an analysis service for the machine-readable reports.

TLS-RPT without MTA-STS. It only reports; enforcement is delivered by MTA-STS.

Wrong hostname. _smtp._tls, not _mta-sts.

Further reading