Last updated: July 2026
In short: After this guide your domain at checkdomain publishes a TLS-RPT record and receives daily reports on encrypted delivery.
Prerequisites
- A domain at checkdomain with active checkdomain nameservers
- A destination for the reports (analysis service or mailbox)
What is TLS-RPT?
TLS-RPT (SMTP TLS Reporting, RFC 8460) is a DNS TXT record under _smtp._tls.your-domain. Receiving mail servers send daily aggregate reports on TLS delivery to the rua address named there — as JSON. TLS-RPT enforces nothing; it’s the eye that shows you whether your encryption (and a later MTA-STS protection) works in practice.
The starting point at checkdomain
TLS-RPT is a completely normal TXT record. You enter it yourself in the Pro settings of the nameserver management — the same place as the SPF and DMARC record. As usual at checkdomain: enter the value without quotation marks.
Step-by-step guide
1. Set the report address
Decide where the reports go — ideally to a TLS-RPT analysis service that processes the JSON reports, or to a dedicated mailbox.
2. Create the TXT record in the pro settings
Open the customer area, click Configuration for your domain, then Checkdomain Nameserver, and open the Pro settings area. Create a TXT entry:
- Name:
_smtp._tls - Type:
TXT - Value (without quotation marks):
v=TLSRPTv1; rua=mailto:tlsrpt@beispiel.de
checkdomain generally advises: “Always use the TXT value that the respective provider gives you” — with TLS-RPT that’s simply your own report address.
3. Wait until the change is live
DNS changes are saved in seconds at checkdomain; worldwide visibility can take up to 48 hours.
The components in detail
| Component | Meaning |
|---|---|
v=TLSRPTv1 | version identifier, always at the start |
rua=mailto: | address the daily TLS reports go to |
Separate multiple recipients with a comma; as an alternative to mailto:, an https: endpoint is also possible.
Verify the result
Check your configuration with the free MXAudit scanner — it shows you TLS-RPT together with your TLS and MTA-STS protection.
Common mistakes
Quotation marks copied along. At checkdomain the value goes in the field without quotation marks.
Wrong hostname. The record belongs exactly at _smtp._tls — not at _tls or the bare domain.
Mistook TLS-RPT for enforcement. TLS-RPT only reports. Encryption is enforced by MTA-STS — TLS-RPT shows you whether it works.
Further reading
- checkdomain support: How do I set a TXT entry? (German) (retrieved: July 10, 2026)
- RFC 8460 — SMTP TLS Reporting
