Last updated: July 2026

In short: After this guide your domain at checkdomain publishes a TLS-RPT record and receives daily reports on encrypted delivery.

Prerequisites

  • A domain at checkdomain with active checkdomain nameservers
  • A destination for the reports (analysis service or mailbox)

What is TLS-RPT?

TLS-RPT (SMTP TLS Reporting, RFC 8460) is a DNS TXT record under _smtp._tls.your-domain. Receiving mail servers send daily aggregate reports on TLS delivery to the rua address named there — as JSON. TLS-RPT enforces nothing; it’s the eye that shows you whether your encryption (and a later MTA-STS protection) works in practice.

The starting point at checkdomain

TLS-RPT is a completely normal TXT record. You enter it yourself in the Pro settings of the nameserver management — the same place as the SPF and DMARC record. As usual at checkdomain: enter the value without quotation marks.

Step-by-step guide

1. Set the report address

Decide where the reports go — ideally to a TLS-RPT analysis service that processes the JSON reports, or to a dedicated mailbox.

2. Create the TXT record in the pro settings

Open the customer area, click Configuration for your domain, then Checkdomain Nameserver, and open the Pro settings area. Create a TXT entry:

  • Name: _smtp._tls
  • Type: TXT
  • Value (without quotation marks): v=TLSRPTv1; rua=mailto:tlsrpt@beispiel.de

checkdomain generally advises: “Always use the TXT value that the respective provider gives you” — with TLS-RPT that’s simply your own report address.

3. Wait until the change is live

DNS changes are saved in seconds at checkdomain; worldwide visibility can take up to 48 hours.

The components in detail

ComponentMeaning
v=TLSRPTv1version identifier, always at the start
rua=mailto:address the daily TLS reports go to

Separate multiple recipients with a comma; as an alternative to mailto:, an https: endpoint is also possible.

Verify the result

Check your configuration with the free MXAudit scanner — it shows you TLS-RPT together with your TLS and MTA-STS protection.

Common mistakes

Quotation marks copied along. At checkdomain the value goes in the field without quotation marks.

Wrong hostname. The record belongs exactly at _smtp._tls — not at _tls or the bare domain.

Mistook TLS-RPT for enforcement. TLS-RPT only reports. Encryption is enforced by MTA-STS — TLS-RPT shows you whether it works.

Further reading