Last updated: July 2026

In short: After this guide your Cloudflare-hosted zone publishes a TLS-RPT record and receives daily reports on encrypted delivery.

Prerequisites

  • A domain whose DNS is managed at Cloudflare (DNS > Records)
  • A destination for the reports (analysis service or mailbox)

What is TLS-RPT?

TLS-RPT (SMTP TLS Reporting, RFC 8460) is a DNS TXT record under _smtp._tls.your-domain. Receiving servers send daily aggregate reports on TLS delivery to the address named there. It enforces nothing — it shows you whether your transport-encryption protection works. That protection is delivered by MTA-STS, which Cloudflare describes as a way to “protect against downgrade and man-in-the-middle attacks in SMTP sessions”. TLS-RPT is the eyes on it.

Cloudflare has no dedicated TLS-RPT page — but it points straight to it: when rolling out MTA-STS, Cloudflare recommends you “start with mode: testing” and “monitor TLS-RPT ↗ reports for a few weeks before switching to enforce”. This guide sets up exactly that reporting record. The record value itself follows the RFC 8460 standard.

Step-by-step guide

1. Set the report address

A TLS-RPT analysis service processes the JSON reports.

2. Create the TXT record in the Cloudflare dashboard

Go to DNS > Records, select Add record, choose a record Type, and “Complete the required fields”:

FieldValue
TypeTXT
Name_smtp._tls
Contentv=TLSRPTv1; rua=mailto:tlsrpt@beispiel.de
TTLAuto

Cloudflare uses a plain Content field — no quotation marks. The TTL (Time to Live) field controls “how long each record is valid”; Auto is fine.

Select Save.

3. Together with MTA-STS

Combine TLS-RPT with MTA-STS. On Cloudflare, MTA-STS is set up with an _mta-sts CNAME plus a policy file served over HTTPS — see Cloudflare’s MTA-STS guide. Roll MTA-STS out in testing mode first and watch the TLS-RPT reports before switching to enforce.

4. Wait until the change is live

DNS changes take a while depending on TTL.

Verify the result

Check your configuration with the free MXAudit scanner.

dig TXT _smtp._tls.example.com +short

Common mistakes

rua to a normal mailbox. The reports are JSON — use an analysis service, not your inbox.

TLS-RPT alone. It only reports; enforcement is delivered by MTA-STS. Set both.

Switching MTA-STS straight to enforce. Cloudflare warns to start in testing and monitor TLS-RPT reports first, or legitimate inbound mail may be rejected.

Further reading