Last updated: July 2026
In short: After this guide your Cloudflare-hosted zone publishes a TLS-RPT record and receives daily reports on encrypted delivery.
Prerequisites
- A domain whose DNS is managed at Cloudflare (DNS > Records)
- A destination for the reports (analysis service or mailbox)
What is TLS-RPT?
TLS-RPT (SMTP TLS Reporting, RFC 8460) is a DNS TXT record under _smtp._tls.your-domain. Receiving servers send daily aggregate reports on TLS delivery to the address named there. It enforces nothing — it shows you whether your transport-encryption protection works. That protection is delivered by MTA-STS, which Cloudflare describes as a way to “protect against downgrade and man-in-the-middle attacks in SMTP sessions”. TLS-RPT is the eyes on it.
Cloudflare has no dedicated TLS-RPT page — but it points straight to it: when rolling out MTA-STS, Cloudflare recommends you “start with mode: testing” and “monitor TLS-RPT ↗ reports for a few weeks before switching to enforce”. This guide sets up exactly that reporting record. The record value itself follows the RFC 8460 standard.
Step-by-step guide
1. Set the report address
A TLS-RPT analysis service processes the JSON reports.
2. Create the TXT record in the Cloudflare dashboard
Go to DNS > Records, select Add record, choose a record Type, and “Complete the required fields”:
| Field | Value |
|---|---|
| Type | TXT |
| Name | _smtp._tls |
| Content | v=TLSRPTv1; rua=mailto:tlsrpt@beispiel.de |
| TTL | Auto |
Cloudflare uses a plain Content field — no quotation marks. The TTL (Time to Live) field controls “how long each record is valid”; Auto is fine.
Select Save.
3. Together with MTA-STS
Combine TLS-RPT with MTA-STS. On Cloudflare, MTA-STS is set up with an _mta-sts CNAME plus a policy file served over HTTPS — see Cloudflare’s MTA-STS guide. Roll MTA-STS out in testing mode first and watch the TLS-RPT reports before switching to enforce.
4. Wait until the change is live
DNS changes take a while depending on TTL.
Verify the result
Check your configuration with the free MXAudit scanner.
dig TXT _smtp._tls.example.com +short
Common mistakes
rua to a normal mailbox. The reports are JSON — use an analysis service, not your inbox.
TLS-RPT alone. It only reports; enforcement is delivered by MTA-STS. Set both.
Switching MTA-STS straight to enforce. Cloudflare warns to start in testing and monitor TLS-RPT reports first, or legitimate inbound mail may be rejected.
Further reading
- Cloudflare Docs: Configure MTA-STS (retrieved: July 10, 2026)
- Cloudflare Docs: Manage DNS records (retrieved: July 10, 2026)
- RFC 8460 — SMTP TLS Reporting
