Last updated: July 2026

In short: TLS-RPT (SMTP TLS Reporting) delivers structured diagnostic reports on failed TLS encryption handshakes for incoming emails. You enable reporting by publishing a TXT record on the _smtp._tls subdomain inside dogado DNS management.

Prerequisites

  • An active dogado web hosting or email hosting plan
  • Access to your DNS management table (in either CloudPit or oneHome)
  • An email address or specialized monitoring endpoint configured to collect JSON reports (.json.gz)

What is TLS-RPT?

TLS-RPT (SMTP TLS Reporting, RFC 8460) is a protocol for auditing transport encryption on incoming email delivery. When external providers (such as Gmail or Microsoft 365) transmit messages to your dogado mail server, they attempt to negotiate a secure TLS tunnel. If that handshake fails — whether due to certificate errors, misconfigurations, or active downgrade attacks — TLS-RPT instructs the sending server to generate a detailed failure report and send it to you.

As dogado explains regarding DNS management features: Ein TXT-Eintrag speichert Textinformationen, häufig zur Domain-Verifizierung (z. B. Google, Microsoft) oder für Sicherheitsrichtlinien wie SPF, DKIM und DMARC (“A TXT record stores text information, frequently for domain verification (e.g. Google, Microsoft) or for security policies such as SPF, DKIM, and DMARC”). This flexible TXT record capability accommodates TLS-RPT policies seamlessly.

Especially when deployed alongside strict encryption protocols like MTA-STS or DANE, TLS-RPT provides essential visibility into transport issues.

The starting point at dogado

You configure the required record right inside your domain’s DNS table. The policy must be attached to the _smtp._tls technical subdomain.

The recommended record structure is:

v=TLSRPTv1; rua=mailto:tls-reports@example.com

Step-by-step guide

1. Check whether a TLS-RPT record already exists

Use your terminal to see if your domain currently publishes a reporting policy:

dig TXT _smtp._tls.example.com +short

If the command returns a string starting with v=TLSRPTv1;, an entry already exists. If the output stays empty, continue to add a new record.

2. Open DNS management inside CloudPit or oneHome

Log in to your dogado customer portal and open the DNS record table for your domain.

3. Add the TXT record for _smtp._tls

Add a new entry using the creation button: Mit dem Button + Record erstellen(7) haben Sie die Möglichkeit, einen neuen DNS-Eintrag hinzuzufügen (“With the + Create record button you have the ability to add a new DNS record”).

Enter the following configuration:

  • Name / Hostname: _smtp._tls (ensure you enter only the subdomain portion, because the system appends the rest automatically: der Name der Hauptdomain nicht in das Feld Name eingetragen werden sollte. Dieser wird automatisch hinzugefügt (“the name of the main domain should not be entered into the Name field. It is added automatically”)).
  • Type: TXT
  • Value / Text:
    v=TLSRPTv1; rua=mailto:tls-reports@example.com

(Replace tls-reports@example.com with the email address where you want to collect diagnostic reports).

  • TTL: Keep the default setting (e.g., 600 seconds)

To apply the change, you must confirm by saving: klicken Sie bitte abschließend auf Speichern (8), um diese zu bestätigen und wirksam zu machen (“finally please click on Save to confirm and make them effective”).

The components explained

ComponentMeaning
_smtp._tlsDedicated DNS selector queried by external mail servers for your TLS reporting instructions
v=TLSRPTv1Protocol version tag (must strictly appear at the very beginning of the TXT string)
rua=mailto:...Target URI where daily compressed JSON reports (.json.gz) will be delivered

Verification

Once you save your record inside dogado’s portal, immediately test your setup using the free MXAudit scanner — verify your TLS-RPT syntax and ensure your reporting endpoint is correctly formatted.

You can also use your terminal to check that dogado’s name servers serve your new record:

dig TXT _smtp._tls.example.com +short

The output should match "v=TLSRPTv1; rua=mailto:tls-reports@example.com".

Common mistakes

Placing the record on root (@) instead of _smtp._tls. If you leave the name field empty, the record is published on the root domain (der Name der Hauptdomain nicht in das Feld Name eingetragen werden sollte. Dieser wird automatisch hinzugefügt.). External mail servers will not look there for reporting instructions. Always enter _smtp._tls in the name field.

Omitting the mailto: scheme. The rua= attribute requires the mailto: URI prefix right before your email address. Missing this prefix makes the record invalid.

Directing reports to a personal inbox. Diagnostic reports arrive daily as compressed JSON/GZIP attachments. Send these reports to a dedicated reporting inbox or automated processing dashboard to keep your main inbox clean.

Further reading