Last updated: July 2026
In short: TLS-RPT (SMTP TLS Reporting) delivers structured diagnostic reports on failed TLS encryption handshakes for incoming emails. You enable reporting by publishing a TXT record on the
_smtp._tlssubdomain inside dogado DNS management.
Prerequisites
- An active dogado web hosting or email hosting plan
- Access to your DNS management table (in either CloudPit or oneHome)
- An email address or specialized monitoring endpoint configured to collect JSON reports (
.json.gz)
What is TLS-RPT?
TLS-RPT (SMTP TLS Reporting, RFC 8460) is a protocol for auditing transport encryption on incoming email delivery. When external providers (such as Gmail or Microsoft 365) transmit messages to your dogado mail server, they attempt to negotiate a secure TLS tunnel. If that handshake fails — whether due to certificate errors, misconfigurations, or active downgrade attacks — TLS-RPT instructs the sending server to generate a detailed failure report and send it to you.
As dogado explains regarding DNS management features: Ein TXT-Eintrag speichert Textinformationen, häufig zur Domain-Verifizierung (z. B. Google, Microsoft) oder für Sicherheitsrichtlinien wie SPF, DKIM und DMARC (“A TXT record stores text information, frequently for domain verification (e.g. Google, Microsoft) or for security policies such as SPF, DKIM, and DMARC”). This flexible TXT record capability accommodates TLS-RPT policies seamlessly.
Especially when deployed alongside strict encryption protocols like MTA-STS or DANE, TLS-RPT provides essential visibility into transport issues.
The starting point at dogado
You configure the required record right inside your domain’s DNS table. The policy must be attached to the _smtp._tls technical subdomain.
The recommended record structure is:
v=TLSRPTv1; rua=mailto:tls-reports@example.com
Step-by-step guide
1. Check whether a TLS-RPT record already exists
Use your terminal to see if your domain currently publishes a reporting policy:
dig TXT _smtp._tls.example.com +short
If the command returns a string starting with v=TLSRPTv1;, an entry already exists. If the output stays empty, continue to add a new record.
2. Open DNS management inside CloudPit or oneHome
Log in to your dogado customer portal and open the DNS record table for your domain.
3. Add the TXT record for _smtp._tls
Add a new entry using the creation button: Mit dem Button + Record erstellen(7) haben Sie die Möglichkeit, einen neuen DNS-Eintrag hinzuzufügen (“With the + Create record button you have the ability to add a new DNS record”).
Enter the following configuration:
- Name / Hostname:
_smtp._tls(ensure you enter only the subdomain portion, because the system appends the rest automatically:der Name der Hauptdomain nicht in das Feld Name eingetragen werden sollte. Dieser wird automatisch hinzugefügt(“the name of the main domain should not be entered into the Name field. It is added automatically”)). - Type: TXT
- Value / Text:
v=TLSRPTv1; rua=mailto:tls-reports@example.com
(Replace tls-reports@example.com with the email address where you want to collect diagnostic reports).
- TTL: Keep the default setting (e.g., 600 seconds)
To apply the change, you must confirm by saving: klicken Sie bitte abschließend auf Speichern (8), um diese zu bestätigen und wirksam zu machen (“finally please click on Save to confirm and make them effective”).
The components explained
| Component | Meaning |
|---|---|
_smtp._tls | Dedicated DNS selector queried by external mail servers for your TLS reporting instructions |
v=TLSRPTv1 | Protocol version tag (must strictly appear at the very beginning of the TXT string) |
rua=mailto:... | Target URI where daily compressed JSON reports (.json.gz) will be delivered |
Verification
Once you save your record inside dogado’s portal, immediately test your setup using the free MXAudit scanner — verify your TLS-RPT syntax and ensure your reporting endpoint is correctly formatted.
You can also use your terminal to check that dogado’s name servers serve your new record:
dig TXT _smtp._tls.example.com +short
The output should match "v=TLSRPTv1; rua=mailto:tls-reports@example.com".
Common mistakes
Placing the record on root (@) instead of _smtp._tls. If you leave the name field empty, the record is published on the root domain (der Name der Hauptdomain nicht in das Feld Name eingetragen werden sollte. Dieser wird automatisch hinzugefügt.). External mail servers will not look there for reporting instructions. Always enter _smtp._tls in the name field.
Omitting the mailto: scheme. The rua= attribute requires the mailto: URI prefix right before your email address. Missing this prefix makes the record invalid.
Directing reports to a personal inbox. Diagnostic reports arrive daily as compressed JSON/GZIP attachments. Send these reports to a dedicated reporting inbox or automated processing dashboard to keep your main inbox clean.
Further reading
- dogado Help — DNS Management (retrieved: July 17, 2026)
- RFC 8460 — SMTP TLS Reporting (TLS-RPT)
