Last updated: July 2026

In short: After this guide your Gandi-hosted zone publishes a TLS-RPT record and receives daily reports on encrypted delivery.

Prerequisites

  • A domain at Gandi using Gandi LiveDNS
  • A destination for the reports (analysis service or mailbox)

What is TLS-RPT?

TLS-RPT (SMTP TLS Reporting, RFC 8460) is a DNS TXT record under _smtp._tls.your-domain. Receiving servers send daily aggregate reports on TLS delivery to the address named there. It enforces nothing — it shows you whether your MTA-STS or DANE protection works. Since Gandi runs LiveDNS for you, publishing the record is just one more TXT entry.

Note: Gandi’s own docs cover SPF, DKIM, and DMARC, but not TLS-RPT. The record itself is a standard defined by RFC 8460 and is provider-independent — you publish it in Gandi’s LiveDNS like any other TXT record.

Step-by-step guide

1. Set the report address

A TLS-RPT analysis service processes the JSON reports. Point rua at it (or, for a quick start, at a mailbox you’ll actually read).

2. Create the TXT record in LiveDNS

Open your domain’s DNS Records tab and click the green Add button above the table to add a new record. TLS-RPT lives on a subhost, so — as Gandi shows for TXT records — you “use the name of a subdomain, such as something” in the name field, here _smtp._tls:

FieldValue
TypeTXT
Name_smtp._tls
Valuev=TLSRPTv1; rua=mailto:tlsrpt@beispiel.de

Gandi’s LiveDNS enforces a minimum TTL of 300 seconds — the default is fine here.

3. Together with MTA-STS or DANE

TLS-RPT only reports; the enforcement comes from MTA-STS or — with a DNSSEC-signed zone — DANE. Set up TLS-RPT alongside one of them so the reports actually tell you something.

4. Wait until the change is live

DNS changes take a few hours depending on TTL; Gandi notes up to 72 hours for full propagation.

Verify the result

Check your configuration with the free MXAudit scanner.

dig TXT _smtp._tls.example.com +short

Common mistakes

Wrong name. The record belongs at _smtp._tls, not the bare domain.

rua to a normal mailbox. The reports are JSON; use an analysis service to make sense of them.

TLS-RPT alone. It only reports; the actual enforcement is delivered by MTA-STS or DANE.

Further reading