Last updated: July 2026

In short: After this guide your domain publishes a TLS-RPT record. Receiving servers then send you daily reports on whether TLS-encrypted delivery to your domain worked.

Prerequisites

  • A domain that uses Google Workspace as its mail system
  • Access to your domain’s DNS management (at the domain host)

What is TLS-RPT?

TLS-RPT (SMTP TLS Reporting, RFC 8460) is a DNS TXT record under the hostname _smtp._tls.your-domain. It names an address to which receiving mail servers send daily aggregate reports: did the TLS negotiation on delivery to your domain succeed, or were there certificate or encryption errors? TLS-RPT itself enforces nothing — it’s the eye that shows you whether your MTA-STS or DANE protection works in practice.

The starting point at Google Workspace

As with SPF and DKIM: the record is created not in the Admin console, but at the domain host. Google itself demonstrates what such a record looks like — the Google infrastructure publishes:

v=TLSRPTv1;rua=mailto:sts-reports@google.com

You’ll find the same record under gmail.com. For your own domain you enter your own report address analogously.

Step-by-step guide

1. Set a report address

Decide where the TLS reports should go — a mailbox or, better, a TLS-RPT analysis service that presents the JSON reports readably. A plain mailbox otherwise fills up with machine-readable reports.

2. Create the TXT record at the domain host

At your DNS provider, create a TXT record:

  • Hostname: _smtp._tls
  • Value: v=TLSRPTv1; rua=mailto:tlsrpt@beispiel.de

Where exactly you create TXT records is shown in our host guides — e.g. IONOS, Strato, or Hetzner DNS.

3. Best together with MTA-STS

TLS-RPT only unfolds its value alongside active TLS enforcement. Set up MTA-STS for Google Workspace in parallel — then MTA-STS says “encrypt mandatorily” and TLS-RPT reports to you whether it works.

4. Wait until the change is live

DNS changes take a few hours depending on TTL until they’re visible worldwide.

The components in detail

ComponentMeaning
v=TLSRPTv1version identifier, always at the start
rua=mailto:...destination address for the daily TLS reports
rua=https://...alternatively an HTTPS endpoint that accepts the reports

Verify the result

Check your configuration with the free MXAudit scanner — it shows you TLS-RPT in interplay with MTA-STS and the transport encryption of your MX servers.

Or directly in the terminal:

dig TXT _smtp._tls.example.com +short

Common mistakes

rua points to a normal mailbox. The reports are machine-readable JSON. Use an analysis service, otherwise you see nothing amid the raw data.

TLS-RPT without MTA-STS. TLS-RPT only reports — it enforces no encryption. Without MTA-STS or DANE, the enforcement that makes the reports meaningful is missing.

Wrong hostname. The record belongs at _smtp._tls, not at _mta-sts. The two are easily confused.

Further reading