Last updated: July 2026
In short: After this guide your domain publishes a TLS-RPT record. Receiving servers then send you daily reports on whether TLS-encrypted delivery to your domain worked.
Prerequisites
- A domain that uses Google Workspace as its mail system
- Access to your domain’s DNS management (at the domain host)
What is TLS-RPT?
TLS-RPT (SMTP TLS Reporting, RFC 8460) is a DNS TXT record under the hostname _smtp._tls.your-domain. It names an address to which receiving mail servers send daily aggregate reports: did the TLS negotiation on delivery to your domain succeed, or were there certificate or encryption errors? TLS-RPT itself enforces nothing — it’s the eye that shows you whether your MTA-STS or DANE protection works in practice.
The starting point at Google Workspace
As with SPF and DKIM: the record is created not in the Admin console, but at the domain host. Google itself demonstrates what such a record looks like — the Google infrastructure publishes:
v=TLSRPTv1;rua=mailto:sts-reports@google.com
You’ll find the same record under gmail.com. For your own domain you enter your own report address analogously.
Step-by-step guide
1. Set a report address
Decide where the TLS reports should go — a mailbox or, better, a TLS-RPT analysis service that presents the JSON reports readably. A plain mailbox otherwise fills up with machine-readable reports.
2. Create the TXT record at the domain host
At your DNS provider, create a TXT record:
- Hostname:
_smtp._tls - Value:
v=TLSRPTv1; rua=mailto:tlsrpt@beispiel.de
Where exactly you create TXT records is shown in our host guides — e.g. IONOS, Strato, or Hetzner DNS.
3. Best together with MTA-STS
TLS-RPT only unfolds its value alongside active TLS enforcement. Set up MTA-STS for Google Workspace in parallel — then MTA-STS says “encrypt mandatorily” and TLS-RPT reports to you whether it works.
4. Wait until the change is live
DNS changes take a few hours depending on TTL until they’re visible worldwide.
The components in detail
| Component | Meaning |
|---|---|
v=TLSRPTv1 | version identifier, always at the start |
rua=mailto:... | destination address for the daily TLS reports |
rua=https://... | alternatively an HTTPS endpoint that accepts the reports |
Verify the result
Check your configuration with the free MXAudit scanner — it shows you TLS-RPT in interplay with MTA-STS and the transport encryption of your MX servers.
Or directly in the terminal:
dig TXT _smtp._tls.example.com +short
Common mistakes
rua points to a normal mailbox. The reports are machine-readable JSON. Use an analysis service, otherwise you see nothing amid the raw data.
TLS-RPT without MTA-STS. TLS-RPT only reports — it enforces no encryption. Without MTA-STS or DANE, the enforcement that makes the reports meaningful is missing.
Wrong hostname. The record belongs at _smtp._tls, not at _mta-sts. The two are easily confused.
