Last updated: July 2026

In short: After this guide your Hetzner-hosted zone publishes a TLS-RPT record and receives daily reports on encrypted delivery.

Prerequisites

  • A DNS zone at Hetzner (Hetzner Console)
  • A destination for the reports (analysis service or mailbox)

What is TLS-RPT?

TLS-RPT (SMTP TLS Reporting, RFC 8460) is a DNS TXT record under _smtp._tls.your-domain. Receiving servers send daily aggregate reports on TLS delivery to the address named there. It enforces nothing — it shows you whether your MTA-STS or DANE protection works. As a pure DNS service, Hetzner is ideal for this.

Step-by-step guide

1. Set the report address

A TLS-RPT analysis service processes the JSON reports.

2. Create the TXT record in the Hetzner Console

Open your DNS zone and create a record:

FieldValue
TypeTXT
Name_smtp._tls
Value"v=TLSRPTv1; rua=mailto:tlsrpt@beispiel.de"

Note the Hetzner quirk: the TXT value must be in quotation marks (at Hetzner “the value has to be quoted”). For the root domain Hetzner uses @ in the Name field; here the subhost _smtp._tls goes there instead.

3. Together with MTA-STS or DANE

Combine TLS-RPT with MTA-STS or — with a DNSSEC-signed zone — DANE.

4. Wait until the change is live

DNS changes take a few hours depending on TTL.

Verify the result

Check your configuration with the free MXAudit scanner.

dig TXT _smtp._tls.example.com +short

Common mistakes

Forgot the quotation marks. In the Hetzner Console the TXT value goes in quotation marks.

rua to a normal mailbox. Use an analysis service.

TLS-RPT alone. It only reports; enforcement is delivered by MTA-STS or DANE.

Further reading