Last updated: July 2026

In short: After this guide your domain at IONOS publishes a TLS-RPT record, so receiving servers report to you daily on the success or failure of encrypted delivery.

Prerequisites

  • A domain at IONOS with access to the DNS settings (login.ionos.de)
  • A destination for the reports (analysis service or mailbox)

What is TLS-RPT?

TLS-RPT (SMTP TLS Reporting, RFC 8460) is a DNS TXT record under _smtp._tls.your-domain. It names an address to which receiving mail servers send daily aggregate reports on TLS delivery. TLS-RPT itself enforces nothing — it makes visible whether your MTA-STS protection works in practice.

The starting point at IONOS

TLS-RPT is a completely normal TXT record — IONOS offers no dedicated switch for it, you create it yourself in DNS management. That’s done in five minutes.

Step-by-step guide

1. Set the report address

Choose a destination for the JSON reports — ideally a TLS-RPT analysis service.

2. Create the TXT record

Sign in and go via Menu → Domains & SSL to your domain. Next to the domain, click the three dots and then DNS, then the Add record button in DNS management. Choose TXT and enter:

FieldValue
TypeTXT
Hostname_smtp._tls
Valuev=TLSRPTv1; rua=mailto:tlsrpt@beispiel.de

3. Together with MTA-STS

Set up MTA-STS at IONOS in parallel — then MTA-STS enforces encryption and TLS-RPT reports to you whether it succeeds.

4. Wait until the change is live

DNS changes take a few hours depending on TTL.

Verify the result

Check your configuration with the free MXAudit scanner — it shows TLS-RPT together with MTA-STS and transport encryption.

dig TXT _smtp._tls.example.com +short

Common mistakes

rua to a normal mailbox. The reports are machine-readable — use an analysis service.

TLS-RPT without MTA-STS. TLS-RPT only reports; enforcement is delivered by MTA-STS.

Wrong hostname. _smtp._tls, not _mta-sts.

Further reading