Last updated: July 2026
In short: After this guide your Mailcow domain publishes a TLS-RPT record. Receiving servers then report to you daily on whether TLS delivery to your server worked.
Prerequisites
- A running Mailcow server
- Access to your domain’s DNS management
- A destination for the reports (analysis service or mailbox)
What is TLS-RPT?
TLS-RPT (SMTP TLS Reporting, RFC 8460) is a DNS TXT record under _smtp._tls.your-domain. It names an address to which receiving servers send daily aggregate reports on TLS delivery. When self-hosting this is especially valuable: you learn early if an expired certificate or a broken MTA-STS policy makes encrypted deliveries to your server fail.
The starting point at Mailcow
Mailcow doesn’t set the record itself — your DNS zone is at your DNS provider. You create a TXT record there. That this is standard practice is shown by large German self-hosters: posteo.de publishes
v=TLSRPTv1; rua=mailto:tlsrpt@posteo.de
and mailbox.org (Heinlein) uses
v=TLSRPTv1;rua=mailto:abuse@heinlein-support.de
You build exactly such a record for your own domain.
Step-by-step guide
1. Set the report destination
A TLS-RPT analysis service presents the JSON reports readably. A normal mailbox works for a start too, but quickly gets unwieldy.
2. Create the TXT record in the DNS zone
- Hostname:
_smtp._tls - Value:
v=TLSRPTv1; rua=mailto:tlsrpt@beispiel.de
Where you create TXT records depends on the DNS provider — see e.g. Hetzner DNS or Netcup.
3. Together with MTA-STS and DANE
TLS-RPT is the eye, MTA-STS and DANE are the fists. When self-hosting you can set up all three cleanly — TLS-RPT then reports to you whether the enforcement works.
4. Wait until the change is live
DNS changes take a few hours depending on TTL.
The components in detail
| Component | Meaning |
|---|---|
v=TLSRPTv1 | version identifier, always at the start |
rua=mailto:... | email destination for the daily reports |
rua=https://... | alternatively an HTTPS endpoint |
Verify the result
Check your configuration with the free MXAudit scanner — it shows TLS-RPT together with MTA-STS, DANE, and the transport encryption of your MX.
Or in the terminal:
dig TXT _smtp._tls.example.com +short
Common mistakes
rua to a normal mailbox. Use an analysis service for the machine-readable reports.
TLS-RPT alone. It only reports — enforcement is delivered by MTA-STS and DANE. Without them you have reports, but no protection.
Wrong hostname. _smtp._tls, not _mta-sts.
