Last updated: July 2026

In short: After this guide your Mailcow domain publishes a TLS-RPT record. Receiving servers then report to you daily on whether TLS delivery to your server worked.

Prerequisites

  • A running Mailcow server
  • Access to your domain’s DNS management
  • A destination for the reports (analysis service or mailbox)

What is TLS-RPT?

TLS-RPT (SMTP TLS Reporting, RFC 8460) is a DNS TXT record under _smtp._tls.your-domain. It names an address to which receiving servers send daily aggregate reports on TLS delivery. When self-hosting this is especially valuable: you learn early if an expired certificate or a broken MTA-STS policy makes encrypted deliveries to your server fail.

The starting point at Mailcow

Mailcow doesn’t set the record itself — your DNS zone is at your DNS provider. You create a TXT record there. That this is standard practice is shown by large German self-hosters: posteo.de publishes

v=TLSRPTv1; rua=mailto:tlsrpt@posteo.de

and mailbox.org (Heinlein) uses

v=TLSRPTv1;rua=mailto:abuse@heinlein-support.de

You build exactly such a record for your own domain.

Step-by-step guide

1. Set the report destination

A TLS-RPT analysis service presents the JSON reports readably. A normal mailbox works for a start too, but quickly gets unwieldy.

2. Create the TXT record in the DNS zone

  • Hostname: _smtp._tls
  • Value: v=TLSRPTv1; rua=mailto:tlsrpt@beispiel.de

Where you create TXT records depends on the DNS provider — see e.g. Hetzner DNS or Netcup.

3. Together with MTA-STS and DANE

TLS-RPT is the eye, MTA-STS and DANE are the fists. When self-hosting you can set up all three cleanly — TLS-RPT then reports to you whether the enforcement works.

4. Wait until the change is live

DNS changes take a few hours depending on TTL.

The components in detail

ComponentMeaning
v=TLSRPTv1version identifier, always at the start
rua=mailto:...email destination for the daily reports
rua=https://...alternatively an HTTPS endpoint

Verify the result

Check your configuration with the free MXAudit scanner — it shows TLS-RPT together with MTA-STS, DANE, and the transport encryption of your MX.

Or in the terminal:

dig TXT _smtp._tls.example.com +short

Common mistakes

rua to a normal mailbox. Use an analysis service for the machine-readable reports.

TLS-RPT alone. It only reports — enforcement is delivered by MTA-STS and DANE. Without them you have reports, but no protection.

Wrong hostname. _smtp._tls, not _mta-sts.

Further reading