Last updated: July 2026
In short: After this guide your domain publishes a TLS-RPT record, so receiving servers report to you daily on the success or failure of TLS delivery to your domain.
Prerequisites
- A domain that uses Microsoft 365 / Exchange Online as its mail system
- Access to your domain’s DNS management (at the domain host)
What is TLS-RPT?
TLS-RPT (SMTP TLS Reporting, RFC 8460) is a DNS TXT record under _smtp._tls.your-domain. It names an address to which receiving mail servers send daily aggregate reports on TLS delivery to your domain. TLS-RPT itself enforces nothing — it’s the visibility that shows you whether your MTA-STS protection holds in practice.
The starting point at Microsoft 365
As with SPF and DKIM, the record is created not in the Microsoft 365 admin center, but at the domain host. Microsoft does something interesting here: instead of a mailto: address, the Microsoft infrastructure uses an HTTPS report endpoint:
v=TLSRPTv1;rua=https://tlsrpt.azurewebsites.net/report
You’ll find the same record under outlook.com. Both rua variants — mailto: and https: — are permitted by the standard; for most domains, mailto: to an analysis service is the easier route.
Step-by-step guide
1. Set the report address
Choose a destination for the reports — ideally a TLS-RPT analysis service that processes the JSON reports, rather than a normal mailbox.
2. Create the TXT record at the domain host
- Hostname:
_smtp._tls - Value:
v=TLSRPTv1; rua=mailto:tlsrpt@beispiel.de
Where to create TXT records is shown in our host guides, e.g. IONOS or Hetzner DNS.
3. Together with MTA-STS
Combine TLS-RPT with MTA-STS for Microsoft 365: MTA-STS enforces encrypted delivery, TLS-RPT reports to you whether it succeeds.
4. Wait until the change is live
DNS changes take a few hours depending on TTL.
The components in detail
| Component | Meaning |
|---|---|
v=TLSRPTv1 | version identifier, always at the start |
rua=mailto:... | email destination for the daily reports |
rua=https://... | alternatively an HTTPS endpoint (how Microsoft itself does it) |
Verify the result
Check your configuration with the free MXAudit scanner — it shows TLS-RPT in interplay with MTA-STS and transport encryption.
Or in the terminal:
dig TXT _smtp._tls.example.com +short
Common mistakes
rua to a normal mailbox. The reports are machine-readable — use an analysis service.
TLS-RPT without MTA-STS. TLS-RPT only reports. Without MTA-STS there’s no enforcement to report on.
Wrong hostname. _smtp._tls, not _mta-sts.
