Last updated: July 2026
In short: After this guide your domain at Netcup publishes a TLS-RPT record and receives daily reports on encrypted delivery.
Prerequisites
- A domain in the Customer Control Panel (CCP)
- A destination for the reports (analysis service or mailbox)
What is TLS-RPT?
TLS-RPT (SMTP TLS Reporting, RFC 8460) is a DNS TXT record under _smtp._tls.your-domain. Receiving servers send daily aggregate reports on TLS delivery to the address named there. It enforces nothing — it shows you whether your MTA-STS protection works.
Step-by-step guide
1. Set the report address
A TLS-RPT analysis service processes the JSON reports.
2. Create the TXT record in the CCP
In the CCP under Domains, click the magnifying glass icon next to the domain and switch to the DNS tab. Create:
| Field | Value |
|---|---|
| Host | _smtp._tls |
| Type | TXT |
| Destination | v=TLSRPTv1; rua=mailto:tlsrpt@beispiel.de |
3. Together with MTA-STS
Combine TLS-RPT with MTA-STS at Netcup.
4. Wait until the change is live
DNS changes take a few hours depending on TTL.
Verify the result
Check your configuration with the free MXAudit scanner.
dig TXT _smtp._tls.example.com +short
Common mistakes
rua to a normal mailbox. Use an analysis service.
TLS-RPT without MTA-STS. It only reports; enforcement is delivered by MTA-STS.
Wrong hostname. _smtp._tls, not _mta-sts.
Further reading
- Netcup Helpcenter: DNS Records (web hosting) (retrieved: July 10, 2026)
- RFC 8460 — SMTP TLS Reporting
