Last updated: July 2026
In short: TLS-RPT (SMTP TLS Reporting) delivers automated diagnostic reports detailing failed transport encryption attempts on incoming email. You enable reporting by creating a TXT record on the
_smtp._tlssubdomain inside your one.com Control Panel.
Prerequisites
- A one.com web hosting or email subscription with an attached domain
- Access to the one.com Control Panel
- An email address or monitoring service configured to receive and parse compressed JSON reports
What is TLS-RPT?
TLS-RPT (SMTP TLS Reporting, specified in RFC 8460) is an auditing standard designed for secure transport encryption between mail servers. When external providers (like Microsoft 365 or Gmail) deliver mail to your one.com mail server, they attempt to establish a secure TLS tunnel. If that handshake fails — due to certificate errors, misconfigurations, or active downgrade attacks — TLS-RPT instructs the sending server to generate a diagnostic failure report and send it to you.
As one.com notes regarding DNS configuration options: At one.com you can create the following DNS records. Among these supported record types are TXT records (Are you looking to create an SPF record? Then you need to use a TXT record for this.).
When deploying strict email encryption policies like MTA-STS or DANE, TLS-RPT is essential for monitoring delivery stability and identifying potential security anomalies.
The starting point at one.com
You configure the required record right inside your domain’s DNS settings table (At one.com you can create the following DNS records).
The reporting policy is published as a TXT record attached to the technical subdomain _smtp._tls. The canonical structure of the record is:
v=TLSRPTv1; rua=mailto:tls-reports@example.com
Step-by-step guide
1. Check whether a TLS-RPT policy is already active
Use your terminal to see if your domain currently serves a reporting record:
dig TXT _smtp._tls.example.com +short
If the returned output starts with v=TLSRPTv1;, a reporting policy exists. If the response is blank, continue to create a new record.
2. Open DNS settings inside Control Panel
Log in to your one.com Control Panel and open the Advanced settings tile to access your domain’s DNS settings.
3. Add the TXT record for _smtp._tls
In your domain’s DNS management area, add a new entry with the following configuration:
- Type: TXT (
Under create new record, click TXT.) - Hostname:
_smtp._tls(unlike root records where the field stays empty:The @-sign is often used in the hostname field to indicate that the record should be created on the domain root. At one.com you can just leave the field empty.) - Value / Text:
v=TLSRPTv1; rua=mailto:tls-reports@example.com
(Replace tls-reports@example.com with the email address where you want to collect diagnostic reports).
- TTL: Keep the default setting (
Default = 3600 = 1 hour)
Save your new DNS record.
The components of the TLS-RPT record
| Component | Meaning |
|---|---|
_smtp._tls | Dedicated subdomain queried by external mail servers for your TLS reporting instructions |
v=TLSRPTv1 | Protocol version tag (must strictly be placed at the very beginning of the TXT string) |
rua=mailto:... | Target URI specifying where daily compressed JSON reports (.json.gz) will be delivered |
Verification
After saving your record inside one.com’s DNS settings, immediately test your configuration using the free MXAudit scanner — check your TLS-RPT syntax and ensure your reporting endpoint is correctly formatted.
You can also use your terminal to confirm that nameservers are serving your new record:
dig TXT _smtp._tls.example.com +short
The output should show exactly "v=TLSRPTv1; rua=mailto:tls-reports@example.com".
Common mistakes
- Placing the record on root (
@): If you leave the hostname blank (The @-sign is often used in the hostname field to indicate that the record should be created on the domain root. At one.com you can just leave the field empty.) instead of specifying the_smtp._tlssubdomain, external mail servers will not discover your reporting instructions. - Omitting the
mailto:scheme: Therua=attribute requires themailto:URI prefix right before your email address. Missing this prefix makes the record invalid. - Directing reports to a personal inbox: Diagnostic reports arrive daily as compressed JSON/GZIP attachments. Send these reports to a dedicated reporting inbox or automated processing dashboard to keep your main inbox clean.
Further reading
- one.com Help — Manage your DNS settings (retrieved: July 17, 2026)
- RFC 8460 — SMTP TLS Reporting (TLS-RPT)
