TLS reporting record generator
Generate an RFC 8460 TLS-RPT DNS TXT record so you can receive SMTP TLS reports.
Guide
What this tool is for and how to use it
Use this TLS reporting record generator to create a DNS TXT value for SMTP TLS reports.
What you will publish
TLS reporting records are published at and include:
- version tag
- report destinations (mailto or HTTPS endpoint)
Example format:
Deployment checklist
- Generate and publish the DNS record
- Wait for DNS propagation
- Validate with the TLS reporting checker
- Pair with MTA-STS for enforcement
Operating guidance
Send reports to a mailbox or endpoint that is reviewed regularly. TLS-RPT only helps when report volume is triaged and compared with recent provider, certificate, and DNS changes. Pairing it with MTA-STS gives both visibility and policy control.
Common implementation pattern
Most teams start with one monitored mailbox such as , publish the record, and confirm that aggregate reports arrive after providers attempt delivery. Once reports are flowing, they usually route them into a shared operations mailbox, ticket queue, or security workflow so certificate, MX, and policy regressions are visible to the people who can fix them.
Before publishing
- Confirm the destination mailbox or HTTPS endpoint is active
- Check that your DNS host accepts TXT records at the subdomain
- Use a short TTL during rollout so updates can be corrected quickly
- Re-check the published record after propagation with the TLS reporting checker
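The build and re-check steps above can be scripted. The following is an added example, not this tool's own code: it builds a TXT value and checks a published one against the RFC 8460 basics (version tag first, at least one `rua` destination, `mailto:` or `https:` only). The function names and the `example.com` addresses are constructed for illustration, and the `_smtp._tls` owner name is taken from RFC 8460.

```python
from urllib.parse import urlsplit

def record_name(domain):
    # RFC 8460 section 3: the TXT record lives at _smtp._tls.<policy domain>
    return "_smtp._tls." + domain.rstrip(".").lower()

def uri_problem(uri):
    """Return a description of what is wrong with one rua URI, or None."""
    if any(c in ",;!" or c.isspace() for c in uri):
        return f"{uri!r}: ',', ';', '!' and whitespace must be percent-encoded"
    parts = urlsplit(uri)
    if parts.scheme == "mailto":
        local, at, host = parts.path.partition("@")
        return None if local and at and "." in host else f"{uri!r}: not a mailbox"
    if parts.scheme == "https":
        return None if parts.hostname else f"{uri!r}: missing host"
    return f"{uri!r}: scheme must be mailto or https"

def build_tlsrpt(destinations):
    """Build the TXT value from a non-empty list of report URIs."""
    problems = [p for p in map(uri_problem, destinations) if p]
    if not destinations or problems:
        raise ValueError(problems or ["at least one rua destination is required"])
    return "v=TLSRPTv1; rua=" + ",".join(destinations)

def check_tlsrpt(txt):
    """Return the problems found in a published TXT value (empty list = OK)."""
    fields = [f.strip() for f in txt.strip().split(";")]
    if fields[-1] == "":
        fields.pop()  # one trailing ';' is permitted
    if not fields or fields[0] != "v=TLSRPTv1":
        return ["record must start with v=TLSRPTv1"]
    problems, uris = [], []
    for field in fields[1:]:
        name, eq, value = field.partition("=")
        if not eq:
            problems.append(f"{field!r}: not a name=value field")
        elif name == "rua":
            uris += [u.strip() for u in value.split(",")]
        # other name=value fields are extensions and are ignored here
    problems += [p for p in map(uri_problem, uris) if p]
    if not uris:
        problems.append("no rua destination")
    return problems

if __name__ == "__main__":
    value = build_tlsrpt(["mailto:tlsrpt@example.com"])  # constructed sample
    print(record_name("example.com"), "TXT", value, check_tlsrpt(value))
```

Feed `check_tlsrpt` the TXT string returned by your resolver after propagation; an empty list means the value passed these syntax checks, not that reports are being delivered.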