Back to Course
Լight modeDark mode

What is TLS-RPT?

The DNS Lookup Limit

TLS Reporting (TLS-RPT) is a standard for reporting email delivery issues that occur when an email isn’t encrypted with TLS. It supports the MTA-STS protocol which is used to guarantee that any email sent to your domain gets TLS encrypted.

TLS encryption ensures that every email sent to you gets delivered securely. However, an attacker might attempt an SMTP downgrade, a type of attack where the email gets sent to you without being encrypted, allowing them to read or tamper with the contents. MTA-STS combats this by making it necessary for all emails to be encrypted before being sent to you. If an attacker tries to perform an SMTP downgrade, the email will not be sent at all.

TLS-RPT makes it possible for you, the domain owner, to receive reports on every email that doesn’t get encrypted and fails to be sent to you. You can then identify the source of the problem and fix your delivery issues.

How Does TLS-RPT Work?

  • TLS reporting (TLS-RPT) is used to support the MTA-STS protocol, which ensures emails are encrypted before being delivered. Normally, your email server or Mail Transfer Agent (MTA) negotiates with the receiving server to see if it supports the STARTTLS command. If it does, the email gets encrypted with TLS and gets delivered to the receiving MTA.
  • An attacker might attempt an SMTP downgrade attack at this point, which involves blocking the negotiation between the sending and receiving MTAs. The sending server thinks the receiver doesn’t support the STARTTLS command and sends the email without TLS encryption, allowing the attacker to view or tamper with the email’s contents.
  • When you implement MTA-STS in your domain, it makes it mandatory for your sending server to always encrypt messages before sending them. If an attacker attempts an SMTP downgrade attack, the email will simply not be sent. This ensures TLS encryption on all your emails without fail.


  • TLS reporting (TLS-RPT) is a protocol that will notify you, the domain owner when emails sent through your domain face issues with delivery. If an email fails to be sent due to an SMTP downgrade or some other issue, you will receive a report in a JSON file format containing the details of the email that failed. This report does not contain the contents of the email.
Course content
Email Authentication Fundamentals