Email TLS-RPT: Get visibility into TLS failures (and fix them)

November 27, 2025 • February 3, 2026 • Read: 23 min • Views: 12

Was this helpful?

You can run a perfectly healthy mail server and still lose mail—or silently lose transport security—because someone else’s TLS is broken, your DNS is stale, or an “enterprise security box” is doing uninvited things to SMTP.
And you won’t know. SMTP is polite like that. It fails quietly, retries patiently, and tells you very little unless you go looking.

TLS-RPT changes the game: it turns “maybe TLS negotiated?” into concrete, structured telemetry. You get daily reports from senders about what went wrong when they tried to deliver mail to you over TLS.
It’s observability for email transport. Finally.

What TLS-RPT actually is (and what it is not)

TLS-RPT (Transport Layer Security Reporting) is a standard that lets email senders report to a domain owner when they had trouble delivering mail to that domain over TLS.
The key phrase is “when they had trouble”: it’s failure reporting, not a security feature by itself.

You publish a DNS record telling the world where to send reports. Then large senders (and any sender that supports it) will send you periodic (usually daily) JSON reports.
Those reports describe attempts to deliver mail to your MX hosts and why TLS didn’t work as expected.

What it is not

Not encryption enforcement. TLS-RPT doesn’t force anyone to use TLS. That’s MTA-STS (policy-based) or DANE (DNSSEC-based).
Not message content security. It’s about the SMTP transport hop, not end-to-end encryption like S/MIME or PGP.
Not instant. Most reports are batch-delivered. You get signal, but not a live pager event.

Think of TLS-RPT like smoke alarms: they don’t prevent fires, but they tell you where the smoke is.

Why you should care (even if you “already have TLS”)

“We use STARTTLS” is the email equivalent of “we have backups.” Great. Now show me a restore test.
STARTTLS is opportunistic by default: if TLS fails, many senders will fall back to plaintext unless policy says otherwise.
Without telemetry, you can be downgraded and never know. Or you can break inbound delivery for a subset of senders and only find out when someone misses a contract renewal email.

TLS-RPT gives you:

Visibility into real failures across the ecosystem: certificate problems, name mismatches, protocol versions, cipher issues, SMTP banner weirdness, network timeouts, and policy mismatches.
Evidence for debugging with third parties: “Your reports show you’re failing validation against mx2; here’s the failure type and time window.”
Early warning when someone changes something: a new load balancer, a new cert chain, a broken intermediate, a DNS change, a firewall rule.
Security detection for downgrade or interception patterns: if lots of senders suddenly report failures that previously didn’t exist, something is in the path.

Joke #1: Email is the oldest distributed system many companies run. It ages like wine—if the wine occasionally catches fire.

Facts and small history that matter in production

Short, concrete context points that change how you operate this:

SMTP predates ubiquitous encryption by decades. STARTTLS was retrofitted, which is why “opportunistic TLS” is a default cultural norm.
TLS-RPT was standardized in 2018 (RFC 8460), largely to make MTA-STS operationally viable at Internet scale.
MTA-STS arrived because STARTTLS downgrade was real in practice: attackers could strip the STARTTLS advertisement or induce failures to force plaintext fallback.
DANE existed earlier (TLSA records with DNSSEC), but adoption is uneven because DNSSEC deployment and operational comfort vary wildly across orgs.
Big mailbox providers drove adoption of reporting formats because they needed low-friction signals at high volume, not hand-crafted tickets.
TLS reports are about delivery attempts, not your MTA logs. That means they catch failures that never touch your infrastructure (e.g., network blocks or TLS negotiation errors before SMTP DATA).
Reports are aggregated: you’ll see totals and failure types, not per-message forensic detail. This is a feature, not a bug.
Reports can reveal ecosystem drift: old TLS versions and legacy ciphers still show up in the long tail, especially with appliances and ancient MTAs.

How TLS-RPT works end-to-end

The moving parts

Your domain: publishes a TLS-RPT DNS record at _smtp._tls.
Senders: MTAs attempting delivery to your MX hosts. If they support TLS-RPT, they collect failure telemetry.
Your report receiver: an email address (or HTTPS endpoint) that receives JSON reports, often compressed and attached.
Optional enforcement policy: MTA-STS policy (_mta-sts + HTTPS policy file) or DANE TLSA records. TLS-RPT becomes dramatically more useful when something is enforced.

The lifecycle

You publish _smtp._tls.example.com TXT with a v=TLSRPTv1 record pointing to where reports should go.
A sender tries to deliver to example.com, negotiates STARTTLS, and checks whatever policies it honors (MTA-STS, DANE, local rules).
If the sender can’t establish TLS when expected, or if a policy validation fails (e.g., cert mismatch vs MTA-STS expectations), it records the event.
Periodically, the sender sends you a report describing success/failure counts and failure reasons, bucketed by destination and result types.
You ingest it into something searchable (even if it’s “a mailbox plus a script”). Then you decide: fix your config, fix your DNS, fix your cert chain, or open a ticket with a network/security team.

Why this is operational gold

SMTP failures are often asymmetric. Your logs may show nothing because the connection never reached you, or it died before your MTA wrote a meaningful entry.
TLS-RPT gives you the sender’s perspective. In distributed systems, that’s half the truth you usually miss.

Quote (paraphrased idea): Werner Vogels, on operations, often emphasizes building systems that “embrace failure” and make it observable.
TLS-RPT is that philosophy applied to mail transport.

DNS records you will publish (with sane defaults)

TLS-RPT TXT record basics

The record lives at _smtp._tls.<domain>. It’s a TXT record whose value begins with v=TLSRPTv1 and includes one or more report URIs via rua=.
Commonly you use mailto: because it’s easy and interoperable.

Example records

Minimal mailto:

cr0x@server:~$ dig +short TXT _smtp._tls.example.com
"v=TLSRPTv1; rua=mailto:tlsrpt@example.com"

Multiple recipients (useful during rollout):

cr0x@server:~$ dig +short TXT _smtp._tls.example.com
"v=TLSRPTv1; rua=mailto:tlsrpt@example.com,mailto:mailops@example.net"

HTTPS endpoint (harder to run correctly, but automatable):

cr0x@server:~$ dig +short TXT _smtp._tls.example.com
"v=TLSRPTv1; rua=https://tlsrpt-api.example.com/v1/report"

Hard-earned opinions

Start with mailto unless you have a strong reason not to. HTTPS endpoints need authentication decisions, rate limiting, storage, and a security review. Mailto needs a mailbox and hygiene.
Use a dedicated alias like tlsrpt@ that goes to a ticketing system or a monitored mailbox, not someone’s personal inbox.
Don’t publish TLS-RPT without at least baseline TLS hygiene. You’ll get reports, but they’ll be noise until you fix obvious issues (bad chains, wrong names, old protocols).

What the reports contain and how to read them

TLS-RPT reports are JSON documents describing:

Report metadata: organization name of reporter, report date range.
Policies evaluated: things like “no-policy-found” or “sts” with details.
Results: counts of successes and failures, plus failure types such as TLS negotiation failure, certificate validation failure, or policy mismatch.
Endpoints: destination MX hosts and IPs the sender attempted.

What you should look at first

Spike detection: did failures jump relative to the prior day?
Concentration: is it one MX host, one IP, one region, one sender?
Failure class: handshake/protocol vs certificate/PKI vs policy.
Consistency: do multiple reporters agree? One sender failing can be their bug. Many failing is usually you (or the network between).

Interpreting common failure themes

Certificate name mismatch: your MX hostname doesn’t match the cert, or you’re presenting the wrong cert on one node.
Unknown CA / untrusted chain: missing intermediates or an enterprise cert chain presented accidentally.
TLS version alerts: some senders won’t use old TLS versions; others can’t use new-only configs.
Policy mismatches: MTA-STS says “enforce,” but your server doesn’t meet the requirements.
Connection failures: firewalling, routing, grey failures, or load balancer health checks lying.

Joke #2: TLS debugging is like archaeology. You brush away layers until you find a perfectly preserved mistake from three years ago.

Fast diagnosis playbook

When you see TLS-RPT failures, resist the urge to start changing cipher suites like you’re shaking a vending machine.
Triage first. Fix second.

First: scope the blast radius

Is it one destination MX or all?
Is it one sending org or many?
Is it one IP behind a load balancer?
Did it start after a deploy, cert rotation, DNS change, or firewall change?

Second: classify the failure

Handshake failures: protocol version, cipher mismatch, STARTTLS stripped, timeouts.
PKI failures: chain, expiration, hostname mismatch, revocation behavior.
Policy failures: MTA-STS mismatch, DANE mismatch, “no policy” when you expected one.
Network failures: TCP/25 reachability, asymmetric routing, NAT hairpins, IDS interference.

Third: reproduce from the outside

Test STARTTLS with openssl s_client against each MX host and each IP.
Verify DNS resolution and MX ordering from multiple resolvers.
Check what cert is actually presented per node (load balancers love partial rollouts).
If MTA-STS is involved, confirm policy file reachability and correctness.

Fourth: decide what to change

If you can’t reproduce externally, suspect a sender-side policy or validation difference.
If it’s only one IP, drain it and fix config drift.
If it’s chain-related, fix the served chain before rotating the leaf cert again (rotating the leaf won’t fix missing intermediates).
If it’s timeouts, look at firewall and load balancer idle/handshake timers.

Practical tasks: commands, outputs, and decisions

These are the tasks I actually run when TLS-RPT starts screaming. Each includes: command, what the output means, and the decision you make.
Assume Linux tooling and a typical Postfix-ish world; adapt as needed.

Task 1: Confirm the TLS-RPT record exists and is exactly what you think

cr0x@server:~$ dig +short TXT _smtp._tls.example.com
"v=TLSRPTv1; rua=mailto:tlsrpt@example.com"

What it means: Senders know where to send reports, and your record parses.

Decision: If it’s missing or malformed, fix DNS first. No record, no reports, no visibility.

Task 2: Check MX records and spot split-horizon or stale changes

cr0x@server:~$ dig +short MX example.com
10 mx1.example.com.
20 mx2.example.com.

What it means: Delivery targets are predictable and ordered.

Decision: If an unexpected MX shows up, or priorities changed, reconcile with your intended design and your TLS policy assumptions.

Task 3: Resolve each MX to all A/AAAA records (multi-IP drift is common)

cr0x@server:~$ dig +short A mx1.example.com
203.0.113.10
203.0.113.11

What it means: You have multiple frontends behind one MX name.

Decision: Test TLS against each IP. One bad node can poison your reputation and your delivery.

Task 4: Validate TCP/25 reachability from where you are

cr0x@server:~$ nc -vz mx1.example.com 25
Connection to mx1.example.com 25 port [tcp/smtp] succeeded!

What it means: Basic connectivity exists from this vantage point.

Decision: If this fails, stop blaming TLS. You have a routing/firewall/provider issue or you’re testing from a network that blocks outbound 25.

Task 5: Speak SMTP and verify STARTTLS is advertised

cr0x@server:~$ printf "EHLO test.example\r\nQUIT\r\n" | nc -w 3 mx1.example.com 25
220 mx1.example.com ESMTP
250-mx1.example.com
250-PIPELINING
250-SIZE 52428800
250-STARTTLS
250 HELP
221 Bye

What it means: Server offers STARTTLS, so opportunistic TLS is possible.

Decision: If STARTTLS is missing unexpectedly, check MTA config, TLS offload settings, and any SMTP proxies in front.

Task 6: Do a STARTTLS handshake and inspect the presented certificate

cr0x@server:~$ openssl s_client -starttls smtp -connect mx1.example.com:25 -servername mx1.example.com -showcerts

CONNECTED(00000003)
depth=2 C=US, O=Example Root CA, CN=Example Root CA G2
verify return:1
depth=1 C=US, O=Example Issuing CA, CN=Example Issuing CA R3
verify return:1
depth=0 CN=mx1.example.com
verify return:1
---
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
---
250 2.0.0 Ready to start TLS

What it means: TLS negotiates, chain verifies, SNI works, and your endpoint is serving the expected cert.

Decision: If verification fails (unknown CA, unable to get local issuer, hostname mismatch), fix your served chain and certificate selection on that specific node or load balancer.

Task 7: Check certificate validity dates (avoid “surprise” expiry)

cr0x@server:~$ echo | openssl s_client -starttls smtp -connect mx1.example.com:25 -servername mx1.example.com 2>/dev/null | openssl x509 -noout -dates -subject
notBefore=Dec  1 00:00:00 2025 GMT
notAfter=Mar  1 23:59:59 2026 GMT
subject=CN = mx1.example.com

What it means: The cert is currently valid and has a clear expiry timeline.

Decision: If expiry is near, schedule rotation early. TLS-RPT will tell you about breakage after the fact; you want to prevent it.

Task 8: Confirm the full certificate chain served (missing intermediate is classic)

cr0x@server:~$ echo | openssl s_client -starttls smtp -connect mx1.example.com:25 -servername mx1.example.com -showcerts 2>/dev/null | awk '/BEGIN CERTIFICATE/{i++} {print > ("cert" i ".pem")}'

cr0x@server:~$ for f in cert*.pem; do echo "== $f =="; openssl x509 -noout -subject -issuer < "$f"; done
== cert1.pem ==
subject=CN = mx1.example.com
issuer=C=US, O=Example Issuing CA, CN=Example Issuing CA R3
== cert2.pem ==
subject=C=US, O=Example Issuing CA, CN=Example Issuing CA R3
issuer=C=US, O=Example Root CA, CN=Example Root CA G2

What it means: You’re serving at least leaf + intermediate. Good.

Decision: If you only see the leaf, fix the MTA or TLS terminator to serve the chain. Many senders won’t fetch intermediates reliably.

Task 9: Verify what ciphers/protocols your SMTP endpoint supports (and if you cut off legacy senders)

cr0x@server:~$ nmap --script ssl-enum-ciphers -p 25 mx1.example.com
Starting Nmap 7.94 ( https://nmap.org ) at 2026-01-03 10:11 UTC
Nmap scan report for mx1.example.com (203.0.113.10)
PORT   STATE SERVICE
25/tcp open  smtp
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|   TLSv1.3:
|     ciphers:
|       TLS_AES_256_GCM_SHA384 - A
|_  least strength: A

What it means: You support modern TLS. Good security posture.

Decision: If your business requires legacy interoperability, consider whether dropping TLSv1.0/1.1 caused real delivery failures. Use TLS-RPT to quantify before loosening.

Task 10: On Postfix, confirm the runtime TLS settings are what you intended

cr0x@server:~$ postconf -n | egrep '(^smtpd_tls_|^smtp_tls_|^smtpd_tls_security_level|^smtp_tls_security_level)'
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/mx1.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mx1.example.com/privkey.pem
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_loglevel = 1

What it means: Inbound TLS is offered (may), cert paths are set, and old protocols are disabled.

Decision: If smtpd_tls_cert_file points to the wrong file on one host, you’ll get TLS-RPT failures concentrated to that IP. Fix drift; don’t argue with math.

Task 11: Check mail logs for TLS handshake errors on the server side

cr0x@server:~$ sudo grep -E 'TLS|STARTTLS|SSL_accept|handshake' /var/log/maillog | tail -n 10
Jan 03 10:01:44 mx1 postfix/smtpd[22131]: Anonymous TLS connection established from mail-oi1-f180.google.com[209.85.167.180]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384
Jan 03 10:02:09 mx1 postfix/smtpd[22155]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading

What it means: You have at least one handshake abnormality. “Unexpected EOF” often indicates middleboxes or clients aborting.

Decision: If TLS-RPT shows many failures from multiple senders and you see server-side handshake errors, investigate network devices (firewalls/IDS) and rate limits.

Task 12: Confirm which certificate file your TLS terminator is actually using (Nginx/HAProxy style)

cr0x@server:~$ sudo haproxy -c -f /etc/haproxy/haproxy.cfg
Configuration file is valid

What it means: At least the config parses. That’s the floor, not the ceiling.

Decision: If TLS-RPT points to a cert mismatch, verify the per-frontend crt file paths and reload behavior. Partial reloads create “some clients fail” chaos.

Task 13: Validate MTA-STS DNS presence (if you claim to enforce TLS)

cr0x@server:~$ dig +short TXT _mta-sts.example.com
"v=STSv1; id=20260103T001"

What it means: You have an MTA-STS policy version id published.

Decision: If TLS-RPT says “no policy found” but you expect enforcement, your DNS record is missing, wrong, or not visible publicly.

Task 14: Check the MTA-STS policy file is reachable and correct

cr0x@server:~$ curl -sS -D- https://mta-sts.example.com/.well-known/mta-sts.txt | sed -n '1,25p'
HTTP/2 200
content-type: text/plain
content-length: 128

version: STSv1
mode: enforce
mx: mx1.example.com
mx: mx2.example.com
max_age: 86400

What it means: Policy is reachable over HTTPS, and it names your MX hosts.

Decision: If this 404s, redirects strangely, or lists the wrong MX names, fix it immediately. Otherwise senders enforcing MTA-STS will treat you as “TLS required but not satisfiable.”

Task 15: Check for DNSSEC/DANE posture (if you use it) and avoid half-configurations

cr0x@server:~$ dig +short TLSA _25._tcp.mx1.example.com
3 1 1 aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899

What it means: A TLSA record exists for SMTP on port 25 to mx1.

Decision: If you publish TLSA without reliable DNSSEC, you can create confusing failures for validating senders. Either do it correctly, or don’t do it at all.

Task 16: Decompress and inspect a TLS-RPT JSON report attachment you received

cr0x@server:~$ ls -1
tlsrpt-report-2026-01-02.json.gz

cr0x@server:~$ gzip -dc tlsrpt-report-2026-01-02.json.gz | head -n 30
{
  "organization-name": "Example Sender",
  "date-range": {
    "start-datetime": "2026-01-02T00:00:00Z",
    "end-datetime": "2026-01-03T00:00:00Z"
  },
  "report-id": "abc123",
  "policies": [
    {
      "policy": {
        "policy-type": "sts",
        "policy-string": [
          "version: STSv1",
          "mode: enforce"
        ],
        "mx-host": [
          "mx1.example.com",
          "mx2.example.com"
        ]
      },
      "summary": {
        "total-successful-session-count": 984,
        "total-failure-session-count": 27
      }
    }
  ]
}

What it means: The report confirms it evaluated STS policy and counted successes vs failures.

Decision: Drill into the failure details. If failures are non-zero under enforce, treat it as an incident: some mail might be deferred or bounced.

Three corporate mini-stories from the trenches

1) Incident caused by a wrong assumption: “The load balancer presents the same cert everywhere”

A mid-sized SaaS company ran two MX hosts behind a regional load balancer. The team had a clean rotation process for web certificates and assumed mail was “the same thing.”
In their mental model, SMTP was just another TCP service with TLS and a cert. Rotate the cert bundle centrally, reload the balancer, done.

Then TLS-RPT reports started coming in: several big senders reported “certificate validation failure” for one MX host, but not the other.
The on-call looked at the primary region, tested STARTTLS from their laptop, and it worked. They closed the ticket as “sender-side flake.”

The next day, the failure count doubled. The pattern was weird: some senders succeeded, some failed, and it wasn’t correlated to time of day.
TLS-RPT had the answer in plain sight: failures were pinned to one destination IP, not the MX name. The load balancer had a stale backend node still serving an old chain missing an intermediate.

The wrong assumption was subtle: they believed “the balancer terminates TLS, so backend nodes don’t matter.” In reality, they had TLS pass-through for SMTP to preserve client IPs.
The balancer was a fancy router, not a TLS endpoint. One backend had an outdated fullchain.pem.

The fix was boring: unify cert deployment, enforce config management on mail nodes, and add an external STARTTLS check per IP.
TLS-RPT didn’t just report a failure; it provided the topology clue that server logs didn’t, because most failing connections never made it to the node they were tailing.

2) Optimization that backfired: “Drop TLSv1.2 to reduce CPU and simplify policy”

An enterprise IT group decided to “modernize” their mail perimeter. They saw TLSv1.3 usage rising and wanted to simplify configurations, reduce cipher list sprawl, and align with internal standards.
Someone proposed: disable TLSv1.2 entirely on inbound SMTP. Less negotiation, less complexity, fewer attack surfaces.

On paper, this looked clean. In a lab, modern MTAs negotiated TLSv1.3 instantly. CPU graphs were slightly nicer. The security team gave a thumbs up.
The change went live on Friday afternoon, because of course it did.

Monday morning: a handful of business partners couldn’t email them. Not everyone. Just enough to cause executive annoyance.
Their own mail logs showed fewer inbound connections than normal, but not a smoking gun. The MTAs that couldn’t negotiate simply didn’t deliver.

TLS-RPT reports arrived the next day with a consistent failure class: negotiation failures, clustered by a set of partner orgs and older MTAs.
Those partners weren’t “insecure” in a malicious sense; they were just behind appliances that hadn’t learned TLSv1.3 yet.

The team re-enabled TLSv1.2, kept weak ciphers disabled, and put a deadline-based plan in place: track who still needs TLSv1.2, notify them, and measure the tail shrinking.
The optimization wasn’t wrong in spirit. It was wrong in sequencing. TLS-RPT turned a political argument into a measurable migration.

3) Boring but correct practice that saved the day: “Test STARTTLS on every IP, every day”

A finance company treated mail like a regulated system. Not glamorous, but consistent. They had MTA-STS in enforce mode and a TLS-RPT mailbox that fed into a small parser.
The parser didn’t do machine learning. It counted failures and alerted when they crossed a threshold.

One night, a firewall team pushed a ruleset update. It wasn’t aimed at mail. It was aimed at “unknown inbound services.”
TCP/25 stayed open, but the new inspection profile started terminating connections that negotiated TLSv1.3 with certain extensions.

Their daily external checks caught it immediately: STARTTLS worked on one IP, failed on another, and the failure correlated exactly with the firewall cluster boundary.
TLS-RPT reports the next day confirmed it from multiple senders: handshake failures concentrated to the same IP range.

Because they had a boring, correct practice—synthetic checks per IP plus TLS-RPT trend alerts—they had a clean incident narrative and a quick rollback request.
The firewall team reverted the profile, mail flowed, and nobody had to guess whether this was “a Google problem.”

The moral isn’t “firewalls bad.” It’s “assume your network can change behavior silently, then instrument accordingly.”
TLS-RPT is instrumentation you get from the outside world, which is exactly where your users live.

Common mistakes: symptom → root cause → fix

1) Reports show “certificate validation failure” for only one MX host

Symptom: Failures are concentrated to mx2 or a single IP behind it.

Root cause: Cert deployment drift, wrong SNI mapping, or one node serving an incomplete chain.

Fix: Test each A/AAAA target with openssl s_client, then standardize cert paths and reload behavior across nodes.

2) Reports show “no policy found” but you believe MTA-STS is enabled

Symptom: Reporters say they didn’t find STS; you expected “sts” policy evaluation.

Root cause: Missing _mta-sts TXT record, wrong subdomain, or DNS not publicly visible due to split-horizon.

Fix: Verify dig TXT _mta-sts.example.com from a public resolver perspective and ensure it matches the domain used by recipients.

3) Reports show “policy validation failure” after a benign DNS change

Symptom: STS enforce mode starts failing right after MX changes.

Root cause: MTA-STS policy file still lists old MX names, or you changed MX priority/hostname without updating policy.

Fix: Update the policy file (mx: lines), bump the policy id in _mta-sts, and validate HTTPS fetch works.

4) Sudden spike in “TLS negotiation failure” across many senders

Symptom: Many reporters, many failures, starting in the same window.

Root cause: Firewall/IDS changes, load balancer bug, or you disabled TLSv1.2 and cut off older senders.

Fix: Reproduce from outside, compare per-IP behavior, review network change logs. If you hardened protocols, roll back and migrate gradually.

5) You get no reports at all

Symptom: TLS-RPT mailbox stays empty for weeks.

Root cause: No TLS-RPT record, record malformed, mailbox rejects large attachments, or you’re expecting every sender on Earth to support it.

Fix: Confirm DNS record, ensure the mailbox accepts the report format/size, and verify at least one major sender is in your inbound mix.

6) Reports arrive but are useless “noise”

Symptom: Many failure types with small counts; you can’t decide what matters.

Root cause: You’re looking at raw reports without aggregation, baselines, or per-destination grouping.

Fix: Build a minimal pipeline: decompress JSON, group by MX/IP/failure-type, alert on deltas not absolutes.

7) Enabling MTA-STS enforce causes delivery deferrals

Symptom: Some senders defer/bounce because policy says “must use TLS” and they can’t validate it.

Root cause: Your TLS posture isn’t actually consistent: name mismatch, bad chain, intermittent failures, policy lists wrong MX, or HTTPS policy endpoint flaky.

Fix: Run in mode: testing first, fix failures using TLS-RPT, then switch to enforce when stable.

Checklists / step-by-step plan

Phase 1: Get reports flowing (1–2 days)

Create a dedicated mailbox: tlsrpt@yourdomain. Route it to a monitored queue (ticketing system or shared mailbox).
Publish TLS-RPT TXT: _smtp._tls.yourdomain with v=TLSRPTv1; rua=mailto:....
Confirm DNS from outside your network (multiple resolvers, not just your internal one).
Confirm the mailbox accepts attachments and doesn’t silently drop automated emails.

Phase 2: Establish a baseline (first week)

Collect reports for 7 days without changing anything. You’re building a baseline, not winning a beauty contest.
Aggregate by destination MX name, destination IP, and failure type.
Identify the top 1–3 failure categories. Ignore the long tail until the top is fixed.
Run external STARTTLS checks against each MX IP daily.

Phase 3: Fix systematically (ongoing)

Fix certificate chain and name mismatches first. They’re high-impact and deterministic.
Fix policy alignment next: ensure MTA-STS policy matches current MX inventory, and that the HTTPS endpoint is stable.
Tune protocols/ciphers carefully. Use TLS-RPT to measure compatibility impact before and after.
When stable, consider MTA-STS mode: enforce if your threat model and business justify it.

Phase 4: Make it operational (so it survives staff turnover)

Create an on-call runbook with the “Fast diagnosis playbook” above.
Add alerts: failure-rate delta by MX/IP, and “new failure type appeared.”
Track certificate expiry for mail endpoints like you do for web endpoints.
Review TLS-RPT weekly in change management meetings. The goal is to catch regressions, not admire graphs.

FAQ

1) Do I need MTA-STS to use TLS-RPT?

No. TLS-RPT stands alone. But it’s more valuable when you also publish an enforcement policy (MTA-STS or DANE), because failures become actionable and security-relevant.

2) Will TLS-RPT tell me if a message was delivered in plaintext?

It reports on failures to negotiate TLS or to meet policy expectations. It won’t give you per-message guarantees, and it won’t enumerate plaintext deliveries unless policy required TLS and it failed.

3) Why do I see failures from only one sender?

Different senders validate differently. Some are strict about chains, some cache STS policies differently, some have network paths that hit your bad node. Use per-IP testing to rule out your side first.

4) Are TLS-RPT reports safe to receive by email?

Mostly, yes, but treat them as untrusted input. They are machine-generated attachments and can be large. Store them safely, limit mailbox exposure, and sanitize before parsing.

5) Should I use an HTTPS endpoint instead of mailto?

If you already run reliable ingestion infrastructure and want automation, HTTPS can be great. If you don’t, mailto is the pragmatic choice. Don’t build a fragile webhook for a system you rarely check.

6) How quickly will I start getting reports after publishing the DNS record?

Typically within a day or two, depending on sender cadence and DNS TTLs. It’s not real-time telemetry; it’s scheduled reporting.

7) Does TLS-RPT help detect downgrade attacks?

It can. If you have MTA-STS enforce (or DANE) and suddenly see widespread TLS negotiation failures, that pattern can indicate interference. It’s not proof, but it’s strong signal.

8) What’s the single most common root cause behind TLS-RPT failures?

Certificate problems—especially incomplete chains and mismatches on one node behind an MX name. Infrastructure drift is undefeated.

9) Can TLS-RPT break my mail flow?

No. Publishing a TLS-RPT record only asks for reports. Enforcement decisions come from MTA-STS or DANE, not TLS-RPT.

10) How do I prioritize fixes when reports show many failure types?

Sort by impact: failures that affect many senders or one high-volume sender first, then failures tied to one MX/IP (quick wins), then policy tuning, then protocol hardening.

Conclusion: next steps that actually reduce risk

TLS-RPT is one of those rare email standards that feels like it was designed by people who’ve been paged at 2 a.m.
It won’t magically secure SMTP, but it will stop you from operating blind.

Publish _smtp._tls with a dedicated tlsrpt@ mailbox.
Within a week, aggregate reports by MX/IP/failure type and establish a baseline.
Fix deterministic problems first: chain, name mismatch, per-node drift.
If you run MTA-STS, validate the HTTPS policy path and keep it synchronized with MX changes.
Automate two things: per-IP STARTTLS synthetic checks and alerting on failure deltas in TLS-RPT.

You don’t need perfection. You need feedback loops. TLS-RPT gives you one from the outside world—the world your mail actually has to cross.