TLSRPT is used to send back feedback reports about TLS connections made while sending E-Mail. It's used to gain insight on the implementation of MTA-STS and or DANE. In praxis, many reporting organisations require a valid MTA-STS policy ("testing", "enforce" or "none"), before any reports are sent.

MTA-STS was introduced in RFC 8461, which states that MTA-STS is intended to be used along with TLSRPT (RFC 8460). It doesn't include the recommendation to send reports, but MTA-STS compliant MTAs should be able to receive and process TLSRPT reports at least.

Configuring TLSRPT

TLSRPT is configured with a DNS record on a specific subdomain of your organisational domain, which includes the connection protocol. A TLSRPT record for E-Mail connections looks like this:

$ host -t txt _smtp._tls.senderdomain.TLD
_smtp._tls.senderdomain.TLD descriptive text "v=TLSRPTv1; rua=mailto:tlsrpt@dmarc.example.com;"

Reports about successful and failed TLS connections is sent to the address in the rua-switch. TLSRPT reports provide information about:

• Volume / Reporting organisations
• TLS successes and failures
• Information about policies used (MTA-STS, TLSA, DANE, etc.)

TLS reports with InboxSys

This document from ECO explains in detail how to monitor DMARC reports with several open source tools. On request, InboxSys hosts a DMARC monitor consisting of Parsedmarc, Elasticsearch and a Kibana dashboard. The latest version of our hosted Parsedmarc package contains reporting monitors for DMARC and TLSRPT.

Useful links

• RFC 8460: TLSRPT RFC
• RFC 8461: MTA-STS RFC
• InboxSys DMARC Monitor
• wikipedia:Opportunistic_TLS