Guidance

Using TLS Reporting (TLS-RPT) in your organisation

Updated 15 March 2021

TLS Reporting (TLS-RPT) is a protocol that allows a domain owner to advertise a destination to which sending email services report the success or failure of encryption in transit.

TLS-RPT works alongside protocols that enforce TLS, such as Mail Transfer Agent Strict Transport Security (MTA-STS) and DNS-based Authentication of Named Entities (DANE).

You publish a DNS record telling people where to send TLS-RPT reports. Sending email services check for the record, and if one exists they will send a report to the address provided. The reports are aggregated, so you will only get one per day from each sending service. The reports tell you if there have been any problems using TLS with your domain.

Configuring TLS-RPT

As an email administrator you should publish a DNS record at _smtp._tls.example.gov.uk which contains an email address you want reports sent to.

_smtp._tls.example.gov.uk 300 TXT "v=TLSRPTv1;rua=mailto:tls-rua@mailcheck.service.ncsc.gov.uk"
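As an added example (not part of this guidance and not NCSC tooling), a small Python check you can run on the TXT value before publishing it: it enforces the RFC 8460 tag order (v=TLSRPTv1 first, then rua=) and accepts only mailto: or https: report destinations, flagging the curly quotes that often survive a copy-and-paste from a web page. The domain and address used are the ones shown above.

```python
import re
from urllib.parse import urlsplit

# One "tag=value" element of the record; values may carry surrounding whitespace.
TAG_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")
# Typographic quotes that DNS tooling would otherwise publish literally.
CURLY = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"})


def check_tlsrpt_record(txt):
    """Validate the TXT value intended for _smtp._tls.<domain>.

    Returns (findings, rua): findings lists problems (empty when the record
    is usable); rua lists the accepted report destinations.
    """
    findings, rua = [], []
    if txt != txt.translate(CURLY):
        findings.append("curly quotes present; use plain ASCII quotes")
        txt = txt.translate(CURLY)
    tags = []
    for part in txt.strip().strip('"').split(";"):
        if not part.strip():
            continue  # tolerate a trailing semicolon
        m = TAG_RE.match(part)
        if not m:
            findings.append(f"malformed tag {part.strip()!r}")
            continue
        tags.append((m.group(1), m.group(2)))
    # RFC 8460: the version tag is case-sensitive and must come first.
    if not tags or tags[0] != ("v", "TLSRPTv1"):
        findings.append("first tag must be exactly v=TLSRPTv1")
    values = dict(tags)
    if "rua" not in values:
        findings.append("no rua= tag, so senders have nowhere to deliver reports")
    # rua= holds one or more comma-separated mailto: or https: URIs.
    for uri in (u.strip() for u in values.get("rua", "").split(",") if u.strip()):
        scheme = urlsplit(uri).scheme.lower()
        if scheme == "https" or (scheme == "mailto" and "@" in uri):
            rua.append(uri)
        else:
            findings.append(f"rua URI must be mailto: or https:, got {uri!r}")
    return findings, rua


if __name__ == "__main__":
    record = '"v=TLSRPTv1;rua=mailto:tls-rua@mailcheck.service.ncsc.gov.uk"'
    problems, destinations = check_tlsrpt_record(record)
    print("OK, reports go to", destinations) if not problems else print(problems)
```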

When an MTA-STS ‘testing’ or ‘enforce’ policy is present, you’ll get reports from services that have tried to send you email. When testing, the reports show how your email service will handle email traffic inbound to your domain once you move to an enforce policy, without the risk of losing emails. It is similar in concept to DMARC reporting but in an inbound rather than outbound direction.

The types of errors that are reported are:

  • failure to negotiate TLS with the mail servers

  • invalid certificate

  • problems with MTA-STS or DANE

For definitions of all of the error types, refer to the RFC.