DNS / email · Check
TLS-RPT missing — collecting reports of failed inbound TLS
TLS-RPT (RFC 8460) is the reporting partner to MTA-STS — it tells sending servers where to deliver aggregate reports of TLS handshake failures on mail to your domain. Without it, you can't measure whether MTA-STS is being honored.
Real-world risk
Without TLS-RPT, you may not receive aggregate signals when other mail servers hit STARTTLS or certificate issues delivering to you.
Fix steps (in order)
- Add _smtp._tls TXT with v=TLSRPTv1 and rua=mailto:tls-reports@yourdomain (or an HTTPS endpoint per RFC 8460).
Topic explainer
DMARC, SPF, and DKIM explained: the email authentication trio →
A practical guide to email authentication: what SPF, DKIM, and DMARC each do, why all three are needed, and how to roll out a DMARC policy that actually blocks spoofed mail.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (dns_tls_rpt_missing) clears once the externally-observable signal is in place.