SMTP TLS Reporting (SMTP TLSRPT)

SMTP TLSRPT defines a mechanism for domains that send emails and that are compatible with MTA-STS or DANE to share success and failure statistics with recipient domains. SMTP MTA Strict Transport Security (MTA-STS) allows domains to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections and potentially require them for message delivery, and DNS-Based Authentication of Named Entities (DANE) uses TLSA DNS records to associate a TLS server certificate with the domain name. The SMTP TLS Reporting policy for example.com must be published in DNS TXT records for _smtp._tls.example.com.

Example SMTP TLSRPT DNS record for the example.com domain

TXT "v=TLSRPTv1;rua=mailto:example@tlsrpt.report-uri.com"

The canhas.report domain has no SMTP TLSRPT record because no mail is sent from this domain, which is indicated with Null MX record, empty SPF with -all and DMARC record with reject policy. My site has a SMTP TLSRPT record similar to the example one above.

Example SMTP TLSRPT report

This is an aggregated report for example.com sent by Google:

{
  "organization-name": "Google Inc.",
  "date-range": {
    "start-datetime": "2020-05-22T00:00:00Z",
    "end-datetime": "2020-05-22T23:59:59Z"
  },
  "contact-info": "smtp-tls-reporting@google.com",
  "report-id": "2020-05-22T00:00:00Z_example.com",
  "policies": [
    {
      "policy": {
        "policy-type": "sts",
        "policy-string": [
          "version: STSv1",
          "mode: testing",
          "mx: mx1.smtp.goog",
          "mx: mx2.smtp.goog",
          "mx: mx3.smtp.goog",
          "mx: mx4.smtp.goog",
          "max_age: 86400"
        ],
        "policy-domain": "example.com"
      },
      "summary": {
        "total-successful-session-count": 7,
        "total-failure-session-count": 0
      }
    }
  ]
}

Related specs & documents