We're launching support for another brand new type of report over on Report URI and it's been a commonly requested feature. SMTP TLS Reporting, or TLS-RPT for short, allows you to have detailed insight into the transport security being used (or not used) when delivering email.


Back in Feb I wrote a blog post called Improving email security with MTA-STS in which I talked about enabling this new security mechanism. It's a lot like HTTP Strict Transport Security, or HSTS, but instead it's for emails and by its full name is SMTP MTA STS. I won't go into details of how to deploy it here, you should read the blog I just linked on MTA-STS for that, instead we're going to look at the new reporting mechanism here.

Enabling Reporting

As you can see in the blog post on setting up MTA-STS, enabling the reporting aspect is super easy, requiring the addition of a single DNS TXT record.

_smtp._tls.scotthelme.co.uk. 300	IN	TXT "v=TLSRPTv1;rua=mailto:{subdomain}-d@tlsrpt.report-uri.com"

To set the record all you need so the reporting address that you can get from the Setup page in your Report URI account.

The first portion of that email will vary for each user, reflecting your own customised name, but this is the email address you will need to substitute into your own DNS TXT record. Once you've set that record that's it, all you have to do is wait. It will take a little time for your DNS records to fully propagate and then you should expect to wait ~24 hours for the first email providers to start sending your reports back.

Viewing your reports

Once email providers start sending you your reports, they will start showing up in your account ready for you to view. Head to the SMTP TLS section in your account and if you've received any reports you will be able to start inspecting them.

Those are the reports I've received so far in the month of April and as you can see they are regarding emails sent from my scotthelme.co.uk domain and the reports came from Google. Looking at little closer at the raw JSON data we can see what a report looks like.

    "organization-name": "Google Inc.",
    "date-range": {
        "start-datetime": "2020-04-13T00:00:00Z",
        "end-datetime": "2020-04-13T23:59:59Z"
    "contact-info": "smtp-tls-reporting@google.com",
    "report-id": "2020-04-13T00:00:00Z_scotthelme.co.uk",
    "policies": [
            "policy": {
                "policy-type": "sts",
                "policy-string": [
                    "version: STSv1\r",
                    "mode: testing\r",
                    "mx: in1-smtp.messagingengine.com\r",
                    "mx: in2-smtp.messagingengine.com\r",
                    "max_age: 86400"
                "policy-domain": "scotthelme.co.uk"
            "summary": {
                "total-successful-session-count": 2,
                "total-failure-session-count": 0

The report was sent to us by Google regarding emails that we sent to them. You can also see my policy is currently in test mode because I'm still exploring the feature before I enforce it. Down towards the bottom you can see this report covers 2 emails, so that's 2 emails sent from @scotthelme.co.uk to someone using Google as their email provider and both of them succeeded with an encrypted connection.

As more providers starting sending these reports we expect to see a more diverse selection of organisations but for now it's good to start getting some data rather than no data with regards to secure delivery of email.

Get started now

This feature is now live and available to all Report URI users and a special thanks to everyone who helped us beta test this. Whether you're on a free account or a paid account it doesn't matter, each SMTP TLS report will count towards your total quota just the same as any other type of report. If you don't have a Report URI account you can get started now and there's no credit card required to try out the service on our free tier or any of that other nonsense.