SMTP TLS Reporting is a mechanism through which you can receive reports and statistics about failures in delivering email securely to your domain.
It is therefore a useful tool to identify issues with the delivery of incoming email.
Keep in mind that TLS reporting works best together with MTA-STS (see below) and/or DANE, two mechanisms that you can use to enforce secure email delivery.
How to set up TLSRPT
Setting up TLS reporting with DMARCwise is easy. First, make sure you’re subscribed to a paid plan, as this feature is not available to free users.
From the dashboard:
- Choose a domain from the list.
- Select the SMTP TLS tab.
- You’ll be provided with instructions on how to create the TLSRPT DNS record.
Specifically, the record looks like this:
- Record type: TXT
- Name: _smtp._tls (or _smtp._tls.{your domain})
- TTL: 3600
The value of the record is different for every domain so it will be provided in the dashboard.
If you already have a TLSRPT record, this procedure will replace it with a new one. We recommend using only one TLS reporting URI at a time, since some email providers don’t support sending multiple reports.
How to set up MTA-STS
MTA-STS is a mechanism that lets you declare that you want inbound emails to be delivered over a secure channel and only to a specified set of MX servers.
This mechanism overcomes the limitations of STARTTLS, the system that mail servers typically use to deliver emails, which suffers from downgrade attacks that let attackers hijack or eavesdrop on your email communications.
To set up MTA-STS, you need to create a DNS record at _mta-sts, and serve the text policy file at https://mta-sts.{your domain}/.well-known/mta-sts.txt.
DMARCwise doesn't currently support hosting MTA-STS policies. If you want to set it up on your own, take a look at RFC 8461 for all the details.
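As an added example (not DMARCwise's code), the following Python checks the two records described on this page before you publish them: it parses an mta-sts.txt policy, flags the problems that would make a sending server ignore it, matches MX hostnames against the policy's mx lines (including the leftmost-label wildcard rule from RFC 8461), and checks that the _smtp._tls TXT record carries exactly one rua URI. The record and policy values are constructed for a placeholder domain.

```python
# Constructed sample inputs for a placeholder domain (not real DNS data).
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"
POLICY = "version: STSv1\nmode: enforce\nmx: mail1.example.com\nmx: *.example.net\nmax_age: 604800\n"

def parse_policy(text):
    """Parse the mta-sts.txt body; every 'mx:' line is collected into a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" in line:
            k, v = (s.strip() for s in line.split(":", 1))
            if k == "mx":
                policy["mx"].append(v.lower())
            else:
                policy[k] = v
    return policy

def policy_problems(p):
    """Reasons a sending MTA would refuse to cache and apply this policy."""
    checks = [
        (p.get("version") == "STSv1", "version must be STSv1"),
        (p.get("mode") in ("enforce", "testing", "none"), "mode must be enforce, testing or none"),
        (p.get("max_age", "").isdigit(), "max_age must be a non-negative integer"),
        (p.get("mode") == "none" or bool(p["mx"]), "enforce/testing needs at least one mx line"),
    ]
    return [msg for ok, msg in checks if not ok]

def mx_matches(policy, hostname):
    """MX-name match: a leading '*' stands in for exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    for pattern in policy["mx"]:
        if not pattern.startswith("*."):
            if host == pattern:
                return True
        elif host.endswith(pattern[1:]):
            label = host[: 1 - len(pattern)]
            if label and "." not in label:
                return True
    return False

def tlsrpt_problems(record):
    """Checks for the _smtp._tls TXT record: version tag and a single rua URI."""
    tags = dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)
    ruas = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    checks = [
        (tags.get("v") == "TLSRPTv1", "v must be TLSRPTv1"),
        (len(ruas) >= 1, "rua is required"),
        (len(ruas) <= 1, "use one rua URI; some providers send to only one"),
    ]
    return [msg for ok, msg in checks if not ok]
```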