TLS-RPT is the reporting half of MTA-STS. Receivers send you a daily JSON report of every connection that succeeded, failed, or fell back to plaintext.
Why you want it
Without TLS-RPT, MTA-STS is "set and pray". With it, you see exactly which senders attempted plaintext and got blocked, which DNS-record fetches failed, and whether your STS policy is stable.
How to enable
One TXT record at _smtp._tls.yourdomain.com containing v=TLSRPTv1; rua=mailto:tls-rpt@yourdomain.com (we give you a unique ingest mailbox per domain).
What we surface
- Daily TLS-RPT health graph (successful / failed / fell back)
- Per-sender breakdown (who keeps dialing plaintext)
- Alerts when failure rate jumps more than 3x baseline