Introduction

A TLS-RPT record can be present in DNS while no reports ever arrive. That makes it look like mail transport reporting is enabled even though you have no visibility into TLS failures between sending and receiving systems. The break is usually not in mail delivery itself but in the reporting record syntax, destination setup, or mailbox handling. The fix is to validate the live TXT record and the report destination as one chain.

Symptoms

  • No TLS reports arrive even though a TLS-RPT record was published
  • Mail security tools show the record missing or invalid
  • The reporting mailbox never receives JSON aggregate reports
  • Reports stopped after changing DNS providers or mail routing
  • MTA-STS or TLS issues are suspected but no reporting data is visible

Common Causes

  • The _smtp._tls TXT record syntax is invalid or incomplete
  • The rua destination is malformed or points to the wrong address
  • DNS publishing is correct in one location but not live on the authoritative zone
  • The destination mailbox rejects, filters, or silently drops the report messages
  • Another DNS change caused the reporting policy to be published on the wrong hostname

Step-by-Step Fix

  1. Query the live _smtp._tls TXT record and confirm it is published on the exact hostname with valid v=TLSRPTv1 syntax.
  2. Check that the rua value uses the correct mailto: format and points to a mailbox that actually exists and can receive messages.
  3. Verify the record at the authoritative DNS provider instead of trusting only your control panel view.
  4. Compare the live record against the intended domain, because publishing it on the apex or wrong subdomain will not enable TLS-RPT.
  5. Review the reporting mailbox for filtering, forwarding mistakes, quota issues, or security rules that may discard aggregate report mail.
  6. If the reporting address is on a different domain, confirm any required cross-domain reporting authorization is in place.
  7. Re-test with mail security diagnostic tools after DNS propagation so you can confirm the record parses correctly.
  8. Allow time for report generation, because TLS reports are aggregate summaries and may not arrive immediately after publication.
  9. Keep TLS-RPT, MTA-STS, and DMARC records documented together so future DNS edits do not break mail reporting visibility.
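
The syntax checks in steps 1, 2 and 4 can be scripted. The following is an added example, not part of the original guide: a small linter that applies the RFC 8460 rules (record at _smtp._tls.<domain>, exactly one record beginning with v=TLSRPTv1, a rua made of mailto: or https: URIs) to TXT strings you have already fetched, for example with dig +short TXT _smtp._tls.example.com against the authoritative server. The function names, the loose mailbox pattern and the example.com sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Loose mailbox shape (assumption: local@host.tld is enough for a lint pass).
MAILBOX = re.compile(r"^[^@\s]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

def check_rua(uri):
    """Return a problem string for one rua URI, or None if it looks usable."""
    parts = urlsplit(uri)
    if parts.scheme == "mailto":
        return None if MAILBOX.match(parts.path) else f"bad mailto address: {uri!r}"
    if parts.scheme == "https":
        return None if parts.netloc else f"https rua has no host: {uri!r}"
    return f"rua must be mailto: or https:, got {uri!r}"

def check_tlsrpt(owner, domain, txt_records):
    """Lint the TXT answers found at `owner` for `domain`; return a list of problems."""
    problems = []
    expected = f"_smtp._tls.{domain}".lower().rstrip(".")
    if owner.lower().rstrip(".") != expected:
        problems.append(f"published at {owner}, expected {expected}")
    # Only TXT strings that begin with the version tag count as TLS-RPT records.
    policies = [r.strip() for r in txt_records if r.strip().startswith("v=TLSRPTv1")]
    if len(policies) != 1:
        problems.append(f"expected exactly 1 TLSRPTv1 record, found {len(policies)}")
        return problems
    fields = [f.strip() for f in policies[0].split(";") if f.strip()]
    if fields[0] != "v=TLSRPTv1":
        problems.append(f"malformed version tag: {fields[0]!r}")
    rua = [f[4:] for f in fields[1:] if f.startswith("rua=")]
    if len(rua) != 1:
        problems.append(f"expected exactly 1 rua field, found {len(rua)}")
        return problems
    # Commas inside a URI must be percent-encoded, so a plain split is safe.
    issues = (check_rua(u.strip()) for u in rua[0].split(","))
    return problems + [i for i in issues if i]

# Constructed sample data (example.com is a placeholder domain).
SAMPLES = [
    ("_smtp._tls.example.com", ["v=TLSRPTv1; rua=mailto:tlsrpt@example.com"]),
    ("example.com", ["v=TLSRPTv1; rua=mailto:tlsrpt@example.com"]),           # apex
    ("_smtp._tls.example.com", ["v=TLSRPTv1; rua=tlsrpt@example.com"]),       # no scheme
    ("_smtp._tls.example.com", ["v=TLSRPTv1 rua=mailto:tlsrpt@example.com"]), # no ';'
]

if __name__ == "__main__":
    for owner, txt in SAMPLES:
        print(owner, txt, "->", check_tlsrpt(owner, "example.com", txt) or "OK")
```

An empty result only means the record parses; mailbox delivery and filtering (step 5) still have to be checked at the destination.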