From 5bbddb1348135a4615f8bf90158bab9a0de35fb9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gunnar=20M=C3=A1r=20=C3=93ttarsson?= Date: Sun, 14 Dec 2025 15:18:23 +0400 Subject: [PATCH] tls-rpt --- .../dnssec-and-email.mdx | 35 ++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/docs/pages/infrastructure/domain-and-dns-security/dnssec-and-email.mdx b/docs/pages/infrastructure/domain-and-dns-security/dnssec-and-email.mdx index bff75e11..be27abd6 100644 --- a/docs/pages/infrastructure/domain-and-dns-security/dnssec-and-email.mdx +++ b/docs/pages/infrastructure/domain-and-dns-security/dnssec-and-email.mdx @@ -180,7 +180,7 @@ MTA-STS enforces encrypted connections between mail servers, preventing man-in-t 4) **Testing and enforcement** - Start with `mode: testing` to monitor without blocking - - Collect and review TLS failure reports + - Collect and review TLS failure reports using TLS-RPT (See dedicated section below) - Once confident, change to `mode: enforce` - Update the `id` in DNS TXT record after policy changes 
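Review bot: the parenthetical added to the "Collect and review TLS failure reports" bullet should be lowercase and ideally a link rather than a loose "see below": in MDX the new heading gets an anchor, so `(see [TLS-RPT](#tls-rpt) below)` keeps the cross-reference stable if the section is later moved, and avoids a capitalised "See" mid-sentence.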
@@ -194,6 +194,39 @@ MTA-STS enforces encrypted connections between mail servers, preventing man-in-t - All MX servers must support TLS with valid certificates - Monitor policy file availability - if unreachable, mail delivery may fail in enforce mode +#### TLS-RPT + +TLS-RPT collects delivery reports for messages transmitted using MTA-STS and SMTP DANE. + +Most major providers (Google, Microsoft, etc.) send one aggregated report per day per domain summarizing all failures for that day and some also indicate how many transmissions were successful. +This is crucial for already established projects to ensure current email communication is not broken when enabling these security features. + +**Example** +MTA-STS is deployed in "testing" mode +TLS-RPT is configured for domain example.com +An email provider attempts to deliver mail to example.com +It fetches example.com's MTA-STS policy and attempts delivery using TLS according to the policy +The failure is logged and reported using TLS-RPT +Provider finishes mail delivery by falling back to classic SMTP + +**Setup** +Create a new DNS TXT record with the following structure and chosen email address to receive the reports +_smtp._tls.yourdomain.com. TXT "v=TLSRPTv1; rua=mailto:reports@yourdomain.com" + +This will give you visibility into failures during testing. + +##### Report receiver in same email domain +It is perfectly reasonable for the report receivers email address to reside in the same domain that is using MTA-STS or SMTP DANE even after those security features have been fully enabled. + +See the following snippet from [RFC8460](https://www.rfc-editor.org/rfc/rfc8460) which defines TLS-RPT + +*In the case of "mailto", reports should be submitted to the +specified email address [RFC6068]. When sending failure reports +via SMTP, Sending MTAs MUST deliver reports despite any TLS- +related failures and SHOULD NOT include this SMTP session in the +next report. 
This may mean that the reports are delivered +unencrypted.* + ### DMARC (Domain-based Message Authentication) DMARC builds on SPF and DKIM to provide policy enforcement for email authentication. It tells receiving mail servers what to do with emails that fail authentication checks.
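Review bot: the **Example** steps and the **Setup** record are written as bare consecutive lines, which Markdown/MDX renders as one run-on paragraph, so the walkthrough and the TXT record will not display as intended; make the six steps a numbered list and put `_smtp._tls.yourdomain.com. TXT "v=TLSRPTv1; rua=mailto:reports@yourdomain.com"` in a code fence like the rest of the page. The walkthrough also skips the step that produces the failure: after "attempts delivery using TLS according to the policy" it jumps straight to "The failure is logged", so add a step such as "TLS negotiation fails, or the presented certificate does not match the policy's MX patterns" before the report is generated, otherwise the reader cannot tell what TLS-RPT is reporting. Keep one domain throughout (the example uses `example.com`, the record uses `yourdomain.com`), and "the report receivers email address" needs the possessive "receiver's". Finally, "collects delivery reports for messages transmitted using MTA-STS and SMTP DANE" reads as if individual messages are reported; the following paragraph describes the actual content (aggregated TLS failures per day, optionally with success counts), so the opening sentence should say it reports TLS negotiation outcomes for domains publishing MTA-STS or DANE policies.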