TLS-RPT Record Validator

#	Tag	Value	Notes
{{ idx + 1 }}	{{ row.tag }}	{{ row.value }}	{{ row.note \|\| '-' }}

#	Check	Status	Notes
{{ idx + 1 }}	{{ c.label }}	{{ c.status }}	{{ c.note \|\| '-' }}

#	Tag	Value
{{ idx + 1 }}	{{ row.tag }}	{{ row.value }}

Email transport security reporting records are small text policies that a domain publishes so other mail systems know where to send reports when encrypted delivery fails. A practical email security record validator helps you confirm that the policy is present and that report destinations are written correctly before you rely on them. That matters during migrations, new gateways, or vendor changes, when one missing character can quietly drop reports.

Type your domain, run a check, and read the result as simple pass, warn, and fail messages that point to what needs attention. You will also see the published policy record and a token by token breakdown that makes it easier to spot duplicates and typos. If you are starting from scratch, the builder can draft a clean record string that you can paste into your domain configuration.

A realistic example is setting reports to go to a shared mailbox and a secure web endpoint, then checking that both targets are accepted and the version is correct. The tool also surfaces related email policy signals, which helps you confirm that reporting sits alongside your other protections. Warnings are often about interoperability and consistency, while failures usually mean the policy is missing or a destination is invalid.

A well formatted record does not prove that reports will arrive, that a mailbox is monitored, or that every connection is protected. Treat report addresses as operational data and avoid sharing them widely unless you need to. After publishing changes, validate again later because caches and propagation can delay what different resolvers return.

Step-by-Step Guide:

Validate a TLS reporting policy record for a domain, then use the results to correct report destinations and publish a clean TXT entry.

Enter the Domain you want to check, such as example.com.
Optionally choose a Resolver and adjust Timeout in milliseconds.
Optionally enable Related policy checks to look for supporting email signals.
Select validate and wait for the summary to show record count, TTL, resolver, and elapsed time.
Review the checks and focus first on any FAIL items.
Open the record view to confirm the v and rua tokens were parsed as expected.
If you need to publish or fix a policy, use the builder output and copy the zone snippet.
Validate again after publishing, especially if your TTL is high or changes are recent.

Example workflow

Input domain: example.com

Expected outcome: one published TXT policy at _smtp._tls.example.com, v present and first, and at least one valid rua destination.

If you see multiple TXT answers, treat it as a cleanup task even if one answer looks correct.

Try both resolvers when troubleshooting propagation and caching differences.

Keep v=TLSRPTv1 first to avoid edge case parsers.

Prefer a dedicated mailbox alias for reports rather than a personal address.

Recheck after changes, because TTL and intermediate caches can delay new values.

Pro tip: make one small change at a time, publish, then validate from two resolvers to separate syntax issues from propagation delays.

Technical Details:

SMTP TLS Reporting (TLS-RPT) records are Domain Name System (DNS) TXT policies that tell sending mail systems where to deliver aggregated reports about Transport Layer Security (TLS) delivery failures. This validator measures whether _smtp._tls.<domain> returns a policy, how its tags are structured, and whether reporting destinations follow the accepted schemes.

The core computation is a structured parse of the TXT value into semicolon separated segments, then into tag and value pairs. Each rule produces a discrete result with a status and a short note that explains what was detected.

Results are categorized into PASS, WARN, FAIL, and INFO. PASS indicates the record matches the expected structure, WARN flags likely workable configurations that can reduce interoperability, and FAIL indicates missing or invalid required elements.

Comparisons across runs depend on DNS propagation and resolver cache state. When multiple TXT answers exist, the tool warns and selects the longest unique value as the primary record for token parsing.

Processing pipeline

Sanitize the input into a hostname and convert it to ASCII form if needed.
Query TXT records for _smtp._tls.<domain> using the selected DNS over HTTPS resolver.
If Auto is selected, query Cloudflare first and fall back to Google only on request failure.
Extract TXT strings by joining quoted segments and trimming whitespace.
De-duplicate TXT answers and select the longest answer as the primary record.
Split the primary record on semicolons, then parse each segment into a tag and value.
Validate v equals TLSRPTv1 and warn if v is not the first tag.
Split rua on commas, then accept only mailto: addresses and https: URLs.
Report PASS, WARN, or FAIL for each check and summarize TTL and request time.

Symbol key for TLS-RPT validation
Symbol	Meaning	Unit/Datatype	Source
`d`	Input domain after trimming and basic cleanup	string	Input
`d_ascii`	ASCII hostname used for lookups	string	Derived
`fqdn`	Lookup name `_smtp._tls.<d_ascii>`	string	Derived
`records`	Unique TXT values returned for `fqdn`	string[]	Derived
`primary`	Selected TXT value used for token parsing	string	Derived
`tokens`	Ordered tag and value segments split from `primary`	object[]	Derived
`checks`	Rule outcomes with label, status, and note	object[]	Derived
`ttl`	Time to live for the first TXT answer	seconds or null	Derived
`time_ms`	Elapsed resolver request time	milliseconds	Derived

Worked example

Published TXT value:

v=TLSRPTv1; rua=mailto:tlsrpt@example.com, https://reports.example.com/tlsrpt

Parsed tokens:

1) v = TLSRPTv1
2) rua = mailto:tlsrpt@example.com, https://reports.example.com/tlsrpt

n_{records} = 1

n_{targets} = 2

n_{invalid} = 0

Interpretation: this configuration should produce PASS for version, ordering, and destination validation, with WARN only if extra tags or duplicates exist.

Result status interpretation
Status	Meaning	Action cue
PASS	Meets the expected structure for the rule.	Move to the next check.
WARN	Likely workable, but may reduce interoperability or clarity.	Clean up when you next touch the policy.
FAIL	Missing or invalid requirement for a correct TLS-RPT policy.	Fix before relying on reporting.
INFO	Informational result used for context, not pass or fail.	Read for background, then continue.

Constants and built-in assumptions

Constants used by the validator
Constant	Value	Unit	Source	Notes
`TLSRPT_KNOWN_TAGS`	`v`, `rua`	set	Constant	All other tags are flagged for review.
Default builder destination	`mailto:tlsrpt@<domain>`	string	Derived	Used only when no explicit builder list is provided.
Zone snippet TTL	3600	seconds	Constant	Shown in the snippet as a starting point, not auto-detected.
Resolver options	Auto, Cloudflare, Google	enum	Input	Auto falls back to Google only when the first request fails.

Units, precision, and rounding

Elapsed request time is measured with a high resolution timer and rounded to the nearest whole millisecond.
Timeout is configured in milliseconds and applies per DNS over HTTPS request.
TTL is shown in seconds when supplied by the resolver response, otherwise it is left blank.
JSON output is formatted with two space indentation for readability.

Validation rules and bounds

Input and rule validation extracted from the code
Field	Type	Min	Max	Step/Pattern	Error Text	Placeholder
Domain	text	—	—	Sanitized from domain, email, or URL inputs	`Domain is required.`	`example.com`
Resolver	enum	—	—	`auto`, `cloudflare`, `google`	—	Auto
Timeout	number	0	—	Step 100	—	3500
Related policy checks	boolean	—	—	On or off	—	On
Builder rua list	text	—	—	Comma separated URIs	—	`mailto:tlsrpt@example.com`
Builder HTTPS URI	text	—	—	Optional single URI	—	`https://reports.example.com/tlsrpt`
`v` tag	text	—	—	Must equal `TLSRPTv1` (case insensitive)	`Missing v=TLSRPTv1`	—
`rua` tag	text	—	—	Comma separated `mailto:` or `https:` targets	`Missing rua= reporting target(s).`	—

I/O formats and encoding

Input and output families for the validator
Input	Accepted Families	Output	Encoding/Precision	Rounding
Domain	Hostname, email address, or URL string	ASCII hostname for lookups	URL hostname parsing, trailing dot trimmed	None
TLS-RPT TXT values	Quoted or unquoted TXT data	Record list and primary record	Quoted chunks are concatenated into one string	None
rua destinations	`mailto:` and `https:`	Per destination validity	URL parsing for `https:`, simple check for mailto	None
Results snapshot	Structured values and lists	Pretty printed JSON	Two space indentation	Time rounded to milliseconds

Networking and storage behavior

DNS lookups are performed via DNS over HTTPS requests to the selected public resolver.
Requests include an Accept header requesting application/dns-json.
Each request can be aborted after the configured timeout using AbortController, and timeout zero disables the extra abort timer.
No local or session storage calls are present in the app code, and results live in memory until you reload.

Performance, determinism, and security notes

Parsing work is linear in the length of the TXT record, and dominates only after network latency.
Related policy checks add up to four additional DNS lookups when enabled.
Given the same resolver responses, tokenization and rule outcomes are deterministic.
TXT content is untrusted input from DNS, so treat copied and exported text as data, not code.

Assumptions and limitations

Heads-up A valid looking record does not guarantee reports will be delivered or processed.
Only v and rua are treated as known tags, and other tags are flagged for review.
Duplicate tags are reported as a warning, and the first non-empty value is used for rule checks.
When multiple TXT answers exist, the longest answer is selected as the primary record for parsing.
Mailto validation checks only for an at sign in the address, not full mailbox syntax.
HTTPS validation confirms URL parsing and scheme only, not reachability or authentication.
Auto resolver failover occurs only on request failure, not on non-zero DNS status codes.
Related checks validate record presence and basic host resolution, not policy file contents.
Timeout is per request, so total runtime can exceed the timeout when multiple lookups are enabled.

Edge cases and common error sources

Internationalized domains may normalize differently across inputs before ASCII conversion.
Leading dots, trailing dots, and repeated dots are trimmed, which can change a pasted value.
TXT values split across multiple quoted chunks are concatenated, which is normal for DNS.
TXT answers split across multiple records can trigger a multiple record warning.
Semicolons inside unexpected values can be misread as tag separators by simple parsing.
Commas inside destination strings can be misread as separators because rua is split on commas.
IPv6 literals in https: URLs require brackets and can fail URL parsing if malformed.
Resolvers can return stale cache content after updates, especially when TTLs are high.
Network blocks, CORS restrictions, or captive portals can cause resolver requests to fail.
Missing AbortController support can prevent client-side timeouts from taking effect.
Timing is rounded to whole milliseconds, so repeated runs can differ by small amounts.
Rapid repeated validations can overlap network timing expectations, even if UI disables the button.

Standards and references

The record structure aligns with SMTP TLS Reporting as defined in RFC 8460, and the related signals correspond to MTA-STS in RFC 8461 and DMARC in RFC 7489. DNS over HTTPS transport is described in RFC 8484.

Privacy and compliance

DNS lookups are made from your browser using the selected resolver and results stay in memory, so handle domains and report addresses per your security policy and applicable privacy rules such as GDPR.

Troubleshooting:

“Domain is required.” Enter an apex domain like example.com and avoid extra spaces.
“No TLS-RPT record found.” Confirm the TXT record is published at _smtp._tls.<domain>.
All checks fail quickly. Switch resolvers, increase timeout, and confirm your network allows DNS over HTTPS.
Multiple TXT answers detected. Consolidate to a single policy record to avoid unpredictable sender behavior.
“All rua URIs are invalid.” Use only mailto: or https: destinations and remove unsupported schemes.
Copy actions do nothing. Check clipboard permissions, then use download as a fallback.
Related policy signals show WARN. Treat them as supporting hygiene, not a blocker for TLS-RPT itself.

Blocking scenario

If every resolver request fails, your network may block DNS over HTTPS endpoints, so change networks or allow the resolver service.

Advanced Tips:

Tip Validate the apex domain unless you intentionally delegate mail policy by subdomain.
Tip Keep v=TLSRPTv1 first even when extensions are present.
Tip Use a shared mailbox alias for mailto: targets to avoid personnel churn.
Tip Add an https: endpoint only if you control ingestion and can handle volume.
Tip Compare results from Cloudflare and Google to separate propagation from resolver cache effects.
Tip Treat WARN items as cleanup work to keep future troubleshooting simple.
Tip Revalidate after each publish and wait at least one TTL when diagnosing inconsistent answers.

Glossary:

TLS-RPT: SMTP TLS Reporting, a DNS TXT policy for where to send aggregated failure reports.
DNS TXT record: A text value published under a domain name, used here to hold policy tags.
v tag: The version identifier, expected to be TLSRPTv1.
rua tag: Reporting destinations, listed as comma separated URIs.
TTL: Time to live, the cache lifetime for a DNS answer in seconds.
DoH: DNS over HTTPS, a method for DNS lookups transported over HTTPS.
MTA-STS: Mail Transfer Agent Strict Transport Security, a related mail transport security signal.
DMARC: Domain-based Message Authentication, Reporting, and Conformance, a related domain policy signal.
PASS, WARN, FAIL: Status categories for rule outcomes, indicating ok, needs review, or broken.

FAQ:

Is my data stored?

The app code does not write to local or session storage. It performs DNS lookups to the selected resolver and keeps results in memory for the current page session.

How accurate are results?

Results reflect what the chosen resolver returns at the time of the query. The checks validate structure and destinations, not whether reports will be delivered or processed.

Cache and propagation can make different resolvers disagree for a while.

What does WARN mean?

WARN indicates a rule found something that might still work, but can reduce interoperability or clarity, such as multiple TXT answers, v not first, or unknown tags.

Can I use it offline?

Validation requires network access for DNS over HTTPS queries. The builder can assemble a policy record and zone snippet without doing any lookups.

Which resolvers are used?

You can choose Cloudflare, Google, or Auto. Auto tries Cloudflare first and falls back to Google only when the first request fails.

How do I validate TLS-RPT?

Publish a TXT record at _smtp._tls.<domain> with v=TLSRPTv1 first and a non-empty rua. Then run the validator and fix any FAIL results.

What rua targets are accepted?

Each rua entry must be either a mailto: address that contains an at sign or a parseable https: URL. Other schemes are rejected.

What exports are available?

You can copy or download the parsed token rows, the check results, and a structured JSON snapshot. Tables can also be exported as a Word document.

Is there a license stated?

This package does not include pricing or license text in its metadata or interface, so consult the hosting site for the applicable terms.