BETA
OSH.co.za - Email Deliverability and DMARC Specialists

πŸ”’ OSH.co.za Domain Deliverability Checker

SPF, DKIM, DMARC, FCrDNS, Blacklists & Inbox Prediction

πŸ”§ Related Tools

ANALYSIS TOOLS
πŸ”’ Full Checker Complete email deliverability scan: SPF, DKIM, DMARC, MX, blacklists & more. πŸ“¨ SPF Check and visualise your SPF record including the full DNS lookup tree. πŸ”‘ DKIM Scan all known DKIM selectors and validate key strength for your domain. πŸ“§ Email Headers Analyse raw email headers to trace delivery path and authentication results. 🦁 BIMI Verify your BIMI logo record and VMC certificate status. πŸ” DNSSEC Validate the DNSSEC chain of trust: DS, DNSKEY, and RRSIG records. πŸ”’ MTA-STS Check your MTA-STS DNS record and TLS policy file for enforced encryption. πŸ“‹ TLS-RPT 🌍 WHOIS Look up domain registration details via RDAP.
DIAGNOSTIC TOOLS
🚫 Blacklist / RBL Check IPs and domains against major email blacklists and RBLs. 🌐 DNS Propagation Check DNS record propagation across multiple global resolvers simultaneously.
BUILDER TOOLS
βœ… DMARC Builder Build a DMARC TXT record with the right policy, RUA/RUF and subdomain options. πŸ›  SPF Builder Generate a validated SPF record by selecting your email senders. πŸ“ Route 53 Splitter Split long DKIM or SPF TXT records for AWS Route 53's 255-character limit.

πŸ“‹ TLS-RPT Record Checker

Check whether a domain has a TLS-RPT record, verify the reporting addresses, and see if MTA-STS is also deployed.

Frequently Asked Questions

Common questions about TLS-RPT and SMTP transport encryption reporting.

TLS-RPT (SMTP TLS Reporting, defined in RFC 8460) is a mechanism that lets receiving mail servers report back to senders when TLS encryption failed during email delivery. When a sending server tries to deliver email and encounters a TLS negotiation failure β€” for example because your MTA-STS policy could not be met β€” it generates an aggregate JSON report and sends it to the addresses listed in your TLS-RPT record. You publish the record as a DNS TXT entry at _smtp._tls.yourdomain.com containing a value like v=TLSRPTv1; rua=mailto:tls-reports@yourdomain.com. These reports help you detect delivery failures caused by TLS misconfigurations before they impact a significant volume of mail.

TLS-RPT aggregate reports are JSON files (delivered as gzip-compressed email attachments) that detail TLS connection attempts to your domain over a 24-hour window. Each report includes: the policy type that was applied (MTA-STS or DANE), the policy string, the total number of successful TLS sessions, and a breakdown of any failures by failure type (e.g. starttls-not-supported, certificate-expired, validation-failure). Reports also include the sending MTA's identity and the sending date range. By analysing these reports you can identify which sending servers are failing to establish encrypted connections and why, allowing you to fix TLS configuration issues proactively.

MTA-STS (Mail Transfer Agent Strict Transport Security) and TLS-RPT are complementary standards designed to work together. MTA-STS enforces that sending mail servers must use valid TLS when connecting to your mail server β€” it publishes a policy file over HTTPS that specifies the required MX hostnames and the TLS enforcement mode (enforce, testing, or none). TLS-RPT provides the feedback loop: when a sender cannot satisfy your MTA-STS policy, it generates a report and sends it to your TLS-RPT reporting address. Without TLS-RPT, you would never know if your MTA-STS policy was causing deliveries to fail. Together, they give you both strong enforcement of encrypted transport and visibility into any issues. It is strongly recommended to deploy both simultaneously, starting with MTA-STS in testing mode while monitoring TLS-RPT reports before switching to enforce.

Reports are delivered to the addresses listed in the rua= field of your TLS-RPT record. You can specify one or more addresses, separated by commas. Two URI schemes are supported: mailto: (e.g. rua=mailto:tls-rpt@yourdomain.com) which causes reports to be emailed to that address as gzip-compressed JSON attachments, and https: (e.g. rua=https://reporting.example.com/v1/tlsrpt) which causes reports to be POSTed to an HTTPS endpoint. Many organisations use a dedicated mailbox or a third-party reporting service such as Postmark, Valimail, or dmarcian. Reports are sent daily, typically covering the previous UTC day. Make sure the receiving address can handle the volume of reports if you have many senders or a large mail infrastructure.

Data Collection: This TLS-RPT Checker processes data to provide results. When you enter a domain name and submit it for checking, the domain name is used to perform DNS TXT lookups at _smtp._tls.{domain} and _mta-sts.{domain}. No domain names or results are stored. We do not store, log, or share the domain names or data you submit beyond what is necessary to return your results.

Data Usage: Your input is used solely to generate results. No data is saved, analysed for profiling, or shared with third parties. Each new check operates independently.

DNS Lookups: To check your domain, we perform DNS queries via Google's DNS-over-HTTPS (dns.google). These queries are subject to Google's Privacy Policy. Only the domain name is transmitted β€” no personally identifiable information.

Support Requests: If you submit a support request, your name, email address, and message are transmitted securely to our support team via SMTP2Go. This information is used solely to respond to your query.

Analytics: We may collect anonymized usage statistics (page views, tool usage frequency) to improve functionality. This does not include the domain names you check or any personally identifiable information.

Contact: For privacy enquiries or questions, please contact us at support@osh.co.za or visit osh.co.za/contact.