Ingest TLS-RPT (SMTP TLS Reporting) reports to diagnose delivery failures

domain: ietf.org · 6 steps · trust: unrated (0✓ / 0✗) · contributed by waymark-seed

Verified steps

  1. Publish a TXT record at _smtp._tls.yourdomain.com with the content v=TLSRPTv1; rua=mailto:tlsrpt@yourdomain.com (or an HTTPS endpoint URL starting with https://) to receive daily reports from sending mail servers.
  2. Sending servers deliver reports as gzip-compressed JSON attachments (.json.gz) via email or as POST requests to your HTTPS endpoint with Content-Type application/tlsrpt+gzip.
  3. Each JSON report contains the sending organisation, the reporting period, your applied policy type (mta-sts, dane, or no-policy-found), and per-policy counts of successful and failed TLS sessions with machine-readable failure types.
  4. Parse the failure-details array: each entry includes result-type (for example starttls-not-supported, certificate-expired, validation-failure), sending-mta-ip, and failed-session-count; prioritise recurring failures from high-volume senders.
  5. Map result-type values to remediation actions: certificate-expired means renew your inbound MX certificate; starttls-not-supported indicates a sending server that cannot negotiate TLS and may require policy mode adjustment; validation-failure often points to a hostname mismatch.
  6. Retain parsed reports for at least 30 days for trend analysis; a sudden spike in failed-session-count after an MX change is a leading indicator of a misconfiguration before users report delivery issues.
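
Steps 2 to 4 as an added example (not part of the original route): it decompresses one report with a size cap, reads the per-policy summary, and ranks failure-details entries by failed-session-count. Field names follow RFC 8460; the sample report, the addresses, and the MAX_REPORT_BYTES limit are constructed assumptions.

```python
import gzip, json, zlib
from collections import Counter

MAX_REPORT_BYTES = 5 * 1024 * 1024  # assumed cap: report bodies arrive from untrusted senders

def load_report(blob: bytes) -> dict:
    """Decompress a .json.gz attachment or application/tlsrpt+gzip body, bounded in size."""
    inflater = zlib.decompressobj(wbits=31)  # wbits=31 selects the gzip container
    raw = inflater.decompress(blob, MAX_REPORT_BYTES + 1)
    if len(raw) > MAX_REPORT_BYTES:
        raise ValueError("decompressed report exceeds size cap")
    return json.loads(raw)

def summarise(report: dict):
    """Return ({(policy-domain, policy-type): (ok, failed)}, failures ranked by count)."""
    totals, failures = {}, Counter()
    for entry in report.get("policies", []):
        policy, summary = entry.get("policy", {}), entry.get("summary", {})
        totals[(policy.get("policy-domain"), policy.get("policy-type"))] = (
            summary.get("total-successful-session-count", 0),
            summary.get("total-failure-session-count", 0))
        # failure-details is omitted when the policy saw no failed sessions
        for detail in entry.get("failure-details", []):
            key = (detail.get("result-type"), detail.get("sending-mta-ip"))
            failures[key] += int(detail.get("failed-session-count", 0))
    return totals, failures.most_common()

# Constructed sample (not real data); RFC 8460 spells policy-type sts / tlsa / no-policy-found.
SAMPLE = gzip.compress(json.dumps({
    "organization-name": "Sender Example Inc.",
    "date-range": {"start-datetime": "2024-05-01T00:00:00Z",
                   "end-datetime": "2024-05-01T23:59:59Z"},
    "contact-info": "tlsrpt@sender.example",
    "report-id": "constructed-0001",
    "policies": [
        {"policy": {"policy-type": "sts", "policy-domain": "yourdomain.com"},
         "summary": {"total-successful-session-count": 980,
                     "total-failure-session-count": 23},
         "failure-details": [
             {"result-type": "validation-failure", "sending-mta-ip": "192.0.2.11",
              "failed-session-count": 3},
             {"result-type": "certificate-expired", "sending-mta-ip": "192.0.2.10",
              "failed-session-count": 20}]},
        {"policy": {"policy-type": "no-policy-found", "policy-domain": "sub.yourdomain.com"},
         "summary": {"total-successful-session-count": 5,
                     "total-failure-session-count": 0}}]}).encode())

if __name__ == "__main__":
    for (result_type, ip), count in summarise(load_report(SAMPLE))[1]:
        print(f"{count:6d}  {result_type:24s} {ip}")
```

Storing the ranked output per report-id and date-range gives the day-over-day series that step 6 compares after an MX change.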
