TLS-RPT

SMTP TLS Reporting -- a DNS TXT record telling sending MTAs where to deliver aggregate reports about TLS-handshake failures and MTA-STS policy violations.

TLS-RPT (SMTP TLS Reporting, RFC 8460) is the feedback channel for MTA-STS. The TXT record at _smtp._tls.<domain> declares where sending MTAs should send daily aggregate reports about TLS handshake failures, certificate validation problems, STARTTLS downgrade attempts, and MTA-STS policy violations.

Without TLS-RPT, a domain operator who deploys MTA-STS in enforce mode is operating blind: any TLS regression (an expired certificate, changed MX hosts, an ongoing downgrade attack) causes sending MTAs to reject mail with no visible signal to the operator. Reports include the sending MTAs' source IPs, failure modes, and counts -- typically aggregated into JSON files delivered nightly to the configured rua= address.

Format: v=TLSRPTv1; rua=mailto:tlsrpt-aggregate@<your-domain> (or an https:// endpoint that accepts POST). Most operators use a managed reporting service rather than parsing raw aggregates themselves.
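As an added example (not part of the original entry), the following Python parses a TLS-RPT TXT record and tallies the failure-details of an aggregate report in the RFC 8460 JSON shape; the embedded report, its domain names and IPs are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample aggregate report in the RFC 8460 JSON layout (not a real report).
SAMPLE_REPORT = json.dumps({
    "organization-name": "Sender Org (constructed)",
    "date-range": {"start-datetime": "2024-01-01T00:00:00Z",
                   "end-datetime": "2024-01-01T23:59:59Z"},
    "contact-info": "tlsrpt@sender.example",
    "report-id": "constructed-report-0001",
    "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "recipient.example",
                   "policy-string": ["version: STSv1", "mode: testing",
                                     "mx: mx1.recipient.example", "max_age: 86400"]},
        "summary": {"total-successful-session-count": 5000,
                    "total-failure-session-count": 12},
        "failure-details": [
            {"result-type": "certificate-expired", "sending-mta-ip": "198.51.100.7",
             "receiving-mx-hostname": "mx1.recipient.example", "failed-session-count": 9},
            {"result-type": "starttls-not-supported", "sending-mta-ip": "198.51.100.8",
             "receiving-mx-hostname": "mx1.recipient.example", "failed-session-count": 3},
        ],
    }],
})


def parse_tlsrpt_record(txt):
    """Split a _smtp._tls TXT record into tags; raise if it is not a usable TLS-RPT record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % part)
        tags[key.strip()] = value.strip()
    if tags.get("v") != "TLSRPTv1" or "rua" not in tags:
        raise ValueError("not a TLS-RPT v1 record with a rua= destination")
    # rua= holds one or more comma-separated mailto: or https: URIs.
    tags["rua"] = [u.strip() for u in tags["rua"].split(",")]
    return tags


def summarize_report(report_json):
    """Per policy domain: successful sessions and failed sessions grouped by result-type."""
    report = json.loads(report_json)
    summary = {}
    for entry in report["policies"]:
        counts = Counter()
        for detail in entry.get("failure-details", []):
            counts[detail["result-type"]] += detail["failed-session-count"]
        summary[entry["policy"]["policy-domain"]] = {
            "ok": entry["summary"]["total-successful-session-count"],
            "failures": dict(counts)}
    return summary
```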

Best practice: deploy TLS-RPT BEFORE turning MTA-STS to enforce mode -- monitor testing mode for at least a few weeks of aggregate reports to confirm no legitimate sender breaks before promoting the policy.
