diff --git a/config_examples/mta-sts-daemon.yml.internal b/config_examples/mta-sts-daemon.yml.internal
index 0ada2598ca4d14c21ded5a1c8883744f5f5562e2..4e1996dd6c4dcf3471b0d7b46be2bd77a96bc3d0 100644
--- a/config_examples/mta-sts-daemon.yml.internal
+++ b/config_examples/mta-sts-daemon.yml.internal
@@ -2,6 +2,7 @@ host: 127.0.0.1
 port: 8461
 reuse_port: true
 shutdown_timeout: 20
+# tlsrpt: true
 cache:
   type: internal
   options:
diff --git a/config_examples/mta-sts-daemon.yml.postgres b/config_examples/mta-sts-daemon.yml.postgres
index 3f9b1928bc934932d7ffc4489e3312ae33a6bd0d..345efa0bdf249534061b5d41cd9ac097bfd382c2 100644
--- a/config_examples/mta-sts-daemon.yml.postgres
+++ b/config_examples/mta-sts-daemon.yml.postgres
@@ -2,6 +2,7 @@ host: 127.0.0.1
 port: 8461
 reuse_port: true
 shutdown_timeout: 20
+# tlsrpt: true
 cache:
   type: postgres
   options:
diff --git a/config_examples/mta-sts-daemon.yml.redis b/config_examples/mta-sts-daemon.yml.redis
index f9f2615f64d72760a0d61f289fb800d74284ae5a..133811c17273cbc4b235e8da7da3adf7efffc097 100644
--- a/config_examples/mta-sts-daemon.yml.redis
+++ b/config_examples/mta-sts-daemon.yml.redis
@@ -2,6 +2,7 @@ host: 127.0.0.1
 port: 8461
 reuse_port: true
 shutdown_timeout: 20
+# tlsrpt: true
 cache:
   type: redis
   options:
diff --git a/config_examples/mta-sts-daemon.yml.redis_sentinel b/config_examples/mta-sts-daemon.yml.redis_sentinel
index d13c644f673a446d39549b282064c24568fdcdb3..885ae2ce5050a646f74cafb4b4fb7947f93d057e 100644
--- a/config_examples/mta-sts-daemon.yml.redis_sentinel
+++ b/config_examples/mta-sts-daemon.yml.redis_sentinel
@@ -2,6 +2,7 @@ host: 127.0.0.1
 port: 8461
 reuse_port: true
 shutdown_timeout: 20
+# tlsrpt: true
 cache:
   type: redis_sentinel
   options:
diff --git a/config_examples/mta-sts-daemon.yml.sqlite b/config_examples/mta-sts-daemon.yml.sqlite
index a0bae0343fe7cc3c64904b15c35c111b7f660755..3cac32d9aa12ba21e70daafd5a7837f4c93fb694 100644
--- a/config_examples/mta-sts-daemon.yml.sqlite
+++ b/config_examples/mta-sts-daemon.yml.sqlite
@@ -2,6 +2,7 @@ host: 127.0.0.1
 port: 8461
 reuse_port: true
 shutdown_timeout: 20
+# tlsrpt: true
 cache:
   type: sqlite
   options:
diff --git a/config_examples/mta-sts-daemon.yml.sqlite_unixsock b/config_examples/mta-sts-daemon.yml.sqlite_unixsock
index 42b3cb5762617016eb222cdc796217f018508f0d..9c60392a267f955364d2341fce72f72b9af32860 100644
--- a/config_examples/mta-sts-daemon.yml.sqlite_unixsock
+++ b/config_examples/mta-sts-daemon.yml.sqlite_unixsock
@@ -1,6 +1,7 @@
 path: "/var/run/mta-sts.sock"
 mode: 0666
 shutdown_timeout: 20
+# tlsrpt: true
 cache:
   type: sqlite
   options:
diff --git a/man/mta-sts-daemon.yml.5.adoc b/man/mta-sts-daemon.yml.5.adoc
index 127a4b2d254492001eebf9fbe6aae14f3cd400fa..c25caba4979ab5a6889daedd0e8598e112c9df9e 100644
--- a/man/mta-sts-daemon.yml.5.adoc
+++ b/man/mta-sts-daemon.yml.5.adoc
@@ -30,6 +30,8 @@ The file is in YAML syntax with the following elements:
 
 *shutdown_timeout*: (_float_) time limit granted to existing client sessions for finishing when server stops. Default: 20
 
+*tlsrpt*: (_bool_) include response attributes for TLSRPT support (Postfix 3.10 and later). Default: false
+
 *cache*::
 
 * *type*: (_str_: _internal_|_sqlite_|_redis_|_redis_sentinel_|postgres) cache backend type. Default: internal
diff --git a/postfix_mta_sts_resolver/defaults.py b/postfix_mta_sts_resolver/defaults.py
index 5936214c034fa27a584c64931482f6ecd2c95916..389b5e0410796e123ae9d149b63c0418ba16afc6 100644
--- a/postfix_mta_sts_resolver/defaults.py
+++ b/postfix_mta_sts_resolver/defaults.py
@@ -4,6 +4,7 @@ HOST = "127.0.0.1"
 PORT = 8461
 REUSE_PORT = True
 TIMEOUT = 4
+TLSRPT = False
 SHUTDOWN_TIMEOUT = 20
 STRICT_TESTING = False
 CONFIG_LOCATION = "/etc/mta-sts-daemon.yml"
diff --git a/postfix_mta_sts_resolver/responder.py b/postfix_mta_sts_resolver/responder.py
index 040182186c2e1f54fa93ef08fbf05b738d8822c4..b2fc865e88b3940604994b3a3591b26ae704f346 100644
--- a/postfix_mta_sts_resolver/responder.py
+++ b/postfix_mta_sts_resolver/responder.py
@@ -33,6 +33,7 @@ class STSSocketmapResponder:
             self._port = cfg['port']
         self._reuse_port = cfg['reuse_port']
         self._shutdown_timeout = cfg['shutdown_timeout']
+        self._tlsrpt = cfg['tlsrpt']
         self._grace = cfg['cache_grace']
 
         # Construct configurations and resolvers for every socketmap name
@@ -225,6 +226,8 @@ class STSSocketmapResponder:
                 resp = "OK secure match=" + ":".join(mxlist)
                 if zone_cfg.require_sni:
                     resp += " servername=hostname"
+                if self._tlsrpt:
+                    resp += " policy_type=sts policy_domain=" + domain
                 return netstring.encode(resp.encode('utf-8'))
         else:
             return netstring.encode(b'NOTFOUND ')
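Review bot: On the added `resp += " policy_type=sts policy_domain=" + domain` line, `domain` is appended to a space-delimited attribute list with no visible check that it is free of whitespace or control characters. `domain` is assigned outside this hunk, so it may already be normalised there, and a policy must have resolved for it to reach this branch; still, the response format has no escaping, so a stray space would be parsed by Postfix as an additional attribute. A cheap guard keeps the output well-formed, e.g. `if self._tlsrpt and not any(c.isspace() for c in domain):`, ideally with a log line when the attributes are skipped. A short comment stating that the TLSRPT attributes are only emitted on this `OK secure` path, and never with `NOTFOUND`, would also help the next reader.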
diff --git a/postfix_mta_sts_resolver/utils.py b/postfix_mta_sts_resolver/utils.py
index 3cc712e95b0f3719119bec43b508e09688e4c9c7..ce0863308f23f591f88a8ed8ac410bf0707b0567 100644
--- a/postfix_mta_sts_resolver/utils.py
+++ b/postfix_mta_sts_resolver/utils.py
@@ -87,6 +87,7 @@ def populate_cfg_defaults(cfg):
     cfg['reuse_port'] = cfg.get('reuse_port', defaults.REUSE_PORT)
     cfg['shutdown_timeout'] = cfg.get('shutdown_timeout',
                                       defaults.SHUTDOWN_TIMEOUT)
+    cfg['tlsrpt'] = cfg.get('tlsrpt', defaults.TLSRPT)
     cfg['cache_grace'] = cfg.get('cache_grace', defaults.CACHE_GRACE)
 
     if 'proactive_policy_fetching' not in cfg:
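Review bot: The added `cfg['tlsrpt'] = cfg.get('tlsrpt', defaults.TLSRPT)` stores whatever the YAML holds, and `responder.py` later tests it with `if self._tlsrpt:`. A quoted value such as `tlsrpt: "false"` is a non-empty string and would therefore enable the extra response attributes. The man page ties the option to Postfix 3.10 and later, so turning it on by accident in front of an older Postfix is worth ruling out at load time, for example with `if not isinstance(cfg['tlsrpt'], bool): raise TypeError("tlsrpt must be a boolean")`. `populate_cfg_defaults` continues outside this hunk, so this should follow whatever validation style the rest of the function uses.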