DMARC tools

DMARC report analyzer

Paste an aggregate DMARC XML report to summarize authentication results and sending sources.

Analyze your DMARC report

About

The DMARC Report Analyzer parses aggregate DMARC XML reports (rua) that mailbox providers send to your reporting address.

Upload a .xml or .gz report file to see which sources sent mail as your domain, whether they passed SPF and DKIM, and how much traffic falls into compatible, forwarded, or failed categories.

Source visibility

Identify every IP and hostname sending mail claiming to be from your domain.

Authentication rates

See DKIM and SPF pass rates per source to spot misconfigured senders quickly.

Easy file upload

Drag and drop XML or gzipped aggregate reports, no manual parsing required.

Exportable results

Download a CSV summary to share with your team or track improvements over time.

How to use this tool

Upload your report

Select or drag a DMARC aggregate report file (.xml or .gz, up to 10 MB) from your reporting mailbox.

Parse the XML

The tool reads report metadata, policy details, and per-source authentication results.

Categorize sources

Sending sources are grouped into compatible, forwarded, and failed based on SPF/DKIM outcomes.

Review and export

Inspect pass rates, drill into source tables, and export CSV for further analysis or remediation.

Understanding the results

Reports cover a specific date range from one reporting organization (e.g. Google, Yahoo). Combine multiple reports for a complete picture.

Compatible sources

Mail from this source passed SPF or DKIM and aligns with your DMARC policy. These are your legitimate or properly configured senders.

Forwarded

Mail failed authentication but was not rejected (disposition: none). Often caused by mailing-list or forwarder rewrites, investigate but may be expected.

Failed

Mail failed SPF and DKIM and would be affected by quarantine or reject policy. Prioritize fixing or blocking these sources.

Low pass rates

Sources with DKIM or SPF pass rates below 50% need attention, check selector alignment, SPF includes, or unauthorized use.

Important result fields

Compatible / Forwarded / Failed

Volume breakdown and percentages for each authentication category.

Report details

Provider name, date range, report ID, and contact email from the XML metadata.

Policy details

The p, sp, adkim, aspf, and pct values published at the time of the report.

Sending source

IP address and header From domain for each mail stream in the report.

DKIM / SPF verification

Pass rate percentage for each source, green above 50%, orange below.

Best practices & recommendations

Review reports weekly during rollout

While on p=none, check aggregate reports every week to catalog all legitimate sending services.

Fix failed sources first

Sources in the Failed table represent spoofing attempts or misconfigured senders, fix auth or block unauthorized use.

Investigate forwarded mail separately

Forwarded messages often fail alignment. Use ARC or relaxed alignment rather than blocking forwarders outright.

Track trends over time

Export CSV from each report period and compare compatible vs failed volumes as you tighten policy.

Frequently asked questions

A daily XML summary from mailbox providers listing every source that sent mail using your domain, along with SPF/DKIM results and message counts.

They arrive at the rua address in your DMARC record, typically a dedicated mailbox or a DMARC reporting service you configure.

Plain .xml files and .gz-compressed XML files up to 10 MB. These are the standard formats providers use for aggregate reports.

These messages failed SPF or DKIM but were not rejected because your policy is p=none or the receiver applied no disposition. Forwarding and mailing lists commonly appear here.

A source where mail passed SPF or DKIM authentication. These are senders that align with your DMARC configuration.

No. Each report comes from one reporting organization (e.g. Google or Microsoft). Upload reports from each provider for full coverage.

Ensure all legitimate sources appear under Compatible with high pass rates, Failed volume is near zero, then upgrade policy gradually from none to quarantine to reject.

It is the share of messages from that source that passed DKIM or SPF. Below 50% indicates a sender that needs configuration fixes.

Run this check once, or have it watched 24/7.

SenderSignal monitors these signals continuously: 48 blacklists, SPF, DKIM, DMARC, TLS and more, with alerts in Slack, email and signed webhooks.

Start monitoring free All free tools