Paste an aggregate DMARC XML report to summarize authentication results and sending sources.
The DMARC Report Analyzer parses aggregate DMARC XML reports (rua) that mailbox providers send to your reporting address.
Upload a .xml or .gz report file to see which sources sent mail as your domain, whether they passed SPF and DKIM, and how much traffic falls into compatible, forwarded, or failed categories.
Identify every IP and hostname sending mail claiming to be from your domain.
See DKIM and SPF pass rates per source to spot misconfigured senders quickly.
Drag and drop XML or gzipped aggregate reports, no manual parsing required.
Download a CSV summary to share with your team or track improvements over time.
Select or drag a DMARC aggregate report file (.xml or .gz, up to 10 MB) from your reporting mailbox.
The tool reads report metadata, policy details, and per-source authentication results.
Sending sources are grouped into compatible, forwarded, and failed based on SPF/DKIM outcomes.
Inspect pass rates, drill into source tables, and export CSV for further analysis or remediation.
Reports cover a specific date range from one reporting organization (e.g. Google, Yahoo). Combine multiple reports for a complete picture.
Mail from this source passed SPF or DKIM and aligns with your DMARC policy. These are your legitimate or properly configured senders.
Mail failed authentication but was not rejected (disposition: none). Often caused by mailing-list or forwarder rewrites, investigate but may be expected.
Mail failed SPF and DKIM and would be affected by quarantine or reject policy. Prioritize fixing or blocking these sources.
Sources with DKIM or SPF pass rates below 50% need attention, check selector alignment, SPF includes, or unauthorized use.
Volume breakdown and percentages for each authentication category.
Provider name, date range, report ID, and contact email from the XML metadata.
The p, sp, adkim, aspf, and pct values published at the time of the report.
IP address and header From domain for each mail stream in the report.
Pass rate percentage for each source, green above 50%, orange below.
While on p=none, check aggregate reports every week to catalog all legitimate sending services.
Sources in the Failed table represent spoofing attempts or misconfigured senders, fix auth or block unauthorized use.
Forwarded messages often fail alignment. Use ARC or relaxed alignment rather than blocking forwarders outright.
Export CSV from each report period and compare compatible vs failed volumes as you tighten policy.
A daily XML summary from mailbox providers listing every source that sent mail using your domain, along with SPF/DKIM results and message counts.
They arrive at the rua address in your DMARC record, typically a dedicated mailbox or a DMARC reporting service you configure.
Plain .xml files and .gz-compressed XML files up to 10 MB. These are the standard formats providers use for aggregate reports.
These messages failed SPF or DKIM but were not rejected because your policy is p=none or the receiver applied no disposition. Forwarding and mailing lists commonly appear here.
A source where mail passed SPF or DKIM authentication. These are senders that align with your DMARC configuration.
No. Each report comes from one reporting organization (e.g. Google or Microsoft). Upload reports from each provider for full coverage.
Ensure all legitimate sources appear under Compatible with high pass rates, Failed volume is near zero, then upgrade policy gradually from none to quarantine to reject.
It is the share of messages from that source that passed DKIM or SPF. Below 50% indicates a sender that needs configuration fixes.
SenderSignal monitors these signals continuously: 48 blacklists, SPF, DKIM, DMARC, TLS and more, with alerts in Slack, email and signed webhooks.