DMARC Report Analyzer

What Are DMARC Aggregate Reports?

DMARC aggregate reports are XML files sent daily by receiving mail servers to the address specified in your DMARC record's rua tag. Defined in RFC 7489 Section 7.2, these reports summarize how receivers handled messages claiming to come from your domain, including SPF and DKIM authentication results and the policy action taken.

Reports arrive as XML files (often gzip-compressed) and can be difficult to read manually. This tool parses the XML structure and presents the data in a human-readable format, helping you identify unauthorized senders, authentication failures, and alignment issues.

XML Report Structure

Every DMARC aggregate report contains three main sections: report metadata (who generated it and the time period), the published policy for your domain at the time, and individual record rows grouping messages by source IP and authentication outcome.

How to Read Report Results

Each record row shows a source IP, the number of messages from that IP, and the authentication verdicts. The disposition field tells you what the receiver did: none means delivered normally, quarantine means sent to spam, and reject means the message was refused. Look for rows where DKIM or SPF shows fail to identify unauthorized senders or misconfigured services.

Where Reports Come From

Reports are sent to the email address in your DMARC record's rua=mailto: tag. Major providers like Google, Microsoft, Yahoo, and others send reports daily. If you are not receiving reports, check that your rua address is correct and that the receiving domain has authorized report delivery (via a DNS record at <domain>._report._dmarc.<rua-domain>).

Read the complete DMARC guide to learn more.