Skip to main content
New SPF lookups must resolve in milliseconds — why a DMARC tool's add-on isn't enough Learn Why → →

Free DMARC Report Analyzer

Drop a DMARC aggregate report (XML or .gz) and instantly see senders, pass rates, alignment, and per-record details.

Files are parsed in your browser - nothing is uploaded
Built by the AutoSPF Engineering Team | RFC 7489 aggregate report format | Last verified: April 2026

What is a DMARC Aggregate Report?

When you publish a DMARC record with a rua= address, receiving mail servers email you a daily summary of every message claiming to be from your domain. These XML files are how you find out who is sending mail as you - your own infrastructure, your authorized vendors, and anyone trying to spoof your domain.

Each report contains source IPs, message volumes, the SPF and DKIM results, whether each result aligned with the From header, and the policy that was applied. Reading them by hand is painful. This tool gives you a focused, on-demand view of any single report.

How to Read the Results

Pass Rate

Percentage of messages that passed DMARC (SPF or DKIM aligned). Healthy domains sit at 99%+. Anything lower means real legitimate mail is failing - or someone is spoofing you.

Passed but Unaligned

SPF or DKIM passed for a different domain than the From header. Common with third-party senders. Fix it by adding a custom return-path or DKIM signing on your domain.

Top Source IPs

Where your traffic comes from, with reverse-DNS hostnames. If you see IPs you don't recognize sending mail at scale, that is your spoofing problem.

Per-Record Details

Expand any row to see DKIM signing domains, selectors, the SPF return-path domain, and the From header. This is how you trace a failure back to a specific service.

SPF failures showing in your report?

If your DMARC report shows SPF failures or "permerror" results, your SPF record is likely exceeding the RFC 7208 limit of 10 DNS lookups. Each include: mechanism counts toward that limit, and large vendors like Google Workspace, Microsoft 365, and Mailchimp can blow past it on their own.

AutoSPF flattens your SPF chain into a single optimized record that stays under the 10-lookup limit and updates automatically as your senders' IP ranges change. No more PermError. No more manual maintenance.

Fix Your SPF with AutoSPF

One report at a time is fine. Hundreds per day is not.

For continuous DMARC monitoring across all your domains, our sister product DMARC Report ingests every aggregate and forensic report automatically, classifies senders by vendor, and tracks pass rates over time.

Understanding DMARC Aggregate Reports

DMARC aggregate reports are the feedback loop that makes DMARC work - but they arrive as dense XML that's hard to read by hand. Here's what's inside one and how to act on it.

What's Inside an Aggregate Report

Every report (defined by RFC 7489) has three parts: metadata identifying who generated it and the date range, the DMARC policy your domain published at the time, and a set of records. Each record represents one source IP that sent mail as your domain, with the message count, the SPF and DKIM results, whether each result aligned with the From domain, and the disposition the receiver applied (delivered, quarantined, or rejected).

The Fields That Matter Most

  • Source IP - which server sent the mail. The analyzer resolves its reverse-DNS hostname so you can tell your CRM from an unknown spoofer.
  • Count - how many messages that row represents. A failing row sending thousands of messages matters far more than a one-off.
  • SPF / DKIM result + alignment - a pass only protects you if it also aligns with your From domain. "Passed but unaligned" is not a DMARC pass.
  • Disposition - what actually happened to the mail under your current policy.

Reading Common Scenarios

  • Everything aligned and passing. Your legitimate senders are configured correctly - safe to tighten your policy.
  • Your own sender passes SPF but is unaligned. Usually a third-party service sending from its own return-path. Fix it with a custom return-path or DKIM signing on your domain.
  • An unfamiliar IP sending volume that fails. That's spoofing - exactly what DMARC enforcement blocks.
  • SPF PermError. Your SPF record exceeds the 10-lookup limit; AutoSPF flattens it so those rows start passing.

Using Reports to Move From p=none to p=reject

Reports exist so you can reach enforcement safely. Start at p=none and read reports until every legitimate source shows aligned passes. Then move to p=quarantine, watch for fallout, and finally p=reject. The analyzer makes that judgment call for a single report; validate the underlying records with the DMARC checker and SPF checker as you go, and see the full progression in our DMARC guide.

From One Report to Continuous Monitoring

This tool is ideal for inspecting a single report on demand. Once you're receiving dozens per day across multiple domains, reading them one at a time stops scaling - our sister product DMARC Report ingests every aggregate and forensic report automatically and tracks pass rates over time.

Frequently Asked Questions

What is a DMARC aggregate report?

A DMARC aggregate report (RUA) is an XML file sent daily by receiving mail servers like Google, Microsoft, and Yahoo to the address listed in your DMARC record. It contains a summary of every authentication result for messages claiming to be from your domain - source IPs, message counts, SPF and DKIM results, alignment status, and the policy applied.

Is my report uploaded to a server?

No. The DMARC Report Analyzer parses your XML file entirely in your browser using JavaScript. Nothing is sent to a server, stored, or logged. You can verify this by opening your browser DevTools and watching the Network tab while you upload a file.

What file formats are supported?

You can upload uncompressed .xml files or gzipped .xml.gz files. Most mail providers email reports as .xml.gz attachments - drop them in directly without extracting. Encrypted .zip archives are not yet supported; please extract the .xml first.

What does "aligned" vs "not aligned" mean?

DMARC alignment means the domain in the SPF or DKIM check matches the domain in the From header. SPF can pass on its own, but only "aligned" SPF helps DMARC. The same applies to DKIM. A message can pass DMARC if either SPF or DKIM passes AND aligns - so unaligned passes are not protective.

My SPF passes but DMARC still fails. Why?

Most likely your SPF includes are exceeding the 10-lookup limit (PermError) on some queries, or SPF is passing for a different domain than the From header (unaligned). The Authentication Records table will tell you which - if you see "passed but unaligned" SPF, fix the return-path. If you see "fail", AutoSPF can flatten your SPF chain to fit under the lookup limit automatically.

How do I get my own DMARC reports?

Add a DMARC record to your DNS with a rua= tag pointing to a mailbox you own (e.g., v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com). Mail providers will start sending daily aggregate reports to that address within 24-48 hours.

Is the source IP hostname information accurate?

The hostname comes from the IP's reverse DNS (PTR) record, resolved live via Google's public DNS. PTR records are set by the network owner, so they are usually accurate for major senders (mail.google.com, outlook.com, sendgrid.net) but can be missing or misleading for shared hosting and consumer ISPs.

DMARC needs SPF - and SPF needs AutoSPF

DMARC alignment requires a passing SPF check. AutoSPF keeps your SPF record optimized and within the 10-lookup limit automatically.