Skip to main content
New Advanced Threat Defense now includes AI-powered URL analysis Learn more → →

Free DMARC Report Analyzer

Drop a DMARC aggregate report (XML or .gz) and instantly see senders, pass rates, alignment, and per-record details.

Files are parsed in your browser - nothing is uploaded
Built by the Phish Protection Engineering Team | RFC 7489 aggregate report format | Last verified: April 2026

What is a DMARC Aggregate Report?

When you publish a DMARC record with a rua= address, receiving mail servers email you a daily summary of every message claiming to be from your domain. These XML files are how you find out who is sending mail as you - your own infrastructure, your authorized vendors, and anyone trying to spoof your domain.

For phishing prevention, DMARC reports are your visibility into outbound spoofing attempts. If attackers are sending phishing emails that claim to be from your domain, those attempts show up as failures here. Once you move from p=none to p=reject, those messages stop reaching recipients entirely.

How to Read the Results

Pass Rate

Percentage of messages that passed DMARC (SPF or DKIM aligned). Healthy domains sit at 99%+. Anything lower means real legitimate mail is failing - or someone is spoofing you.

Failed Records

Messages where neither SPF nor DKIM aligned. These are your spoofing attempts (or misconfigured legitimate senders). Click into a failed record to see the source IP and where it claims to be from.

Top Source IPs

Where your traffic comes from, with reverse-DNS hostnames. If you see IPs you don't recognize sending mail at scale, that is your spoofing problem.

Per-Record Details

Expand any row to see DKIM signing domains, selectors, the SPF return-path domain, and the From header. This is how you trace a failure back to a specific service.

One report at a time is fine. Hundreds per day is not.

For continuous DMARC monitoring across all your domains, our sister product DMARC Report ingests every aggregate and forensic report automatically, classifies senders by vendor, tracks pass rates over time, and alerts you on suspicious activity.

Try DMARC Report Free Learn More

Frequently Asked Questions

What is a DMARC aggregate report?

A DMARC aggregate report (RUA) is an XML file sent daily by receiving mail servers like Google, Microsoft, and Yahoo to the address listed in your DMARC record. It contains a summary of every authentication result for messages claiming to be from your domain - source IPs, message counts, SPF and DKIM results, alignment status, and the policy applied.

Is my report uploaded to a server?

No. The DMARC Report Analyzer parses your XML file entirely in your browser using JavaScript. Nothing is sent to a server, stored, or logged. You can verify this by opening your browser DevTools and watching the Network tab while you upload a file.

What file formats are supported?

You can upload uncompressed .xml files or gzipped .xml.gz files. Most mail providers email reports as .xml.gz attachments - drop them in directly without extracting. Encrypted .zip archives are not yet supported; please extract the .xml first.

How does this help me stop phishing?

DMARC reports show every IP that's sending mail under your domain - including attackers spoofing you. If your report shows messages from IPs you don't recognize that pass DMARC, that means a sender is authenticated to use your domain (legitimate vendor or compromised infrastructure). If they fail DMARC at p=reject, recipients won't receive the spoofed mail.

What does "aligned" vs "not aligned" mean?

DMARC alignment means the domain in the SPF or DKIM check matches the domain in the From header. SPF can pass on its own, but only "aligned" SPF helps DMARC. The same applies to DKIM. A message can pass DMARC if either SPF or DKIM passes AND aligns - so unaligned passes are not protective.

Why does an SPF result show "passed but unaligned"?

This usually means a third-party sender (like Mailchimp, SendGrid, or Salesforce) is using their own return-path domain in the envelope. Their SPF passes for their domain, but it does not match your From header. Either configure them to use a custom return-path on your domain, or rely on DKIM signing for that sender.

How do I get my own DMARC reports?

Add a DMARC record to your DNS with a rua= tag pointing to a mailbox you own (e.g., v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com). Mail providers will start sending daily aggregate reports to that address within 24-48 hours. For ongoing automated parsing, DMARC Report (dmarcreport.com) ingests them into a dashboard.

Is the source IP hostname information accurate?

The hostname comes from the IP's reverse DNS (PTR) record, resolved live via Google's public DNS. PTR records are set by the network owner, so they are usually accurate for major senders (mail.google.com, outlook.com, sendgrid.net) but can be missing or misleading for shared hosting and consumer ISPs.

Stop phishing before it reaches your inbox

DMARC stops attackers spoofing your domain. Phish Protection blocks phishing, ransomware, and BEC attacks targeting your inbox. 60-day free trial - no credit card required.

Start Free Trial