About the tool
Tool for sysadmins and mailserver admins who want clarity from chaos. This DMARC report analyzer helps you make
sense of the often messy world of feedback reports.
It does three things:
- Upload or paste XML - Analyze one or hundreds of DMARC aggregate reports in one go. Just drag them in or paste the raw XML.
- POP3 mailbox support - Let the tool connect to your feedback inbox and parse all reports automatically.
- Insightful overview - Get a clear, structured summary of the DMARC alignment status across domains, senders, IPs, and mail providers.
The tool summarizes each report, groups and counts results per IP, envelope domain, header domain, and sender
organization – so you can instantly spot misaligned sources, failed authentication, and potentially abusive senders.
Troublesome sources and suspicious feedback are highlighted, helping you quickly focus on what needs fixing - whether that’s a
broken mail flow or an unauthorized sender slipping through.
Sample
I made an example XML aggregated report to showcase the tool:
FAQ
How do I receive DMARC aggregate reports?
To receive reports, you must publish a rua tag in your domain's DMARC record, pointing to an email address
capable of handling XML attachments. For example:
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com;
Mail providers that receive emails claiming to be from your domain will send periodic (usually daily)
XML summary reports to this address.
The DMARC check / create tool can assist you with this as well.
What information do DMARC aggregate reports provide?
These reports summarize authentication results across all emails sent using your domain. They include:
- The sending IPs and how many messages they sent
- The results of SPF and DKIM checks
- The domains used in the envelope and header From
- The alignment results (SPF/DKIM domain vs. From domain)
This helps identify who is sending on your behalf - both legitimate and potentially fraudulent sources.
What don’t DMARC aggregate reports tell me?
Aggregate reports do not include the actual content of any email, the recipient addresses, or detailed logs. They also
won't tell you about emails that were blocked or rejected before DMARC evaluation, or messages forwarded by users
(which often fail SPF).
Why do legitimate messages sometimes fail SPF or DKIM in these reports?
This commonly happens with server-side forwarding, mailing lists, or when third parties resend mail (e.g., alumni or partner
organizations). These intermediaries often rewrite headers or resend messages in a way that breaks SPF or DKIM,
even though the original message was fine.
How can I spot suspicious or malicious senders in these reports?
Look for unknown IP addresses or Header From domains that don't match your organization's legitimate senders. Repeated
SPF/DKIM failures from the same IPs are strong indicators of spoofing. Also, be cautious of bulk senders using
your domain with poor alignment — especially if they don’t match known services.
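The grouping and flagging described in this FAQ can be sketched as follows. This is an added example, not the tool's own code: the function names `summarize` and `suspicious`, the `known_ips` allow-list, and the sample report are constructed for illustration, and the parser assumes the element names of the RFC 7489 aggregate report format in a report without an XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (documentation IPs and domains, not real data).
SAMPLE = """<feedback>
 <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
   <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>3</count>
   <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>25</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>5</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

def summarize(xml_text):
    """Return {source_ip: {"total", "dmarc_fail", "header_from"}} for one report."""
    # Reports come from third parties: refuse DTDs to rule out entity expansion.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not allowed in a DMARC report")
    stats = defaultdict(lambda: {"total": 0, "dmarc_fail": 0, "header_from": set()})
    for rec in ET.fromstring(xml_text).iter("record"):
        ip = rec.findtext("row/source_ip", "").strip()
        count = int(rec.findtext("row/count", "0"))
        dkim = rec.findtext("row/policy_evaluated/dkim", "fail").strip()
        spf = rec.findtext("row/policy_evaluated/spf", "fail").strip()
        entry = stats[ip]
        entry["total"] += count
        entry["header_from"].add(rec.findtext("identifiers/header_from", "").strip())
        # DMARC passes if either aligned check passes; it fails only when both fail.
        if dkim != "pass" and spf != "pass":
            entry["dmarc_fail"] += count
    return dict(stats)

def suspicious(stats, known_ips):
    """Source IPs outside the allow-list that have DMARC failures, busiest first."""
    hits = [(ip, s["dmarc_fail"]) for ip, s in stats.items()
            if ip not in known_ips and s["dmarc_fail"] > 0]
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    print(suspicious(summarize(SAMPLE), known_ips={"192.0.2.10"}))
```

The source at 198.51.100.7 is not flagged because its aligned SPF result passes, which is the pattern a known third-party sender with unconfigured DKIM typically shows.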