DMARC Aggregate Report Viewer

Upload a DMARC aggregate report (XML, gzip, or ZIP) from your mail server to see SPF/DKIM authentication and policy results by source IP in a readable table. Parsing happens 100% in your browser — the file is never uploaded to a server.

Tips

  • DMARC aggregate reports are normally emailed daily (as gzip or ZIP-compressed XML) to the address you specified in the "rua" tag of your DMARC record. You can upload that attachment directly to this tool.
  • A low "SPF & DKIM pass rate" often means a legitimate sender — your marketing platform, CRM, or an outsourced mail vendor — isn't configured correctly for SPF/DKIM. Note the source IP and investigate it.
  • While your policy (p) is still "none", messages that fail authentication are still delivered. Only tighten it to quarantine or reject once your pass rate is consistently high.
  • An unfamiliar source IP sending a large volume of messages under your domain can be a sign of phishing or spam abusing your brand. Check the Header From value and reverse-lookup the source IP.
  • When comparing multiple days of reports, jot down the date range (begin/end) embedded in each file so you can track how the pass rate changes over time.

Frequently Asked Questions

If you've listed an email address in the "rua" tag of your DMARC DNS record, major mail providers will send a daily XML attachment (gzip or ZIP compressed) to that mailbox. If you haven't set "rua" yet, add it to your TXT record first — otherwise you won't receive any reports.

No. Decompression and XML parsing all happen in JavaScript inside your browser, and the contents are never sent anywhere. Since DMARC reports contain your organization's outbound mail source IPs, this tool is designed with privacy and security in mind.

If a legitimate sender is failing authentication, tightening your DMARC policy to quarantine or reject could cause that sender's mail to stop being delivered. Keep your policy at "none" (monitor only) until your pass rate is consistently high.

This tool only supports the daily aggregate report format ("rua"). Forensic reports ("ruf"), which contain copies of individual failed messages, use a different format and aren't supported here.

The current version supports one file per upload. To compare several days of reports, upload and review them one at a time.
ツールくん

Side Note — How DMARC reports turned an invisible problem visible

DMARC (Domain-based Message Authentication, Reporting & Conformance), standardized in 2012, ties together two existing authentication mechanisms — SPF and DKIM — and lets a domain publish, via DNS, exactly how mail that fails authentication should be handled. But for most administrators, the real value isn't the policy enforcement itself — it's the aggregate reporting ("rua") feature.

Before DMARC, there was almost no way to know how much mail was being sent claiming to be from your domain, or how much of it was legitimate versus spoofed. Abuse of your domain's reputation could go on indefinitely — an invisible threat you'd only learn about from angry recipients, if at all.

A DMARC aggregate report makes that traffic visible: which IPs sent how many messages claiming your domain, and how each one fared against SPF and DKIM. Major providers (Gmail, Yahoo, Microsoft, and others) faithfully report back on the mail they receive, letting you discover senders you didn't even know about — a cloud service, a salesperson's personal mail tool, or an outright impersonator.

When Google and Yahoo effectively made DMARC mandatory for bulk senders in 2024, demand for parsing aggregate reports surged among developers and mail administrators. Many organizations adopt a paid monitoring SaaS, but for a quick, one-off look at a single report, a free, fully client-side tool like this one is often all you need.