Free tool · Reports stay in your browser
Your DMARC reports,
finally readable
Those XML attachments in your DMARC mailbox answer one question: who is sending email as your domain? Open one here and actually read it.
.xml or .xml.gz — exactly as it arrived at your rua address.
or
Reports are parsed in your browser's memory and never uploaded — they contain your sending infrastructure, after all.
What a report is really telling you
Every row is a sender claiming to be you
Some are yours (Workspace, your campaign tool, the CRM). Some you forgot. Some are strangers. The whole point of DMARC reporting is making that list visible.
'pass' here means aligned pass
The DKIM/SPF columns show DMARC's evaluation — passing for a domain that matches your From header. A provider passing SPF for its own bounce domain shows as fail here, and that's correct.
Disposition shows your policy at work
none = monitoring, quarantine = sent to spam, reject = refused. Until you enforce, failing mail still gets delivered — reports are the only place you see it.
One file is one day from one receiver
Google's report covers what Google saw yesterday. The full picture is the aggregation of every receiver, every day — which is monitoring, not viewing.
Questions, answered honestly
What are these XML files landing in my rua mailbox?
DMARC aggregate reports. Once you publish a DMARC record with a rua address, every major receiver (Google, Microsoft, Yahoo…) sends you a daily XML summary: which servers sent email claiming to be your domain, how many messages, and whether each source passed SPF and DKIM with alignment. They're machine-readable on purpose — and human-hostile by accident.
How do I open the .gz and .zip attachments?
Google sends .zip, most others send .xml.gz. This viewer reads .xml and .xml.gz directly (the gzip is decompressed in your browser). For .zip, unzip it first and open the .xml inside — browsers can't unzip natively yet.
A source IP is failing both SPF and DKIM. Spoofing?
Maybe — but check the boring explanation first. Most failing sources are your own forgotten services: the CRM, the helpdesk, the invoicing tool someone connected in 2024. Look the IP up (our DNS tool does reverse lookups via the A record owner), and if it's a legitimate service, add it to your SPF or set up its DKIM. If it's genuinely unknown traffic, that's exactly what p=quarantine and p=reject exist for.
What pass rate should I aim for before enforcing?
98%+ of your volume passing for a couple of weeks. Below that, p=reject would be bouncing some of your own legitimate mail. The viewer's pass percentage is the number to watch as you fix each source.
Reading one file is fine — but I get dozens a day.
That's the honest limit of any manual viewer. Reports arrive per-receiver per-day, and the picture only makes sense aggregated over weeks. That's the job Norbelys' DMARC monitoring does continuously: every report received, parsed, aggregated and turned into a feed of findings.
Keep going
More free tools
Nobody reads XML daily. Our parser does.
Norbelys receives your DMARC reports directly, parses every file from every receiver and turns weeks of XML into one feed: who sends as you, what changed, what to fix.
Start monitoringFrom $29/mo · Cancel anytime