ToolBelt

DMARC RUA Parser

Parse a DMARC aggregate (RUA) XML report into a readable summary.

Open tool

Overview

The DMARC RUA parser turns the XML aggregate reports that arrive from Google, Yahoo, Microsoft, and other large receivers into a readable summary — sending IP, message count, SPF and DKIM verdicts, alignment result, and the policy that was applied. Paste a single report or upload one extracted from a .zip or .gz attachment and the structure is rendered as a table you can actually read.

Email administrators who have switched DMARC on but cannot stomach the raw XML, deliverability consultants reviewing a client's reports, and security teams hunting for forged mail all benefit from a quick DMARC report parser. Long-tail keywords covered: parse DMARC aggregate XML online, read mailbox provider RUA reports, and identify unauthorised senders from DMARC data.

How it works

DMARC aggregate reports follow the XML schema defined in RFC 7489. Each report covers a 24-hour window for a single domain at a single receiver. Inside it is a policy_published block describing the DMARC record at the time of evaluation, then one or more record blocks. Each record lists a sending IP, the number of messages from that IP, whether SPF and DKIM passed and aligned, and what the receiver did with the mail.

Reports are delivered as email attachments — usually .gz or .zip — to the rua= address in the DMARC record. The parser handles the decoded XML directly; if you have the compressed attachment, decompress it first.

Examples

  • A report with a single record from 74.125.x.x for 1,200 messages with spf=pass and dkim=pass, both aligned, applied policy none: typical legitimate mail from Google's mailservers.
  • A record from 185.x.x.x with 50 messages, spf=pass but dkim=fail, alignment fail, disposition quarantine: a third-party sender forgot to sign with the right selector.
  • A record from a residential IP with spf=fail and dkim=fail: almost certainly forged mail.
  • Many one- or two-message records from disparate IPs: forwarding (mailing lists, vacation auto-forwards) that breaks SPF alignment.

FAQ

Where do these reports come from?

Every receiver that participates in DMARC sends aggregate reports to the rua address listed in your record. Google, Yahoo, Microsoft, Mail.ru, and many more send daily.

Why do legitimate senders sometimes fail?

The most common cause is forwarding: SPF breaks when a third party relays your mail without rewriting the envelope. DKIM usually survives forwarding, which is why aligned DKIM matters.

Are forensic (RUF) reports the same?

No. RUA reports are aggregate counts. RUF reports are per-message failure samples, sent to the ruf= address. Most large receivers no longer send RUF for privacy reasons.

Can I parse multiple reports at once?

Yes — paste the XML for each report in turn and the parser merges results into a single table.

Try DMARC RUA Parser

An unhandled error has occurred. Reload ×