Why am I receiving emails from noreply-dmarc-support@google.com?

Your domain has a DMARC record with a rua= tag containing an email address. Google sends a daily aggregate report to that address. This is normal and desirable: these reports are your best tool for monitoring email authentication and detecting spoofing.

What file formats are accepted?

The analyzer accepts raw XML files (.xml), gzip-compressed XML files (.xml.gz), and ZIP archives (.zip) containing an XML file. Reports sent by Google, Microsoft, and Yahoo are typically in ZIP or gzip format. Maximum file size: 10 MB.

How do I interpret the compliance score?

The compliance score (0-100) is calculated from the DMARC pass rate, the diversity of failing sources, the presence of spoofing, and the applied policy. A score of 90+ is excellent, 70-89 is good, 50-69 requires attention, and below 50 is critical. A low score indicates authentication issues that need fixing.

What do the legitimate, forwarding, and spoofing classifications mean?

Legitimate: the source IP is authenticated by SPF or DKIM aligned with your domain. Forwarding: messages were forwarded, which breaks authentication - this is expected behavior. Spoofing: the source has no valid authentication for your domain, indicating a likely impersonation attempt.

What is the difference between DMARC pass and DMARC aligned?

Alignment verifies that the authenticated domain (SPF or DKIM) matches the From: header domain. DMARC passes if at least one mechanism (aligned SPF OR aligned DKIM) succeeds. An SPF pass without alignment is not sufficient for DMARC. Alignment can be relaxed (organizational domain) or strict (exact domain).

How do I move to p=reject with confidence?

Analyze your DMARC reports for 2-4 weeks with p=none. Identify all legitimate sources and configure SPF and DKIM for each. Then move to p=quarantine and monitor. When the compliance rate exceeds 99% and only forwarding and spoofing sources are failing, switch to p=reject.

Free DMARC Report Analyzer

Why should you analyze your DMARC reports?

Every day, Google, Microsoft, and Yahoo send DMARC aggregate reports to domains configured with a rua= tag. These reports reveal who is sending emails on behalf of your domain and whether SPF/DKIM authentication is working correctly.

Since 2024, Google and Yahoo require a DMARC record for senders exceeding 5,000 emails per day. Analyzing your DMARC reports is now essential.

The problem: a DMARC aggregate report is a technical XML file, compressed as ZIP or gzip. Without a dedicated tool, there is no way to know if your emails are properly authenticated or if someone is impersonating your domain.

Three reasons to act now:

Detect spoofing - Identify unauthorized sources sending emails with your domain in the From: field and verify that your DMARC policy blocks them.
Validate your third-party services - Every third-party service (newsletter, CRM, support) must be authenticated with SPF and DKIM aligned to your domain.
Move toward p=reject - DMARC reports are your roadmap for going from p=none to p=reject with confidence.

Upload your first report above for a diagnosis in 10 seconds.

How to analyze a DMARC report in 3 steps

Step 1: Get the report

Open the email received from Google (noreply-dmarc-support@google.com), Microsoft, or Yahoo. Download the .xml.gz or .zip attachment. The filename follows the format sender!domain!start!end.xml.gz.

Step 2: Upload the file

Drag and drop the file onto the upload area above. The tool accepts raw XML, gzip, and ZIP formats, up to 10 MB.

Step 3: Read the diagnosis

CaptainDNS decompresses, parses, and displays within seconds:

A compliance score out of 100 across 4 levels: excellent, good, warning, critical
A sender source map classifying sources as legitimate, forwarding, or spoofing
Detailed SPF and DKIM alignment for each source IP
Actionable recommendations with links to the appropriate CaptainDNS tool

What is a DMARC aggregate report?

A DMARC aggregate report (defined by RFC 7489, Section 7.2) is an XML file sent daily by mail providers to the address specified in the rua= tag of your DMARC record.

Example DMARC record with reporting:

_dmarc.captaindns.com. TXT "v=DMARC1; p=reject; rua=mailto:dmarc@captaindns.com"

Each report contains:

Field	Description
`org_name`	The report sender (Google, Microsoft, Yahoo, etc.)
`date_range`	The covered period, typically 24 hours
`policy_published`	Your DMARC policy at the time of collection
`record`	One or more source IPs with their authentication results

For each source IP, the report provides message volume, SPF and DKIM results, DMARC alignment, and the applied disposition (none, quarantine, or reject).

What exactly does the tool analyze?

The CaptainDNS analyzer evaluates each source IP in the report across five dimensions:

Analysis	Description	Result
DKIM alignment	The `d=` domain of the DKIM signature matches the From: header	Aligned or not aligned
SPF alignment	The MAIL FROM domain matches the From: header	Aligned or not aligned
DMARC compliance	At least one mechanism (SPF or DKIM) is aligned	Pass or fail
Source classification	Is the IP legitimate, forwarding, or spoofing?	Legitimate, forwarding, spoofing
Disposition	What action the receiver applied	None, quarantine, reject

Real-world use cases

Symptom: the Google report flags 320 quarantined messages from an unknown IP with SPF fail. Diagnosis: your newsletter service uses a different MAIL FROM domain (bounce.newsletter-service.com). SPF passes for that domain but is not aligned with your From:. Action: configure your service to sign with DKIM d=yourdomain.com, or set up a custom return-path. Verify with the SPF Record Checker.

Incident 2: Spoofing detected

Symptom: 210 rejected messages from an unknown IP, no DKIM signature, unaligned SPF. Diagnosis: an unauthorized source is sending emails with your domain in the From: field. Likely spoofing. Action: your DMARC policy is working. If you are still on p=quarantine, consider moving to p=reject. Verify with the DMARC Record Checker.

Symptom: 15 messages failing DMARC with a forwarded reason and none disposition. Diagnosis: forwarded messages from an intermediary server broke SPF and DKIM authentication. The receiver applied an override. Action: this is expected behavior. Forwarding naturally breaks authentication. No action required.

❓ FAQ - Frequently asked questions

Q: What is a DMARC aggregate report and how do I read it?

A: A DMARC aggregate report is an XML file sent daily by mail servers that receive mail with your domain in the From: field. It tallies SPF and DKIM authentication results per source IP. These files are compressed as ZIP or gzip - upload them here for an instant diagnosis.

Q: What do the dispositions none, quarantine, and reject mean?

A: These are the actions applied by the receiving server. none: the message is delivered normally (p=none policy or override). quarantine: the message is placed in spam. reject: the message is blocked. The applied disposition depends on your DMARC policy and the authentication result.

Q: What is the difference between a DMARC checker and a DMARC report analyzer?

A: A DMARC checker verifies your _dmarc.domain DNS record - that is your configuration. A DMARC report analyzer interprets the XML report files - those are your results. Use the DMARC Inspector to check configuration, and this tool to analyze reports.

Complementary tools

Tool	Purpose
DMARC Inspector	Verify the published DMARC policy
DMARC Generator	Create a DMARC record
DMARC Syntax Checker	Validate DMARC record syntax
SPF Inspector	Verify SPF configuration
DKIM Inspector	Verify DKIM configuration
Email Domain Audit	Full audit: SPF, DKIM, DMARC, MTA-STS, TLS-RPT

Not receiving DMARC reports yet? Add a rua= tag to your DMARC record with the DMARC Generator.

Useful resources

RFC 7489 - Domain-based Message Authentication, Reporting, and Conformance - official DMARC specification
RFC 7489, Appendix C - XML schema for aggregate reports
Google - Read DMARC reports - official Google Workspace guide
Microsoft - Understanding DMARC reports - Microsoft 365 documentation

Free DMARC Report Analyzer

Get a full diagnosis of your DMARC aggregate reports in 10 seconds

Automatic Decompression

DMARC Compliance Score

Source Mapping

Spoofing Detection

Actionable Recommendations