DmarcFlow — DMARC Aggregate Report Parser
Parses DMARC aggregate (rua) reports from Google, Microsoft, Yahoo, Mimecast, Proofpoint. Builds a per-sending-IP rollup with pass/fail rate, SPF + DKIM alignment audit, and classification (legitimate / forwarder / spoof / unknown). 12 seeded sending IPs across 7 days.
What it is
The next layer after MailGuard. Once your DMARC record publishes a rua address, you start receiving XML files daily from every major mailbox provider. DmarcFlow is the prototype for parsing them into something you can act on.
What it surfaces
- 12 seeded sending IPs across one week of merged reports. Each row: the IP, the ASN organization, the country, the number of mails reported, the pass rate, and the classification.
- Classification engine:
  - Legit — IP is in the current SPF record and DKIM is aligned. Examples: Google Workspace, Microsoft 365, SendGrid transactional, SendGrid marketing, Google Meet calendar invites.
  - Forwarder — SPF breaks (expected — mail was forwarded) but DKIM survives. Mail-forwarder pattern. Legitimate.
  - Spoof — sending FROM your domain with neither SPF nor DKIM. Two seeded examples: Bulgarian VPS sending invoice phishing, Russian VPS sending password-reset phishing.
  - Unknown — newly seen IP with a recent first appearance; requires investigation. Example: a new SES IP that nobody updated SPF for.
- Per-IP detail — auth results (SPF check + alignment, DKIM signature + alignment), envelope-from vs header-from, reporting mailbox providers, first-seen / last-seen timestamps, notes.
- Recommended action per IP with regulatory + practical context.
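The rollup and classification described above, as an added example that is not DmarcFlow's own code. It parses rua XML from several reporters, merges it per sending IP, audits aligned SPF and DKIM, and assigns the four buckets. The XML is walked with small tag-extraction helpers instead of a library because the aggregate-report schema (RFC 7489 Appendix C) is fixed and shallow. The 0.9 pass thresholds, the 7-day "newly seen" window, the exact bucket rules, and the sample reports (documentation IP ranges, invented counts) are this example's own assumptions; ASN and country lookups need external data and are left out.

```javascript
// Added example (not DmarcFlow's code): parse DMARC aggregate (rua) reports,
// merge them into one row per sending IP, audit alignment, and classify.
// Plain Node, no dependencies. Thresholds and the recency window are assumptions.

const SPF_OK = 0.9;           // assumed: share of mail that must pass aligned SPF
const DKIM_OK = 0.9;          // assumed: share of mail that must pass aligned DKIM
const NEW_IP_WINDOW_DAYS = 7; // assumed: an IP first seen this recently is "unknown"

// Text of the first <tag>..</tag> in xml (null if absent). Tag names are fixed literals.
function tagText(xml, tag) {
  const m = xml.match(new RegExp(`<${tag}>([^<]*)</${tag}>`));
  return m ? m[1].trim() : null;
}

// Inner XML of every <tag>..</tag> in xml, in document order.
function tagBlocks(xml, tag) {
  const re = new RegExp(`<${tag}>([\\s\\S]*?)</${tag}>`, "g");
  const out = [];
  for (let m = re.exec(xml); m !== null; m = re.exec(xml)) out.push(m[1]);
  return out;
}

// One rua report -> { reporter, begin, end, records[] }. policy_evaluated holds the
// *aligned* verdicts DMARC actually used; auth_results holds the raw SPF/DKIM checks.
function parseReport(xml) {
  const meta = tagBlocks(xml, "report_metadata")[0] || "";
  const range = tagBlocks(meta, "date_range")[0] || "";
  const records = tagBlocks(xml, "record").map((rec) => {
    const row = tagBlocks(rec, "row")[0] || "";
    const pol = tagBlocks(row, "policy_evaluated")[0] || "";
    const ids = tagBlocks(rec, "identifiers")[0] || "";
    const auth = tagBlocks(rec, "auth_results")[0] || "";
    return {
      ip: tagText(row, "source_ip"),
      count: Number(tagText(row, "count") || 0),
      headerFrom: tagText(ids, "header_from"),
      envelopeFrom: tagText(ids, "envelope_from"),
      spfAligned: tagText(pol, "spf") === "pass",
      dkimAligned: tagText(pol, "dkim") === "pass",
      spfRaw: tagText(tagBlocks(auth, "spf")[0] || "", "result") || "none",
      dkimRaw: tagText(tagBlocks(auth, "dkim")[0] || "", "result") || "none",
    };
  });
  return { reporter: tagText(meta, "org_name"), begin: Number(tagText(range, "begin")),
           end: Number(tagText(range, "end")), records };
}

// Merge any number of parsed reports into one entry per sending IP.
function rollup(reports) {
  const byIp = new Map();
  for (const r of reports) {
    for (const rec of r.records) {
      let e = byIp.get(rec.ip);
      if (!e) {
        e = { ip: rec.ip, total: 0, dmarcPass: 0, spfAlignedPass: 0, dkimAlignedPass: 0,
              reporters: new Set(), envelopeFroms: new Set(), firstSeen: r.begin, lastSeen: r.end };
        byIp.set(rec.ip, e);
      }
      e.total += rec.count;
      e.spfAlignedPass += rec.spfAligned ? rec.count : 0;
      e.dkimAlignedPass += rec.dkimAligned ? rec.count : 0;
      e.dmarcPass += rec.spfAligned || rec.dkimAligned ? rec.count : 0; // DMARC passes on either
      e.reporters.add(r.reporter);
      e.envelopeFroms.add(rec.envelopeFrom);
      e.firstSeen = Math.min(e.firstSeen, r.begin);
      e.lastSeen = Math.max(e.lastSeen, r.end);
    }
  }
  return [...byIp.values()];
}

// Bucket rules (this example's reading of the four classes):
//   legit     - aligned SPF and aligned DKIM both pass
//   spoof     - neither passes: someone else is sending as the header-from domain
//   forwarder - DKIM survives, SPF broken by the relay, and the IP has been seen for a while
//   unknown   - anything else, e.g. a DKIM-only IP that only appeared in the last few days
function classify(e, nowEpoch) {
  const spfOk = e.spfAlignedPass / e.total >= SPF_OK;
  const dkimOk = e.dkimAlignedPass / e.total >= DKIM_OK;
  const ageDays = (nowEpoch - e.firstSeen) / 86400;
  if (spfOk && dkimOk) return "legit";
  if (!spfOk && !dkimOk) return "spoof";
  if (dkimOk && ageDays >= NEW_IP_WINDOW_DAYS) return "forwarder";
  return "unknown";
}

// Full pipeline: raw XML strings -> per-IP rows ready for a table.
function analyze(xmlReports, nowEpoch) {
  return rollup(xmlReports.map(parseReport)).map((e) => ({
    ip: e.ip, total: e.total, passRate: e.dmarcPass / e.total,
    reporters: [...e.reporters].sort(), envelopeFroms: [...e.envelopeFroms].sort(),
    firstSeen: e.firstSeen, lastSeen: e.lastSeen, classification: classify(e, nowEpoch),
  }));
}

// Constructed sample reports (documentation IP ranges, invented counts), not real provider data.
const rec = (ip, n, ef, spf, dkim) => `<record><row><source_ip>${ip}</source_ip><count>${n}</count>` +
  `<policy_evaluated><disposition>none</disposition><dkim>${dkim}</dkim><spf>${spf}</spf></policy_evaluated></row>` +
  `<identifiers><header_from>example.com</header_from><envelope_from>${ef}</envelope_from></identifiers>` +
  `<auth_results><dkim><domain>example.com</domain><result>${dkim}</result></dkim>` +
  `<spf><domain>${ef}</domain><result>${spf}</result></spf></auth_results></record>`;
const report = (org, begin, ...recs) => `<feedback><report_metadata><org_name>${org}</org_name>` +
  `<date_range><begin>${begin}</begin><end>${begin + 86400}</end></date_range></report_metadata>` +
  `<policy_published><domain>example.com</domain><p>reject</p></policy_published>${recs.join("")}</feedback>`;
const SAMPLE_REPORTS = [
  report("google.com", 1717200000,                                        // 2024-06-01
    rec("203.0.113.10", 120, "example.com", "pass", "pass"),
    rec("198.51.100.7", 35, "fwd.example.net", "fail", "pass"),
    rec("192.0.2.55", 8200, "example.com", "fail", "fail")),
  report("yahoo.com", 1718150400,                                         // 2024-06-12
    rec("203.0.113.10", 90, "example.com", "pass", "pass"),
    rec("198.51.100.7", 12, "fwd.example.net", "fail", "pass"),
    rec("192.0.2.55", 300, "example.com", "fail", "fail"),
    rec("203.0.113.200", 40, "amazonses.com", "fail", "pass")),           // new SES IP, SPF never updated
];
const NOW = 1718409600; // 2024-06-15: the "today" the newly-seen window is measured from

console.table(analyze(SAMPLE_REPORTS, NOW));
```

The two assumed thresholds matter more than they look: a legitimate sender with an occasional DKIM body-hash failure should stay "legit", and a forwarder that breaks SPF on every message should not be mistaken for a spoofer just because one relay happened to be in your SPF record. The recency window is what separates the SES case from an ordinary forwarder: both are DKIM-only, but an IP nobody has seen before deserves a human look rather than a "legitimate forwarder" label.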
Why this matters
The 80% of value DMARC promises sits in the aggregate report. Most companies publish p=reject and never read the reports. That works as a defensive measure but leaves operational intelligence on the table — you don’t know which legitimate sender is misconfigured, which forwarders break SPF on you, or which spoofer is currently using your domain in a phishing campaign.
DmarcFlow is the screen that turns the XML stream into the conversation: “this IP isn’t ours, and 8200 emails went out from it claiming to be us yesterday.”
How it ships
Single HTML file, ~28KB. Zero dependencies. The IP catalog, classification logic, alignment audit, and per-IP findings are 290 lines of vanilla JavaScript.