P
Postscale
Log inSign Up
DMARC Reporting API

DMARC Reporting API

Point your RUA mailbox at Postscale. Daily aggregate reports arrive parsed and queryable — by source, by policy outcome, by DKIM/SPF alignment. Stop opening XML by hand.

Get started freeSee DMARC docs

Parsed aggregate reports

Upload or receive RUA XML reports and get structured JSON: per-source IP counts, DKIM/SPF alignment, and policy evaluation.

Per-domain dashboards

Group results by your own sending domain. Identify unauthorized senders and deliverability drift before reputation damage.

Unauthorized-source alerts

Webhook when a new IP starts sending under your domain or when SPF/DKIM pass rate crosses a threshold. Catch spoofing attempts day one.

Historical trend API

Query pass/fail rates over time to measure DMARC enforcement progress from p=none → quarantine → reject.

Receive RUA or POST XML

Give Postscale a dedicated RUA address, or POST existing reports to the API. Works with any DMARC-receiving setup.

EU-hosted, GDPR-friendly

All report data stored in the EU. IP addresses retained per your retention policy; no third-party sharing.

cURL — parse a DMARC aggregate report
curl -X POST https://api.postscale.io/v1/dmarc/reports \
  -H "Authorization: Bearer ps_live_..." \
  -H "Content-Type: application/xml" \
  --data-binary @report.xml

# Response (abridged)
{
  "report_id": "rpt_01HY...",
  "domain": "yourapp.com",
  "date_range": {
    "begin": "2026-04-15T00:00:00Z",
    "end": "2026-04-16T00:00:00Z"
  },
  "records": [
    {
      "source_ip": "185.12.14.5",
      "count": 412,
      "dkim": "pass",
      "spf": "pass",
      "policy_evaluated": "none"
    }
  ]
}

Frequently asked questions

What are RUA and RUF reports?

RUA is the aggregate DMARC report — a daily XML summary of all mail claiming to be from your domain, grouped by source. RUF is forensic (per-message) reports. Postscale parses RUA; RUF support is on the roadmap.

Do I need to change my DMARC record?

Only the rua= tag. Point it at the address Postscale gives you, or keep your current mailbox and POST the reports to our API. Either works.

Can this help me move from p=none to p=reject?

Yes — that's the core use case. You see which sources are aligned and which aren't, fix the gaps, then tighten policy without breaking legitimate mail.

What does it cost?

Free tier covers single-domain monitoring up to 50K messages/day. Higher volumes and multi-domain setups are on paid tiers.

Further reading

How to parse DMARC aggregate reports (RUA) programmatically

The full workflow from receiving zipped XML to actionable per-source insights, with SQL examples.

Read post

SPF, DKIM, and DMARC: the 2026 setup guide

Ground-up authentication setup that feeds clean DMARC reports instead of noise.

Read post

Inbound Email API

Use the same webhook pipeline to catch DMARC RUA mailbox submissions without running a mailbox.

Read post

Ready to build?

Free tier includes everything you need to evaluate. No credit card required.

Create a free account