How to Read DMARC Reports: Types, Tools, and Tips
by
Last Updated: 13 min read
Key Takeaways
- DMARC reports provide critical insights into your email authentication, helping IT managers, CISOs, and MSPs detect and prevent phishing, spoofing, and unauthorized use of domains across single or multiple client environments.
- There are two main types of DMARC reports: Aggregate reports, which offer a summary of email authentication results, and Forensic reports, which give detailed info on individual failed emails.
- Reading raw DMARC reports can be complex due to their XML format, but PowerDMARC’s platform simplifies this by converting data into easy-to-understand dashboards that save time for busy IT teams.
- Enabling DMARC reporting involves publishing a DNS TXT record with the right tags (rua/ruf), allowing domain owners to receive and act on reports that strengthen their email security and protect their brand.
TL;DR: DMARC reports show you which emails pass or fail authentication, helping you detect spoofing attempts and fix email deliverability issues. Use automated tools to parse XML reports into actionable insights for better domain security.
Phishing is behind 90% of cyberattacks, making it critical for IT teams and security professionals to understand how to read DMARC reports to safeguard organizational data and reputation.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) reports provide detailed insights into how your organization’s emails are authenticated, helping you maintain a close eye on your email security infrastructure. By confirming that emails truly come from trusted sources, DMARC plays a key role in blocking phishing and spoofing attempts that could damage your brand and put your customers at risk.
This blog will walk your team through how to read DMARC reports and explain how PowerDMARC’s platform can make this process easier, helping you protect your domain and strengthen your email security with confidence.
Why PowerDMARC?
PowerDMARC is the only DMARC platform offering PGP-encrypted forensic reports, AI-driven threat intelligence, and 24/7 expert support. Recognized by G2 and SOC2 certified, PowerDMARC delivers proven results, like the 100% domain security score achieved by Pablo Herreros, through our real-time dashboard that outperforms generic solutions.
- Automated XML report parsing saves hours of manual analysis
- Multi-tenant dashboard perfect for MSPs managing multiple clients
- Enterprise-grade security with PGP encryption for sensitive data
- 24/7 global support for mission-critical email infrastructure
What is a DMARC Report?
DMARC reports are diagnostic reports generated by receiving mail servers that show your organization how emails are authenticated across the internet. They provide clear visibility into email behavior and mail flows, including SPF and DKIM authentication results for messages sent from a DMARC-enabled domain.
These reports are based on two key technologies:
- SPF (Sender Policy Framework) verifies if an email is sent from an authorized server.
- DKIM (DomainKeys Identified Mail) checks if the email’s content has been altered in transit.
Together, these checks show whether your emails are genuine or potentially fraudulent, giving your security team the visibility needed to protect your organization.
How DMARC Reporting Works
Understanding the DMARC reporting lifecycle helps you better interpret and act on the data you receive. Here’s how the end-to-end process works:
Report Generation Process
- Email Authentication Check: When your domain sends an email, receiving servers (Gmail, Outlook, Yahoo, etc.) perform SPF, DKIM, and DMARC checks
- Data Collection: Results are collected throughout the day, including source IPs, authentication outcomes, and policy actions
- Report Compilation: Receiving servers compile this data into XML format, typically on a daily basis
- Report Delivery: Reports are sent to the email addresses specified in your DMARC record’s RUA (aggregate) and RUF (forensic) tags
What Triggers Report Generation
- Any email sent from your domain to major email providers
- Both legitimate emails from your organization and potential spoofing attempts
- Daily reporting cycles (most providers send reports every 24 hours)
Timing and Format Expectations
- Delivery Schedule: Reports typically arrive within 24-48 hours of email activity
- Format: Aggregate reports come as compressed XML files (.zip or .gz), while forensic reports are usually plain text
- Volume: High-traffic domains may receive dozens of reports daily from different providers
Benefits of DMARC Reporting
Implementing DMARC reporting provides significant organizational and security benefits that directly impact your bottom line and risk posture:
Security and Risk Reduction
- Domain Abuse Visibility: Identify unauthorized senders attempting to use your domain for phishing or spam
- Threat Intelligence: Gain actionable insights into attack patterns and malicious IP addresses targeting your brand
- Brand Protection: Prevent cybercriminals from damaging your reputation through domain spoofing
Operational Benefits
- Improved Email Deliverability: Identify and fix authentication issues that cause legitimate emails to be marked as spam
- Compliance Support: Meet regulatory requirements for email security in industries like finance, healthcare, and government
- Cost Reduction: Reduce incident response costs by preventing successful phishing attacks
Strategic Advantages
- ROI Justification: Demonstrate measurable security improvements to executive leadership
- Audit Readiness: Maintain detailed logs of email authentication for compliance audits
- Competitive Advantage: Build customer trust through demonstrable email security practices
How to Enable DMARC Reports (Step-by-Step)
Before your team can read DMARC reports, you need to set up a DMARC record that tells mailbox providers where to send your reports.
Step 1: Publish a DMARC record
Create a DNS TXT record for: _dmarc.yourdomain.com
Start with monitoring mode: v=DMARC1; p=none; rua=mailto:[email protected];
Step 2: Add report destinations (rua first)
- rua (Aggregate reports): This is the primary DMARC reporting channel and the one most organizations rely on.
- ruf (Forensic reports): Optional. Support varies by provider and it can raise privacy concerns, so many organizations skip it or use it cautiously.
Example with both (only if you intend to use forensic reporting):
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected];
Step 3: Decide how you’ll receive reports
Your organization has two practical options:
- Dedicated mailbox: Useful for testing, but raw reports arrive as XML attachments and become hard to manage at scale.
- PowerDMARC’s automated platform: Recommended for ongoing monitoring, filtering, and actionable dashboards that save your team time.
Step 4: Confirm reports are arriving
Aggregate reports often start showing up within 24–48 hours, depending on DNS propagation and mailbox provider reporting cycles. If nothing arrives, validate:
- the DMARC record is published correctly,
- the destination mailbox/service can receive messages,
- and your domain is actively sending email.
Once you’ve enabled reports, your team can read and analyze them.
How to Read DMARC Reports
DMARC reports usually come in XML format attached to emails with subjects like “DMARC Report.” While raw reports aren’t easy to read directly, understanding their structure helps your team extract valuable insights.
PowerDMARC’s platform automatically processes these complex XML files and presents the data in intuitive dashboards, saving your team hours of manual analysis.
Here’s how to read DMARC reports:
Understand the DMARC XML format
A typical DMARC XML report includes these key sections:
- Source IP: The IP address of the sending server
- Policy evaluated: The action taken based on your DMARC policy
- SPF and DKIM results: Whether each check passed or failed
- Domain details: The domain names involved in sending and authentication
DMARC reports arrive as compressed XML files that are difficult to interpret manually, especially across multiple domains and sending sources.
PowerDMARC’s DMARC Report Analyzer automatically parses DMARC aggregate reports into human-readable dashboards, helping your team quickly identify SPF/DKIM failures, unauthorized senders, alignment issues, and spoofing attempts without digging through raw XML.
See exactly who is sending email from your domain and why messages are passing or failing DMARC, in real time.
Decode the key elements in a raw report
Focus on these critical fields when reviewing a report:
- source_ip: Where the email originated
- policy_evaluated: What your DMARC policy decided (e.g., none, quarantine, reject)
- spf and dkim: Results showing pass or fail. A pass means the email met the authentication standards, while a fail indicates issues that could point to spoofing or misconfiguration
Expect practical challenges with raw reports
When working directly with XML files, a few obstacles are common:
- Reports may arrive compressed (.zip or .gz)
- High-volume domains can generate very large files
- Your team will often receive multiple reports from different providers covering the same day
This is why most IT teams move away from manual inspection once reporting volume increases and adopt automated solutions like PowerDMARC.
Example DMARC Report Walkthrough
Here’s a simplified example of what you’ll see in a DMARC aggregate report:
<record>
<row>
<source_ip>203.0.113.1</source_ip> ← 1. Sending server IP
<count>150</count> ← 2. Number of emails
<policy_evaluated>
<disposition>none</disposition> ← 3. DMARC policy action
<dkim>pass</dkim> ← 4. DKIM result
<spf>fail</spf> ← 5. SPF result
</policy_evaluated>
</row>
<identifiers>
<header_from>example.com</header_from> ← 6. Domain in From header
</identifiers>
<auth_results>
<dkim>
<domain>example.com</domain> ← 7. DKIM signing domain
<result>pass</result>
</dkim>
<spf>
<domain>mail.example.com</domain> ← 8. SPF domain
<result>fail</result>
</spf>
</auth_results>
</record>
Analysis: This record shows 150 emails from IP 203.0.113.1 where DKIM passed but SPF failed, likely due to a subdomain alignment issue. Your team should investigate the SPF configuration for mail.example.com.
Identify issues from the data (SPF, DKIM, Alignment)
Look out for these warning signs: Failures often occur simply because SPF or DKIM wasn’t set up correctly. Marketing tools, CRM systems, newsletter platforms, and helpdesk tools must be added to your SPF record or configured with their DKIM keys to pass DMARC consistently. These failures are especially common after a new tool rollout, a domain change, or a vendor-side sending update.
Warning signs:
- Failures in SPF or DKIM checks
- Alignment problems where the sending domain doesn’t match the authenticated domain
- Suspicious sending IPs that don’t belong to your organization’s known mail sources
These flags could signal attempts to impersonate your domain.
Read how Jordi Altimira (Head of Technical Implementation & Client Success at Pablo Herreros) achieved a 100% domain security score with PowerDMARC.
No credit card required. Instant access.
Types of DMARC Reports
DMARC reporting is mainly delivered through two report types: Aggregate (RUA) and Forensic (RUF). Both serve different purposes, and most organizations rely primarily on aggregate reports for continuous monitoring
What Is Not Included in DMARC Aggregate Reports
To set proper expectations, it’s important to understand what DMARC aggregate reports do NOT contain:
- Message Content: Email subject lines, body text, or attachments are never included
- Recipient Information: Email addresses of recipients are not disclosed for privacy protection
- Detailed Forensic Data: Specific email headers or detailed failure analysis (this requires forensic reports)
- Real-time Alerts: Reports are typically delivered daily, not immediately after incidents
Why these limitations exist: Privacy regulations and compliance requirements prevent sharing sensitive email content and recipient data. This design protects both senders and recipients while still providing valuable authentication insights.
1. DMARC Aggregate Reports (RUA)
DMARC aggregate reports provide an overview of the DMARC analytics and activity for a domain. They include:
- Information pertaining to the number of messages that passed or failed DMARC authentication
- The IP addresses of the sending mail servers
- The authentication statuses of the mechanisms used to verify the email message
This information helps your security team gain awareness of spammers and unauthorized third-party services wrongly using your domain name.
PowerDMARC’s platform transforms these complex XML reports into readable and understandable dashboards, organized into charts and tables with advanced viewing and filtering options that save your team valuable time. To enable our human-readable aggregate reports, contact us today!
2. DMARC Forensic Reports (RUF)
DMARC forensic reports, also known as failure reports, provide detailed information about individual email messages that failed DMARC authentication. In some cases, Forensic DMARC reports may include:
- The entire email message
- The authentication status
- The reason for the failure of the unauthorized message
Failure reports in DMARC are particularly useful when investigating specific forensic incidents, such as potential email fraud, domain name abuse, and impersonation.
Failure reports may sometimes contain sensitive information, raising privacy concerns if an attacker gains access to them. PowerDMARC addresses this with PGP encryption on these reports, ensuring that only your organization has access to the sensitive content.
What to Do If You Receive a DMARC Failure Report
When you receive a forensic (failure) report, follow this step-by-step response guide:
Immediate Response (Within 1 Hour)
- Verify the Source: Check if the sending IP belongs to your organization or authorized third-party services
- Assess Threat Level: Determine if this appears to be a legitimate configuration issue or potential attack
- Document the Incident: Save the report and note the timestamp, source IP, and failure reason
Investigation Phase (Within 24 Hours)
- Check Authentication Records: Verify your SPF, DKIM, and DMARC records are correctly configured
- Contact Service Providers: If the IP belongs to a legitimate service, work with them to fix authentication
- Monitor for Patterns: Look for similar failures from the same source or related IPs
Remediation and Communication
- Update DNS Records: Add missing SPF includes or fix DKIM configurations as needed
- Notify Stakeholders: Inform relevant teams about the incident and resolution steps
- Implement Monitoring: Set up alerts for future failures from unknown sources
DMARC Report Fields Explained
DMARC aggregate (RUA) reports usually arrive in XML format and contain multiple “records.” Each record represents email activity from a specific sending source (typically an IP address) and shows how that source performed against your DMARC policy. Once your team knows what the key fields mean, it becomes much easier to identify legitimate senders, spot unauthorized usage, and fix SPF/DKIM alignment issues.
Key DMARC fields you’ll see in aggregate (RUA) reports
| Field | What it tells you | Why it matters |
|---|---|---|
| org_name | The organization generating the report | Helps you confirm which mailbox provider/receiver observed the traffic |
| Contact address for the reporting organization | Useful for verification or troubleshooting | |
| report_id | Unique identifier for the report | Helps you reference and track specific reports over time |
| date_range | Time period covered by the report | Confirms the timeframe for the results |
| source_ip | IP address that sent the email | Core field for identifying known vs unknown sending sources |
| count | Number of emails from that source | Helps your team prioritize investigations by volume |
| header_from | Domain in the visible From header | This is the domain DMARC protects and evaluates alignment against |
| disposition | Action taken under DMARC (none/quarantine/reject) | Shows how receivers handled the messages based on your policy |
| spf | SPF authentication result (pass/fail) | Tells you whether SPF succeeded for that source |
| dkim | DKIM authentication result (pass/fail) | Tells you whether DKIM succeeded for that source |
| envelope_from (SPF identity) | Domain used for SPF evaluation (Return-Path/Mail From) | Needed to diagnose SPF alignment failures |
| dkim_domain (DKIM identity) | Domain used to sign DKIM (d= value) | Needed to diagnose DKIM alignment failures |
| selector (DKIM) | DKIM selector used | Helps pinpoint which DKIM key is failing or misconfigured |
How these fields work together
A common mistake is to treat DMARC as a simple “SPF pass/DKIM pass” check. DMARC also verifies whether SPF or DKIM aligns with the domain in header_from. That is why you may see SPF or DKIM showing “pass,” but DMARC still failing for that record.
Use these combinations to help your team interpret records quickly:
- DMARC pass: SPF or DKIM passes and aligns with header_from
- DMARC fail: Neither SPF nor DKIM achieves alignment with header_from
- SPF pass but DMARC fail: SPF may pass, but the envelope_from domain does not align with header_from
- DKIM pass but DMARC fail: DKIM may pass, but the dkim_domain does not align with header_from
- High volume from an unknown source_ip: Often indicates an unauthorized sender, an overlooked system, or a misconfigured third-party service
Once your team understands these fields, reading DMARC reports becomes much more practical. The next step is to review records in priority order, starting with the sources generating the highest volume or highest failure rates.
Common Issues Found in DMARC Reports
DMARC aggregate reports often reveal problems that affect authentication, domain security, and email deliverability. These are the issues your security team is most likely to encounter and what they mean.
DMARC Issues Troubleshooting Table
| Issue | Cause | Recommended Action |
|---|---|---|
| SPF Alignment Failure | Return-Path domain doesn't match From domain | Check SPF record for missing senders, configure subdomain alignment |
| DKIM Alignment Failure | DKIM signing domain doesn't match From domain | Update DKIM configuration or adjust DMARC alignment mode |
| Unknown Source IP | Unauthorized sender or forgotten service | Investigate IP ownership, block if malicious, authorize if legitimate |
| High Failure Rate | Misconfigured authentication or attack | Audit all email services, review SPF/DKIM setup, monitor for patterns |
| Third-party Service Failures | Marketing/CRM tools not in SPF record | Add service to SPF record, configure DKIM if available |
- Failing SPF or DKIM alignment: This happens when emails pass SPF or DKIM, but the domains used don’t align with the domain recipients see in the “From” header. Misalignment causes DMARC to fail even if the underlying authentication checks succeed. In most cases, the fix is to configure your sending services so the Return-Path (SPF identity) and/or DKIM signing domain aligns with the From domain, then confirm the change through your next round of aggregate reports.
- Unauthorized sending sources: DMARC reports may show servers sending emails on your organization’s behalf without permission. These could be old systems, misconfigured third-party services, or malicious actors. Identifying and removing unauthorized senders is crucial to protecting your domain from spoofing.
- Misconfigured email services (marketing platforms, CRMs, ticketing tools, etc.): Often, legitimate services fail authentication simply because SPF or DKIM wasn’t set up correctly. Marketing tools, CRM systems, newsletter platforms, and helpdesk tools must be added to your SPF record or configured with their DKIM keys to pass DMARC consistently.
- High failure rates and what they indicate: A large percentage of failed emails in your DMARC reports signals significant issues; this could point to impersonation attempts, misalignment, or important senders that aren’t authenticated. High failure rates require immediate attention to prevent deliverability loss and potential abuse of your domain.
Maitham’s Insight
“In my experience helping hundreds of organizations, the biggest DMARC mistake is overlooking third-party senders. Make inventory reviews a monthly habit—your inbox security depends on it.”
— Maitham Al Lawati, CEO, PowerDMARC
Why PowerDMARC Outperforms Generic Solutions
Unlike other DMARC tools, PowerDMARC offers:
- PGP-Encrypted Forensic Reports: Industry-leading security for sensitive data
- AI-Driven Analytics: Automated threat detection and pattern recognition
- 24/7 Expert Support: Global coverage with real technical expertise
- SOC2 Certification: Enterprise-grade compliance and security standards
- Multi-Tenant Dashboard: Perfect for MSPs managing multiple client domains
Here's why 10,000+ customers trust PowerDMARC's platform
- Huge reduction in spoofing attempts and unauthorized emails through AI-driven threat intelligence
- Faster onboarding + automated authentication management that saves IT teams hours
- Real-time threat intelligence & PGP-encrypted reporting across domains
- Better email delivery rates due to strict DMARC enforcement with expert guidance
Your first 15 days are on us
Start Free TrialNo credit card required. Instant access.
Making DMARC Reports Actionable
Reading DMARC reports is only the first step. The real value comes from translating report insights into specific actions that improve your email security posture. Here’s how to turn data into decisions:
Updating Authentication Records
When reports show authentication failures:
- Add Missing Senders: Include new IP addresses or services in your SPF record
- Configure DKIM: Set up DKIM signing for services that support it
- Fix Alignment Issues: Adjust subdomain policies or service configurations
Adjusting DMARC Policies
Use report data to safely progress through enforcement levels:
- Monitor (p=none): Collect baseline data for 2-4 weeks
- Quarantine (p=quarantine): Move to quarantine when failure rates are below 5%
- Reject (p=reject): Implement full enforcement when confident in authentication setup
Incident Response Actions
When reports indicate potential security incidents:
- Block Malicious IPs: Add suspicious sources to your security tools’ blocklists
- Alert Stakeholders: Notify security teams and executives about domain abuse attempts
- Document Patterns: Track recurring threats for trend analysis and threat intelligence
Continuous Improvement Process
- Weekly Review: Analyze new reports for emerging issues or changes
- Monthly Audit: Review all authorized senders and remove obsolete entries
- Quarterly Assessment: Evaluate overall DMARC effectiveness and policy adjustments
DMARC Best Practices
Our experts recommend automating your DMARC report analysis. PowerDMARC was built to do exactly this, helping busy IT teams stay protected without the manual hassle. Follow these recommended practices:
Automate parsing with tools
DMARC aggregate reports arrive in XML format, which can be difficult to read manually. PowerDMARC’s platform automates parsing, converts reports into dashboards or summaries, and helps your team spot alignment failures, unauthorized senders, or patterns you might’ve missed.
Review reports weekly or monthly
Consistent review ensures your team catches new issues early. Weekly reviews work well for high-volume domains, while monthly checks are enough for smaller environments. Regular monitoring ensures all your sending sources stay authenticated and aligned as your setup evolves.
Keep track of IP sources and third-party senders
DMARC reports reveal every server that’s sending mail on your organization’s behalf, even the ones you might’ve forgotten were connected. Tracking these IPs helps your team sort out which senders are legitimate and which need to be removed, authenticated, or looked into a little more closely. This becomes especially important when your organization is using several tools at once, like marketing platforms, CRMs, or ticketing systems, all firing off emails under your domain.
Maintain alignment across all sending services
Every service your organization uses has to pass SPF or DKIM and align with your domain; otherwise, DMARC will fail even when everything else looks fine. It’s easy to overlook a platform or two (especially older integrations), so it’s worth double-checking that each one is configured with the right SPF include statements or DKIM keys. When every sender lines up correctly, the whole authentication chain becomes much more stable. This keeps failure rates low and protects your domain from abuse.
DMARC Management Checklist
- Set up PowerDMARC's automated report parsing and analysis
- Review reports weekly (high-volume) or monthly (low-volume)
- Maintain inventory of all authorized sending sources
- Monitor failure rates and investigate spikes immediately
- Ensure all services maintain proper SPF/DKIM alignment with expert guidance
- Document changes and maintain audit trail
Next Step
Understanding DMARC reports is key to protecting your organization’s email domain from spoofing and phishing attacks. By following the steps in this guide, your security team can effectively monitor email authentication and take action against threats.
Key Actions to Take Now:
- Enable DMARC reporting by setting up your DNS records with rua/ruf tags
- Use PowerDMARC’s automated tools to simplify report analysis and interpretation
- Establish a regular review schedule (weekly or monthly)
- Maintain an inventory of all authorized email sending sources
- Gradually enforce stricter DMARC policies as your authentication improves
Ready to simplify your email security? PowerDMARC’s DMARC Report Reader turns complex XML data into clear, actionable insights that help protect your domain from phishing and spoofing.
Ready to Get Started?
- Start your free trial – no credit card required
- Book a demo for your IT team
- See how MSPs like Pablo Herreros achieve 100% domain security
No credit card required. Instant access.
Frequently Asked Questions (FAQs)
1. How do DMARC reports help improve email security?
They show your security team which emails pass or fail authentication, helping you detect and stop spoofing or phishing attempts targeting your domain.
2. How often are DMARC reports generated?
On PowerDMARC’s platform, DMARC reports are generated and organized daily, weekly, or monthly, depending on your organization’s preference.
3. How do I improve my DMARC score?
Your team can improve your DMARC score by fixing authentication issues, aligning your SPF and DKIM, and gradually enforcing stricter DMARC policies with expert guidance.
4. What actions can I take based on DMARC reports?
Your security team can identify unauthorized senders, adjust your email settings, and block fraudulent emails.
5. What does it mean when I get a DMARC report?
It means a receiver is sharing details about how your organization’s emails are authenticated and if any failed checks occurred.
6. Why am I getting DMARC aggregate reports?
Your organization is receiving DMARC aggregate reports because you have a DMARC record published with an rua tag. These reports are sent by email providers to help you monitor how your domain is being used for email authentication.
7. How do I check my DMARC report?
Your team can check your DMARC reports by accessing the email address specified in your rua tag, or by using PowerDMARC’s analysis platform that automatically processes and visualizes the XML data for easier interpretation.
8. Who generates DMARC reports?
DMARC reports are generated and sent by receiving email servers and major mailbox providers like Gmail, Yahoo, Outlook, and other email services that process emails from your domain.
9. Where to send DMARC reports?
DMARC reports can be sent to the email address specified in the rua tag of your DMARC record.
Your organization has two options for this:
- A dedicated mailbox you create (e.g., [email protected]).
- PowerDMARC’s automated analysis service. This is the recommended option, as we process the complex XML reports into user-friendly dashboards.
10. Who sends DMARC reports?
DMARC reports are sent by receiving mail servers and mailbox providers.
11. What information is included and excluded in a DMARC aggregate report?
DMARC aggregate reports include authentication results, source IPs, email volumes, and policy actions. They do NOT include message content, recipient addresses, or detailed forensic information for privacy and compliance reasons.
12. How can I use DMARC report data to improve my email security?
Use DMARC report insights to identify unauthorized senders, fix authentication misconfigurations, gradually enforce stricter policies, and monitor for domain abuse attempts. Regular analysis helps maintain strong email security posture.
Cybersecurity Expert, CEO at PowerDMARC
Maitham is a tech entrepreneur, cybersecurity expert, CEO and Founder of PowerDMARC with 15+ years of industry experience. Maitham holds a Global MBA from the University of Manchester and various professional certifications including CISSP, CISM, CRISC, and ISC2 CCSP.
Latest posts by Maitham Al Lawati (see all)
- Email Phishing and DMARC Statistics: 2026 Email Security Trends - January 6, 2026
- How to Fix “No SPF record found” in 2026 - January 3, 2026
- SPF Permerror: How to Fix Too Many DNS Lookups - December 24, 2025
