Docs / Multi-domain search

Multi-domain search

Search DMARC records across all your domains at once, filter by sender, status, and date range, then export results to CSV.

What it does

The multi-domain search tool lets you query DMARC aggregate reports from all your domains in a single place. Instead of looking at one domain's dashboard at a time, you can:

  • Find mail from a specific sender or ESP across all your domains
  • Filter by SPF or DKIM result (pass, fail, softfail, neutral)
  • Narrow by date range (last 7 days, 30 days, custom range)
  • Export matching records to CSV for analysis or audit

This is especially useful for organizations managing many domains or MSPs managing customer accounts — you get a bird's-eye view of authentication failures without jumping between dashboards.

From the sidebar in the UglyDMARC app, select Search (in the "Using UglyDMARC" section). You'll see a search interface with filters on the left and results on the right.

Building a filter

Use the filter panel to narrow results. You can combine multiple filters:

  1. Domain

    Select one or more domains to search. Leave blank to search all your domains at once.

  2. Sender / sending source

    Enter an IP address, hostname, or ESP name (e.g., 192.0.2.50 or sendgrid.net). The search matches both the source IP and reverse-DNS hostname.

  3. SPF result

    Filter by SPF alignment result: pass, fail, softfail, neutral, none. Select one or more.

  4. DKIM result

    Filter by DKIM alignment result: pass, fail, none. Select one or more.

  5. Date range

    Choose a preset (last 7 days, 30 days, 90 days) or pick custom start and end dates. Reports are aggregated over 24-hour windows.

Tip

To find all mail sources that are not aligned, filter for SPF fail + DKIM fail on the current date range. This helps you identify unauthorized senders or misconfigured vendors.

Reading results

Search results appear in a table with these columns:

  • Domain — the recipient domain
  • Sender IP — the sending mail server's IP address
  • Hostname — reverse-DNS hostname (if available)
  • ESP / Source — identified vendor (Google, Microsoft 365, SendGrid, etc.) or "Unknown"
  • SPF — alignment result (pass, fail, softfail, neutral)
  • DKIM — alignment result (pass, fail)
  • Messages — count of messages from this source in the date range
  • Last seen — most recent report date for this source on this domain

Click a row to drill into that sender's timeline on the domain dashboard, or click the domain name to open the full domain report.

Practical examples

Find all failing mail from a given ESP in the last 30 days

  1. Set the date range

    Select "Last 30 days".

  2. Search for the ESP

    Enter the ESP name (e.g., mailgun) or a known sender IP range.

  3. Filter to failures

    Check SPF fail or DKIM fail (or both).

  4. Review and export

    Scan the results for misconfigured sending IPs, then click Export CSV to share with your team or the ESP vendor.

Identify unauthorized mail on all domains

  1. Leave Domain blank

    Search across all your domains.

  2. Filter to non-aligned senders

    Select SPF fail AND DKIM fail.

  3. Review sources

    Results show mail claiming your identity but failing both authentication checks. These are high-risk sources (phishing, misconfiguration, or spoofing attempts).

  4. Take action

    Cross-reference against known legitimate vendors. Contact your ESP to correct SPF/DKIM setup, or tighten your DMARC policy (move toward p=reject).

Track a domain migration (change of email provider)

  1. Search the domain

    Pick the domain in question.

  2. Set a wide date range

    Use "Last 90 days" to capture pre- and post-migration traffic.

  3. Look for source transitions

    Old ESP IPs should drop off; new ESP IPs should appear with "Last seen" dates after the migration. Any "Last seen" dates before the migration = unexpected senders.

Exporting to CSV

After building your filter, click Export CSV at the top right of the results table. The download includes all matching records from your current filter, with the same columns as the displayed table. CSV exports are helpful for:

  • Sharing findings with your security or email team
  • Auditing historical sender changes
  • Bulk vendor notifications (attach CSV to an issue with your ESP)
  • Integration with your ticketing or SIEM system

Warning

CSV exports can contain sender IP addresses. Handle exports as sensitive data — do not leave them on unattended devices or post them in public channels.

Limits and performance

Search is powered by your DMARC report history. For optimal performance:

  • Searches across 90+ days with many domains may take a few seconds to return results
  • Report retention depends on your plan (typically 30, 90, or 365 days) — older records are not searchable
  • Maximum of 10,000 results per export; if your filter matches more, narrow the date range or domain selection

Tip

For recurring searches (e.g., "check for failures from this ESP every week"), consider the API: the /reports/search endpoint lets you automate this and trigger alerts.