diff --git a/.gitignore b/.gitignore
index e443375..b5eaed7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -108,7 +108,6 @@ ENV/
 # I/O files
 
 output/
-*.xml
 *.zip
 *.gz
 *.csv
@@ -122,4 +121,3 @@ output/
 # Data files
 *.dat
 *.mmdb
-
diff --git a/splunk/dmarc_aggregate_dashboard.xml b/splunk/dmarc_aggregate_dashboard.xml
new file mode 100644
index 0000000..7d26357
--- /dev/null
+++ b/splunk/dmarc_aggregate_dashboard.xml
@@ -0,0 +1,272 @@
+<form>
+  <label>Aggregate DMARC data</label>
+  <description>A summary of aggregate DMARC report data</description>
+  <fieldset submitButton="false" autoRun="true">
+    <input type="dropdown" token="spf_aligned" searchWhenChanged="true">
+      <label>SPF alignment</label>
+      <choice value="*">any</choice>
+      <choice value="true">true</choice>
+      <choice value="false">false</choice>
+      <default>*</default>
+    </input>
+    <input type="dropdown" token="dkim_aligned" searchWhenChanged="true">
+      <label>DKIM alignment</label>
+      <choice value="*">any</choice>
+      <choice value="true">true</choice>
+      <choice value="false">false</choice>
+      <default>*</default>
+    </input>
+    <input type="dropdown" token="passed_dmarc" searchWhenChanged="true">
+      <label>Passed DMARC</label>
+      <choice value="*">any</choice>
+      <choice value="true">true</choice>
+      <choice value="false">false</choice>
+      <default>*</default>
+    </input>
+    <input type="text" token="org_name" searchWhenChanged="true">
+      <label>Reporting organization</label>
+      <default>*</default>
+    </input>
+    <input type="text" token="source_reverse_dns" searchWhenChanged="true">
+      <label>Source reverse DNS</label>
+      <default>*</default>
+    </input>
+    <input type="text" token="header_from" searchWhenChanged="true">
+      <label>Message header from</label>
+      <default>*</default>
+    </input>
+    <input type="text" token="envelope_from" searchWhenChanged="true">
+      <label>Envelope from</label>
+      <default>*</default>
+    </input>
+    <input type="text" token="dkim_selector" searchWhenChanged="true">
+      <label>DKIM selector</label>
+      <default>*</default>
+    </input>
+    <input type="text" token="dkim_domain" searchWhenChanged="true">
+      <label>DKIM domain</label>
+      <default>*</default>
+    </input>
+    <input type="dropdown" token="disposition" searchWhenChanged="true">
+      <label>Message disposition</label>
+      <choice value="*">any</choice>
+      <choice value="none">none</choice>
+      <choice value="quarantine">quarantine</choice>
+      <choice value="reject">reject</choice>
+      <default>*</default>
+    </input>
+    <input type="text" token="source_ip_address" searchWhenChanged="true">
+      <label>Source IP address</label>
+      <default>*</default>
+    </input>
+    <input type="text" token="source_country" searchWhenChanged="true">
+      <label>Source country ISO code</label>
+      <default>*</default>
+    </input>
+    <input type="time" token="time_range" searchWhenChanged="true">
+      <label>Time range</label>
+      <default>
+        <earliest>-7d@h</earliest>
+        <latest>now</latest>
+      </default>
+    </input>
+  </fieldset>
+  <row>
+    <panel>
+      <title>SPF alignment</title>
+      <chart>
+        <search>
+          <query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=*$org_name$* source_reverse_dns=*$source_reverse_dns$* header_from=*$header_from$* envelope_from=*$envelope_from$* dkim_results{}.selector=*$dkim_selector$* dkim_results{}.domain=*$dkim_domain$* disposition=$disposition$ source_ip_address=*$source_ip_address$* source_country=$source_country$ | chart sum(message_count) by spf_aligned</query>
+          <earliest>$time_range.earliest$</earliest>
+          <latest>$time_range.latest$</latest>
+        </search>
+        <option name="charting.chart">pie</option>
+        <option name="charting.drilldown">none</option>
+      </chart>
+    </panel>
+    <panel>
+      <title>DKIM alignment</title>
+      <chart>
+        <search>
+          <query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=*$org_name$* source_reverse_dns=*$source_reverse_dns$* header_from=*$header_from$* envelope_from=*$envelope_from$* dkim_results{}.selector=*$dkim_selector$* dkim_results{}.domain=*$dkim_domain$* disposition=$disposition$ source_ip_address=*$source_ip_address$* source_country=$source_country$ | chart sum(message_count) by dkim_aligned</query>
+          <earliest>$time_range.earliest$</earliest>
+          <latest>$time_range.latest$</latest>
+        </search>
+        <option name="charting.chart">pie</option>
+        <option name="charting.drilldown">none</option>
+        <option name="height">250</option>
+      </chart>
+    </panel>
+    <panel>
+      <title>Passed DMARC</title>
+      <chart>
+        <search>
+          <query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=*$org_name$* source_reverse_dns=*$source_reverse_dns$* header_from=*$header_from$* envelope_from=*$envelope_from$* dkim_results{}.selector=*$dkim_selector$* dkim_results{}.domain=*$dkim_domain$* disposition=$disposition$ source_ip_address=*$source_ip_address$* source_country=$source_country$ | chart sum(message_count) by passed_dmarc</query>
+          <earliest>$time_range.earliest$</earliest>
+          <latest>$time_range.latest$</latest>
+        </search>
+        <option name="charting.chart">pie</option>
+        <option name="charting.drilldown">none</option>
+      </chart>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <title>Reporting organizations</title>
+      <table>
+        <search>
+          <query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=*$org_name$* source_reverse_dns=*$source_reverse_dns$* header_from=*$header_from$* envelope_from=*$envelope_from$* dkim_results{}.selector=*$dkim_selector$* dkim_results{}.domain=*$dkim_domain$* disposition=$disposition$ source_ip_address=*$source_ip_address$* source_country=$source_country$ | chart sum(message_count) by org_name | sort -sum(message_count)</query>
+          <earliest>$time_range.earliest$</earliest>
+          <latest>$time_range.latest$</latest>
+        </search>
+        <option name="drilldown">none</option>
+        <format type="number" field="sum(message_count)">
+          <option name="precision">0</option>
+        </format>
+      </table>
+    </panel>
+    <panel>
+      <title>Message sources by reverse DNS</title>
+      <table>
+        <search>
+          <query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=*$org_name$* source_reverse_dns=*$source_reverse_dns$* header_from=*$header_from$* envelope_from=*$envelope_from$* dkim_results{}.selector=*$dkim_selector$* dkim_results{}.domain=*$dkim_domain$* disposition=$disposition$ source_ip_address=*$source_ip_address$* source_country=$source_country$ | fillnull value="none" | chart sum(message_count) by source_base_domain | sort -sum(message_count)</query>
+          <earliest>$time_range.earliest$</earliest>
+          <latest>$time_range.latest$</latest>
+        </search>
+        <option name="drilldown">none</option>
+        <format type="number" field="sum(message_count)">
+          <option name="precision">0</option>
+        </format>
+      </table>
+    </panel>
+    <panel>
+      <title>Message volume by header from</title>
+      <table>
+        <search>
+          <query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=*$org_name$* source_reverse_dns=*$source_reverse_dns$* header_from=*$header_from$* envelope_from=*$envelope_from$* dkim_results{}.selector=*$dkim_selector$* dkim_results{}.domain=*$dkim_domain$* disposition=$disposition$ source_ip_address=*$source_ip_address$* source_country=$source_country$ | chart sum(message_count) by header_from  | sort -sum(message_count)</query>
+          <earliest>$time_range.earliest$</earliest>
+          <latest>$time_range.latest$</latest>
+        </search>
+        <option name="drilldown">none</option>
+        <format type="number" field="sum(message_count)">
+          <option name="precision">0</option>
+        </format>
+      </table>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <title>DMARC passage over time</title>
+      <chart>
+        <search>
+          <query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=*$org_name$* source_reverse_dns=*$source_reverse_dns$* header_from=*$header_from$* envelope_from=*$envelope_from$* dkim_results{}.selector=*$dkim_selector$* dkim_results{}.domain=*$dkim_domain$* disposition=$disposition$ source_ip_address=*$source_ip_address$* source_country=$source_country$ | chart sum(message_count) by _time,passed_dmarc</query>
+          <earliest>-7d@h</earliest>
+          <latest>now</latest>
+        </search>
+        <option name="charting.axisTitleX.text">Time</option>
+        <option name="charting.axisTitleX.visibility">visible</option>
+        <option name="charting.axisTitleY.text">Messages</option>
+        <option name="charting.axisTitleY.visibility">visible</option>
+        <option name="charting.axisTitleY2.visibility">visible</option>
+        <option name="charting.chart">line</option>
+        <option name="charting.drilldown">none</option>
+        <option name="charting.legend.placement">right</option>
+        <option name="height">280</option>
+      </chart>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <title>Message disposition over time</title>
+      <chart>
+        <search>
+          <query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=*$org_name$* source_reverse_dns=*$source_reverse_dns$* header_from=*$header_from$* envelope_from=*$envelope_from$* dkim_results{}.selector=*$dkim_selector$* dkim_results{}.domain=*$dkim_domain$* disposition=$disposition$ source_ip_address=*$source_ip_address$* source_country=$source_country$ | chart sum(message_count) by _time,disposition</query>
+          <earliest>$time_range.earliest$</earliest>
+          <latest>$time_range.latest$</latest>
+        </search>
+        <option name="charting.axisTitleX.text">Time</option>
+        <option name="charting.axisTitleY.text">Messages</option>
+        <option name="charting.chart">line</option>
+        <option name="charting.drilldown">none</option>
+      </chart>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <title>Message volume by source country</title>
+      <map>
+        <search>
+          <query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=*$org_name$* source_reverse_dns=*$source_reverse_dns$* header_from=*$header_from$* envelope_from=*$envelope_from$* dkim_results{}.selector=*$dkim_selector$* dkim_results{}.domain=*$dkim_domain$* disposition=$disposition$ source_ip_address=*$source_ip_address$* source_country=$source_country$ | iplocation source_ip_address | stats count by Country | geom geo_countries featureIdField="Country"</query>
+          <earliest>$time_range.earliest$</earliest>
+          <latest>$time_range.latest$</latest>
+        </search>
+        <option name="drilldown">none</option>
+        <option name="height">566</option>
+        <option name="mapping.type">choropleth</option>
+      </map>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <title>Source countries</title>
+      <table>
+        <search>
+          <query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=*$org_name$* source_reverse_dns=*$source_reverse_dns$* header_from=*$header_from$* envelope_from=*$envelope_from$* dkim_results{}.selector=*$dkim_selector$* dkim_results{}.domain=*$dkim_domain$* disposition=$disposition$ source_ip_address=*$source_ip_address$* source_country=$source_country$ | stats sum(message_count) by source_country | sort -sum(message_count)</query>
+          <earliest>$time_range.earliest$</earliest>
+          <latest>$time_range.latest$</latest>
+        </search>
+        <option name="count">20</option>
+        <option name="drilldown">none</option>
+        <option name="percentagesRow">false</option>
+        <format type="number" field="sum(message_count)">
+          <option name="precision">0</option>
+        </format>
+      </table>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <title>Message sources by IP address</title>
+      <table>
+        <search>
+          <query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=*$org_name$* source_reverse_dns=*$source_reverse_dns$* header_from=*$header_from$* envelope_from=*$envelope_from$* dkim_results{}.selector=*$dkim_selector$* dkim_results{}.domain=*$dkim_domain$* disposition=$disposition$ source_ip_address=*$source_ip_address$* source_country=$source_country$ | stats sum(message_count) by source_ip_address,source_reverse_dns,source_base_domain,source_country | sort -sum(message_count)</query>
+          <earliest>$time_range.earliest$</earliest>
+          <latest>$time_range.latest$</latest>
+        </search>
+        <option name="drilldown">none</option>
+        <format type="number" field="sum(message_count)">
+          <option name="precision">0</option>
+        </format>
+      </table>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <title>SPF alignment details</title>
+      <table>
+        <search>
+          <query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=*$org_name$* source_reverse_dns=*$source_reverse_dns$* header_from=*$header_from$* envelope_from=*$envelope_from$* dkim_results{}.selector=*$dkim_selector$* dkim_results{}.domain=*$dkim_domain$* disposition=$disposition$ source_ip_address=*$source_ip_address$* source_country=$source_country$ | fillnull value="none" | stats sum(message_count) by header_from,envelope_from,spf_results{}.result,spf_aligned,source_base_domain  | sort -sum(message_count)</query>
+          <earliest>$time_range.earliest$</earliest>
+          <latest>$time_range.latest$</latest>
+        </search>
+        <option name="drilldown">none</option>
+        <format type="number" field="sum(message_count)">
+          <option name="precision">0</option>
+        </format>
+      </table>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <title>DKIM alignment details</title>
+      <table>
+        <search>
+          <query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=*$org_name$* source_reverse_dns=*$source_reverse_dns$* header_from=*$header_from$* envelope_from=*$envelope_from$* dkim_results{}.selector=*$dkim_selector$* dkim_results{}.domain=*$dkim_domain$* disposition=$disposition$ source_ip_address=*$source_ip_address$* source_country=$source_country$ | fillnull value="none" | stats sum(message_count) by header_from,dkim_results{}.selector,dkim_results{}.domain,dkim_results{}.result,dkim_aligned,source_base_domain | sort -sum(message_count)</query>
+          <earliest>$time_range.earliest$</earliest>
+          <latest>$time_range.latest$</latest>
+        </search>
+        <option name="drilldown">none</option>
+      </table>
+    </panel>
+  </row>
+</form>
diff --git a/splunk/dmarc_forensic_dashboard.xml b/splunk/dmarc_forensic_dashboard.xml
new file mode 100644
index 0000000..2a73b3d
--- /dev/null
+++ b/splunk/dmarc_forensic_dashboard.xml
@@ -0,0 +1,98 @@
+<form>
+  <label>Forensic DMARC Data</label>
+  <fieldset submitButton="false" autoRun="true">
+    <input type="text" token="header_from" searchWhenChanged="true">
+      <label>Message header from</label>
+      <default>*</default>
+    </input>
+    <input type="text" token="header_to" searchWhenChanged="true">
+      <label>Message header to</label>
+      <default>*</default>
+    </input>
+    <input type="text" token="header_subject" searchWhenChanged="true">
+      <label>Message header subject</label>
+      <default>*</default>
+    </input>
+    <input type="text" token="source_ip_address" searchWhenChanged="true">
+      <label>Source IP address</label>
+      <default>*</default>
+    </input>
+    <input type="text" token="source_reverse_dns" searchWhenChanged="true">
+      <label>Source reverse DNS</label>
+      <default>*</default>
+    </input>
+    <input type="text" token="source_country" searchWhenChanged="true">
+      <label>Source country ISO code</label>
+      <default>*</default>
+    </input>
+    <input type="time" token="time_range" searchWhenChanged="true">
+      <label>Time range</label>
+      <default>
+        <earliest>-90d@d</earliest>
+        <latest>now</latest>
+      </default>
+    </input>
+  </fieldset>
+  <row>
+    <panel>
+      <title>Forensic samples</title>
+      <table>
+        <search>
+          <query>index="email" sourcetype="dmarc:forensic" parsed_sample.headers.From=*$header_from$* parsed_sample.headers.To=*$header_to$* parsed_sample.headers.Subject=*$header_subject$* source.ip_address=*$source_ip_address$* source.reverse_dns=*$source_reverse_dns$* source.country=$source_country$ | fillnull value="none" | stats count by _time,parsed_sample.headers.From,parsed_sample.headers.To,parsed_sample.headers.Reply-To,parsed_sample.headers.Subject | sort -_time</query>
+          <earliest>$time_range.earliest$</earliest>
+          <latest>$time_range.latest$</latest>
+        </search>
+        <option name="drilldown">none</option>
+        <option name="totalsRow">false</option>
+        <format type="number" field="count">
+          <option name="precision">0</option>
+        </format>
+      </table>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <title>Forensic samples by country</title>
+      <map>
+        <search>
+          <query>index="email" sourcetype="dmarc:forensic" parsed_sample.headers.From=*$header_from$* parsed_sample.headers.To=*$header_to$* parsed_sample.headers.Subject=*$header_subject$* source.ip_address=*$source_ip_address$* source.reverse_dns=*$source_reverse_dns$* source.country=$source_country$ | iplocation source.ip_address | stats count by Country | geom geo_countries featureIdField="Country"</query>
+          <earliest>$time_range.earliest$</earliest>
+          <latest>$time_range.latest$</latest>
+        </search>
+        <option name="drilldown">none</option>
+        <option name="height">519</option>
+        <option name="mapping.type">choropleth</option>
+      </map>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <title>Forensic samples by IP address</title>
+      <table>
+        <search>
+          <query>index="email" sourcetype="dmarc:forensic" sourcetype="dmarc:forensic" parsed_sample.headers.From=*$header_from$* parsed_sample.headers.To=*$header_to$* parsed_sample.headers.Subject=*$header_subject$* source.ip_address=*$source_ip_address$* source.reverse_dns=*$source_reverse_dns$* source.country=$source_country$ | fillnull value="none" | iplocation source.ip_address | stats count by source.ip_address,source.reverse_dns,Country | sort -count</query>
+          <earliest>$time_range.earliest$</earliest>
+          <latest>$time_range.latest$</latest>
+        </search>
+        <option name="drilldown">none</option>
+        <format type="number" field="count">
+          <option name="precision">0</option>
+        </format>
+      </table>
+    </panel>
+    <panel>
+      <title>Forensic samples by country ISO code</title>
+      <table>
+        <search>
+          <query>index="email" sourcetype="dmarc:forensic" parsed_sample.headers.From=*$header_from$* parsed_sample.headers.To=*$header_to$* parsed_sample.headers.Subject=*$header_subject$* source.ip_address=*$source_ip_address$* source.reverse_dns=*$source_reverse_dns$* source.country=$source_country$ | stats count by source.country | sort - count</query>
+          <earliest>$time_range.earliest$</earliest>
+          <latest>$time_range.latest$</latest>
+        </search>
+        <option name="drilldown">none</option>
+        <format type="number" field="count">
+          <option name="precision">0</option>
+        </format>
+      </table>
+    </panel>
+  </row>
+</form>