Summary
When DMARC's 'p' (policy) and 'sp' (subdomain policy) are set to 'none', the 'pct' (percentage) tag defines the portion of email messages analyzed for DMARC reporting, enabling a phased approach to DMARC implementation. While some suggest 'pct' might have limited effect in this scenario, the consensus across experts and documentation is that 'pct' allows domain owners to monitor DMARC performance and identify authentication problems without immediately impacting email deliverability. It acts as a tool to assess the impact of stricter policies (quarantine or reject) on a subset of emails, facilitating a gradual rollout strategy and informed adjustments before full enforcement. While primarily for reporting, some interpretations suggest 'pct' designates the percentage of messages failing DMARC for policy application once stricter policies are enabled. Using 'pct=100' ensures reports on all mail flow. Starting with p=none and incrementally adjusting pct supports cautious deployment, minimizing disruptions.
Key findings
- Monitoring, Not Enforcement: The 'pct' tag primarily serves to generate DMARC reports (RUA) when 'p=none', not to enforce a specific policy.
- Phased Implementation Support: The 'pct' is crucial for a phased DMARC implementation approach, allowing gradual policy enforcement.
- Risk Mitigation: The 'pct' provides insights and mitigation of risk before enforcing DMARC, allowing domain owners to ensure deliverability and avoid sending legitimate email to spam.
- Full Visibility Option: A 'pct=100' setting ensures reports (RUA) for complete email traffic monitoring are received, enhancing awareness.
- Policy Dial: 'pct' controls how many messages are impacted by stricter policies in a gradual deployment.
Key considerations
- Start with p=none: Start your initial DMARC setup with 'p=none' to prevent unintended deliverability problems.
- Monitor Regularly: Routinely monitor DMARC reports generated by the 'pct' setting and reporting to pinpoint authentication discrepancies or potential failures.
- Accurate Percentage Choice: Select a representative 'pct' and reporting value that is relative to the mail flow and is large enough to show problems.
- Test and Adjust: Prior to deploying stricter policies, test and calibrate SPF, DKIM and DMARC configurations based on insights drawn from reports.
- Compliance: Comply with RFC7489 specifications and guidelines to ensure appropriate 'pct' implementation (0-100 range).
What email marketers say
9 marketer opinions
When DMARC's 'p' (policy) and 'sp' (subdomain policy) tags are set to 'none,' the 'pct' (percentage) tag specifies the portion of emails to be analyzed for DMARC reporting. While 'p=none' doesn't enforce any action (quarantine or reject), 'pct' enables monitoring the potential impact of stricter policies on a subset of emails. This dry-run approach helps identify authentication issues and fine-tune configurations before full DMARC enforcement, minimizing the risk of false positives and deliverability problems. It's also noted that the precise application of 'pct' can be ambiguous, with differing interpretations on whether it applies to a percentage of messages that fail DMARC or all messages.
Key opinions
- Monitoring without Enforcement: The 'pct' tag allows you to monitor DMARC results through reports (RUA) without impacting email deliverability when 'p=none'.
- Dry-Run for Stricter Policies: Using 'pct' helps evaluate the potential impact of quarantine or reject policies on a smaller subset of emails before full implementation.
- Gradual Rollout: 'pct' enables a gradual rollout of DMARC policies, allowing for adjustments before enforcing stricter policies.
- Identify Authentication Issues: 'pct' setting allows you to identify and fix any authentication problems before enforcing a stricter policy.
- Ambiguity in Interpretation: There is some ambiguity in the interpretation of how 'pct' applies, specifically whether it applies to messages failing DMARC or all messages.
Key considerations
- Report Analysis: Regularly analyze DMARC reports (RUA) to understand authentication failures and potential impacts on legitimate email.
- Percentage Selection: Choose a 'pct' value that provides a representative sample of your email traffic for accurate monitoring.
- Policy Adjustment: Based on the DMARC reports, adjust your email authentication setup (SPF, DKIM) before moving to stricter DMARC policies (quarantine or reject).
- Full Visibility: Setting pct=100 ensures reports on all of your mail flow to help with monitoring.
Marketer view
Email marketer from EmailSecurityBlog.com shares that pct can be useful with p=none because it still allows you to receive aggregate reports (RUA) on a percentage of your mail flow, giving you visibility into potential DMARC failures without impacting deliverability.
24 May 2024 - EmailSecurityBlog.com
Marketer view
Email marketer from StackOverflow answers that using pct with p=none allows you to test your DMARC setup without risking deliverability issues. By analyzing DMARC reports for a sample of your email traffic, you can identify and fix any authentication problems before enforcing a stricter policy.
26 Feb 2023 - StackOverflow
What the experts say
6 expert opinions
When DMARC policies (p and sp) are set to 'none', the 'pct' tag's primary function is to enable reporting on a percentage of email traffic, even though no enforcement actions are taken. While one expert suggests 'pct' might have negligible effects except in edge cases, the consensus is that 'pct' allows domain owners to monitor DMARC performance and identify authentication issues without impacting deliverability. It acts as a dial for trust in the setup, guiding a phased deployment: starting with 'p=none', gradually increasing 'pct' with stricter policies like quarantine and reject. The 'pct' dictates the percentage of messages analyzed for reports (RUA), with a 'pct=100' setting ensuring full visibility. When 'p=reject' and 'pct=50', failing messages are split between reject and quarantine.
Key opinions
- Reporting, Not Enforcement: With 'p=none', the 'pct' tag primarily functions for generating DMARC reports (RUA), not enforcing policies.
- Phased Deployment: The 'pct' tag is instrumental in a phased DMARC deployment: 'p=none', gradual increase with stricter policies (quarantine, reject).
- Visibility Dial: The 'pct' serves as a dial to control visibility and trust in the DMARC setup.
- Full Traffic Monitoring: A 'pct=100' setting ensures reports (RUA) on all email traffic are received.
- Policy Mix: When 'p=reject', 'pct' determines how failing messages are handled (e.g., 'pct=50' splits between reject and quarantine).
Key considerations
- Early Deployment Strategy: Start with 'p=none' to avoid deliverability issues during initial DMARC setup.
- Report Analysis is Key: Regularly monitor DMARC reports (RUA) generated through the 'pct' setting to identify authentication failures.
- Percentage Selection Importance: Select 'pct' to align with traffic volume and reporting needs.
- Policy Adjustments after Reporting: Adjust authentication settings (SPF, DKIM) based on findings from reports before escalating to stricter policies.
- Gradual Increase: Gradually increase the pct while enforcing a reject or quarantine policy so that you can fix deliverability problems on a smaller set of email before increasing the pct.
Expert view
Expert from Email Geeks states that with p and sp set to none, pct will not have any effect, except possibly in some rare edge cases with specific mailing list managers.
1 Nov 2023 - Email Geeks
Expert view
Expert from Email Geeks shares early DMARC deployment advice: start with p=none, switch to quarantine at pct=1, gradually increase to 100, and then repeat with reject.
30 Oct 2023 - Email Geeks
What the documentation says
3 technical articles
Official documentation from DMARC.org, RFC7489, and Google Workspace Admin Help consistently describes the 'pct' tag in DMARC as the percentage of messages from the domain owner's mail stream to which the DMARC policy should be applied. When the policy ('p') is set to 'none', the 'pct' tag facilitates a phased adoption of DMARC, allowing administrators to gradually increase the scope of DMARC reporting. This process enables monitoring the impact of stricter policies before full implementation. The specified percentage value must be between 0 and 100 (inclusive).
Key findings
- Percentage of Mail Stream: The 'pct' tag defines the percentage of messages to which the DMARC policy is applied.
- Phased Adoption: The 'pct' tag is key for a phased DMARC adoption strategy.
- Monitoring Before Enforcement: With 'p=none', 'pct' allows monitoring the impact of stricter policies without active enforcement.
- Value Range: The 'pct' value must be between 0 and 100, inclusive.
Key considerations
- Gradual Increase: Gradually increase the 'pct' value to monitor the impact of DMARC policies on a larger portion of your mail stream.
- Policy Impact Monitoring: Carefully monitor DMARC reports to assess the impact of potential 'quarantine' or 'reject' policies before full implementation.
- RFC Compliance: Ensure that the 'pct' value complies with the RFC7489 specification.
- Integration with Reporting: Ensure that the 'pct' tag setting is integrated with your DMARC reporting mechanisms.
Technical article
Documentation from RFC7489 defines the 'pct' tag as the percentage of messages from the Domain Owner's mail stream to which the DMARC policy is to be applied. The documentation specifies that the value MUST be between 0 and 100 (inclusive).
31 Dec 2022 - RFC Editor
Technical article
Documentation from DMARC.org explains that the 'pct' tag specifies the percentage of messages to which the DMARC policy is applied. When 'p=none', it suggests receivers monitor the impact of a stricter policy before full implementation, gradually increasing the percentage to enforce the policy on more of the mail stream.
26 Jan 2024 - DMARC.org
How can DMARC reports be enriched with user-level data for better domain enforcement?
How do DMARC policies and RUA/RUF settings inherit or override each other between a domain and its subdomains?
How do I properly set up DMARC records and reporting for email authentication?
What are the DMARC requirements for BIMI and how does pct affect the policies?
What DMARC settings should I use and what are the implications of using p=reject?
What should I do if my email domain gets spoofed?
