What is the primary purpose of the DMARC 'pct' tag?

The 'pct' tag allows you to specify what percentage of emails failing DMARC authentication should have the DMARC policy (quarantine or reject) applied. Its primary purpose is to enable a phased rollout of DMARC enforcement, letting you gradually increase protection while monitoring for false positives.

If I set 'p=quarantine' and 'pct=0', what happens to emails that fail DMARC?

If you set 'p=quarantine' and 'pct=0', emails that fail DMARC authentication will not be quarantined. They will be treated as if you had a 'p=none' policy, meaning they will typically be delivered to the recipient's inbox. The 'pct=0' effectively overrides the enforcement aspect of the 'p' tag.

Is 'pct=0' the same as 'p=none'?

Functionally, 'pct=0' combined with an enforcement policy ('p=quarantine' or 'p=reject') has the same effect as 'p=none': no enforcement action is taken on failed emails. However, 'p=none' explicitly states no enforcement, making the DMARC record clearer and less prone to misinterpretation.

When should I use the 'pct' tag?

You should use the 'pct' tag when you are ready to move beyond 'p=none' and begin enforcing DMARC, but want to do so gradually. Start with a low percentage (e.g., pct=10) and slowly increase it (e.g., pct=25, pct=50, pct=100 ) while continuously monitoring your DMARC reports to ensure legitimate emails are not affected.

Does the 'pct' tag affect DMARC reports?

The 'pct' tag does not affect the generation of DMARC aggregate or forensic reports. You will still receive reports regardless of your 'pct' setting, allowing you to monitor authentication results even when no enforcement is taking place.

Does a DMARC 'pct' value of 0 mean no enforcement? - DMARC - Email authentication - Knowledge base

Illustration of a dial set to zero, symbolizing a DMARC 'pct' value of 0.

When you're setting up DMARC for your domain, you'll encounter various tags, each with a specific role. One that often causes confusion is the pct tag, which stands for percentage. It's meant to allow a gradual rollout of your DMARC policy, but its interpretation, particularly when set to 0, can be misleading.

Many people assume that setting pct=0 means no enforcement, and they're often right, but perhaps not for the reasons they think. The pct tag is designed to specify what percentage of emails failing DMARC authentication should have the policy applied. This allows you to test the waters without impacting all your legitimate mail.

The confusion arises because while pct=0 does indeed mean that none of your failed emails will be subjected to your DMARC policy, it's not a policy setting itself. It's an enforcement modifier. So, if your policy is p=quarantine but pct=0, you are effectively telling receiving servers to ignore your quarantine instruction for all emails that fail DMARC. This is a critical distinction that can impact your email security posture.

Understanding the 'pct' tag

The pct tag modifies how aggressively your chosen DMARC policy (p=none, p=quarantine, or p=reject) is applied. For example, if you set p=quarantine and pct=10, only 10% of emails that fail DMARC checks will be quarantined. The remaining 90% will be delivered as if you had a p=none policy in place. This makes pct a useful tag for gradually increasing enforcement, allowing you to monitor your DMARC reports for any legitimate mail being impacted before moving to a higher percentage.

The maximum pct value is 100, meaning your DMARC policy will be applied to all emails that fail authentication. If you don't specify the pct tag in your DMARC record, it defaults to 100, indicating full enforcement. So, implicitly, most domains already aim for full enforcement unless they explicitly set a lower percentage during their DMARC rollout.

Understanding the pct tag

The pct tag dictates what percentage of emails that fail DMARC checks will be subjected to the policy set by the p or sp tags. It applies only to messages that fail DMARC authentication. If an email passes DMARC, the pct tag is irrelevant; it will be delivered normally regardless of your policy or percentage setting.

You can find a comprehensive list of DMARC tags and their meanings to better understand how each component contributes to your overall email security strategy.

The true meaning of 'pct=0'

The statement a DMARC 'pct' value of 0 means no enforcement is largely true. When pct is set to 0, your DMARC policy, whether p=quarantine or p=reject, will not be applied to any emails that fail DMARC. In essence, it functions identically to a p=none policy, where receiving servers are instructed to take no action on unauthenticated messages, beyond reporting them.

This can be confusing, especially for those just starting with DMARC. If you intend to have no enforcement, it is clearer and more explicit to simply set your policy to p=none. Setting p=quarantine or p=reject with pct=0 is functionally equivalent to p=none in terms of actual email handling. It just adds an unnecessary layer of potential misunderstanding to your DMARC record. The best practice is to align your p and pct values to reflect your desired enforcement level accurately.

Using p=none with pct

When your DMARC record is set to p=none, emails failing DMARC authentication will be delivered to recipients' inboxes. The pct tag has no enforcement effect, as the policy itself is none. It's mainly used for data collection and monitoring.

No impact on email delivery: All emails are delivered, regardless of authentication status.
Data collection only: You still receive DMARC reports, which are crucial for analysis.

Using p=quarantine/reject with pct=0

If your DMARC record specifies p=quarantine or p=reject but you set pct=0, the enforcement policy will effectively be ignored for all failing emails. They will be treated as if you had p=none.

No immediate enforcement: Despite a stricter policy, no emails will be quarantined or rejected.
Confusing configuration: This setup provides no practical benefit over p=none and can create ambiguity for others reviewing your DMARC record.

An article from DuoCircle on the DMARC percentage tag further elaborates on how pct=0 is essentially the same as having no policy at all, reinforcing the idea that it effectively bypasses any enforcement policy you might have set for p and sp.

Gradual DMARC implementation and the 'pct' tag

The pct tag is most valuable when you're incrementally deploying DMARC. Starting with p=none is the standard recommendation to gather data without disrupting email flow. Once you're confident in your authentication setup (SPF and DKIM), you can then move to p=quarantine with a low pct value, like pct=10. This allows you to gradually increase the enforcement level as you verify that legitimate emails are passing DMARC checks. Transitioning your DMARC policy should always be done cautiously.

Example of a DMARC record with a pct tagDNS

_dmarc.yourdomain.com IN TXT "v=DMARC1; p=quarantine; pct=25; rua=mailto:reports@yourdomain.com; ruf=mailto:forensic@yourdomain.com"

In this example, only 25% of emails that fail DMARC will be quarantined. The other 75% will be delivered, giving you an opportunity to review aggregate reports and identify any misconfigurations without a full impact on your email deliverability. This phased approach is key to successfully implementing DMARC.

Illustration showing a gradual increase in DMARC enforcement with multiple dials at different percentage settings.

Ignoring the pct tag, especially when moving to stricter policies, can lead to legitimate emails being quarantined or rejected. Always ensure your p and pct tags are configured correctly, reflecting your desired level of DMARC enforcement.

Monitoring and adjusting your DMARC policy

Effective DMARC deployment hinges on continuous monitoring of your DMARC reports. These reports provide invaluable insights into your email authentication status, helping you identify legitimate emails that might be failing DMARC checks and uncover potential spoofing attempts. Without proper monitoring, you might inadvertently block valid emails or fail to protect your domain from impersonation.

A robust DMARC monitoring tool like Suped simplifies this process. Our platform offers AI-powered recommendations, providing clear, actionable steps to fix issues and strengthen your policy. You'll receive real-time alerts, and benefit from a unified platform that brings together DMARC, SPF, and DKIM monitoring with blocklist and deliverability insights. Suped also includes SPF flattening and a multi-tenancy dashboard for MSPs, making DMARC accessible and manageable for all.

Stage	DMARC Policy Example	Impact of pct Tag
Monitoring	v=DMARC1; p=none; rua=mailto:reports@yourdomain.com	No enforcement, all emails are delivered. Collects reports to assess authentication status.
Low enforcement	v=DMARC1; p=quarantine; pct=10; rua=...	10% of failed emails are quarantined. Allows for cautious policy testing.
Moderate enforcement	v=DMARC1; p=quarantine; pct=50; rua=...	50% of failed emails are quarantined. Further increases protection with ongoing monitoring.
Full enforcement	v=DMARC1; p=reject; rua=...	100% of failed emails are rejected. Provides the highest level of protection against spoofing.

By actively monitoring and iteratively adjusting your DMARC record, you can achieve robust email security without negatively impacting your legitimate email communications. Remember, DMARC is a journey, not a destination, and continuous vigilance is crucial.

In conclusion

While a DMARC 'pct' value of 0 doesn't literally mean no enforcement in the sense of removing the policy tag itself, it effectively renders any enforcement policy (p=quarantine or p=reject) inert for emails failing DMARC checks. It's crucial to understand this distinction to avoid inadvertently leaving your domain vulnerable or mismanaging your DMARC deployment.

For clear communication and effective implementation, if your goal is to have no enforcement, explicitly set your DMARC policy to p=none and use the pct tag only when you're ready to gradually ramp up enforcement to quarantine or reject. This approach ensures clarity and allows for a controlled transition to a fully enforced DMARC policy.

Remember to leverage tools like Suped for comprehensive DMARC monitoring to gain the visibility needed to make informed decisions about your email security.