It's a common question I hear when people are first setting up DMARC. You're ready to move beyond p=none, but you're worried about accidentally blocking legitimate email. The pct (percentage) tag seems like the perfect safety net, allowing you to gradually roll out a stricter policy. But does using it mean you'll only get reports for that small percentage of emails?
The short answer is no. The DMARC pct tag does not affect the content of your aggregate (RUA) reports. You will continue to receive data on 100% of the emails sent using your domain, regardless of the pct value.
The percentage tag's sole purpose is to control how many emails that fail DMARC checks are actually subjected to your chosen policy (quarantine or reject). It’s a policy application tool, not a reporting filter.
Why reporting is separate from policy enforcement
To understand this, you have to think about the goal of DMARC. The entire system is built on the idea of gaining visibility before taking action. You start with p=none to collect data about all your email sources, legitimate or not, without impacting mail flow. This data comes in the form of DMARC aggregate reports.
When you decide to move to a quarantine or reject policy, the pct tag is used to ease into it. You might set a record like v=DMARC1; p=reject; pct=5; rua=mailto:dmarc@example.com.
In this scenario:
- Policy Enforcement: Only 5% of emails that fail DMARC will actually be rejected by the receiving server. The other 95% of failing emails will be delivered as if your policy was p=none.
- Reporting: You will receive aggregate reports that include data on 100% of the emails, showing which ones passed, which ones failed, and for the failures, whether they fell into the 5% that were rejected or the 95% that were not.
This functionality is crucial. The whole point of a staged rollout is to monitor the reports to ensure you aren't blocking legitimate mail. As Sendmarc puts it, you should "monitor reports to ensure legitimate emails aren't being affected." If your reports were limited by the pct tag, you would have a massive blind spot, defeating the purpose of the careful rollout.
How to properly use the pct tag
The pct tag is your best friend for moving from monitoring to enforcement without breaking your email deliverability. The process is straightforward and relies on the comprehensive data you get from your full aggregate reports.
- Start Small: Begin with a low percentage, such as p=quarantine; pct=10;. This is a commonly recommended starting point.
- Monitor Reports: Closely watch your aggregate reports. Look for any legitimate sending sources that are failing DMARC checks. These are the services you need to configure correctly with SPF and/or DKIM.
- Fix and Adjust: As you identify legitimate senders that are failing, fix their authentication issues.
- Increase Gradually: Once you are confident that only illegitimate mail is failing, increase the percentage. Move from 10% to 25%, then 50%, and finally to 100%. This gradual increase minimizes risk.
- Reach Full Enforcement: Once you reach pct=100, your DMARC policy is fully deployed. At this point, you can even remove the pct tag, as 100 is the default value.
Final thoughts
The DMARC pct tag is a mechanism for policy enforcement, not reporting. It allows you to safely and methodically implement a strong DMARC policy while still giving you the 100% visibility you need through aggregate reports to make informed decisions. You can, and should, use it with confidence, knowing you won't lose critical data during your transition to a more secure email posture.
