Does the DMARC 'pct' tag affect aggregate reports?
Michael Ko
Co-founder & CEO, Suped
Published 25 May 2025
Updated 19 Sep 2025
The DMARC (Domain-based Message Authentication, Reporting, and Conformance) standard is a critical email authentication protocol that helps protect domain owners from email spoofing and phishing attacks. It builds upon existing technologies like SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to provide a comprehensive framework for email security.
When implementing DMARC, you define policies in a DNS TXT record, telling receiving mail servers what to do with emails that fail DMARC checks. One of the tags often discussed is the 'pct' tag, which stands for 'percentage'. This tag allows you to specify a percentage of emails that should be subjected to the DMARC policy defined by the 'p' (policy) or 'sp' (subdomain policy) tags.
A common question that arises during DMARC deployment is whether the 'pct' tag also affects the DMARC aggregate reports you receive. These reports are crucial for gaining visibility into your email ecosystem and are a cornerstone of effective DMARC management. Let's delve into how the 'pct' tag interacts with your DMARC reporting.
Understanding the DMARC 'pct' tag
The 'pct' tag in a DMARC record serves a very specific purpose: it controls the percentage of *unauthenticated* emails that should be subjected to the defined DMARC policy (p=quarantine or p=reject). For example, if your DMARC record specifies p=quarantine and pct=20, only 20% of emails that fail DMARC authentication will be quarantined, while the remaining 80% will still be delivered to the inbox. This gradual enforcement mechanism is particularly useful during the initial deployment of DMARC, allowing domain owners to test their configuration without immediately impacting all their email traffic.
The key thing to understand is that the 'pct' tag directly impacts the *action* taken by receiving mail servers for emails that fail DMARC. It's a throttling mechanism for the enforcement policy, not a filter for the reporting mechanism. This distinction is crucial for understanding how your DMARC setup functions in practice.
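A minimal model of the receiver-side sampling described above, added here as an illustration and not taken from the original article or from any receiver's implementation. It assumes random per-message selection and the fallback in RFC 7489 section 6.6.4, where failing mail that 'pct' does not select gets the next-lower policy; the function names are hypothetical.

```python
import random
from collections import Counter

# Disposition for failing mail that pct does not select (RFC 7489, section 6.6.4):
# one policy level down from the published one.
NEXT_LOWER = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_record(txt):
    """Split a DMARC TXT record into tags; pct defaults to 100 when absent."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in NEXT_LOWER:
        raise ValueError("not a usable DMARC policy record")
    tags["pct"] = min(100, max(0, int(tags.get("pct", 100))))
    return tags

def disposition(tags, rng):
    """Disposition for one message that FAILED DMARC under the published policy."""
    selected = rng.random() * 100 < tags["pct"]  # assumed: random per-message sampling
    return tags["p"] if selected else NEXT_LOWER[tags["p"]]

def simulate(record, failing_messages, seed=7):
    """Tally the dispositions a receiver would apply to N failing messages."""
    tags, rng = parse_record(record), random.Random(seed)
    return Counter(disposition(tags, rng) for _ in range(failing_messages))

if __name__ == "__main__":
    # Constructed records using a documentation domain.
    for rec in ("v=DMARC1; p=quarantine; pct=20; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=reject; pct=25",
                "v=DMARC1; p=reject"):
        print(rec, "->", dict(simulate(rec, 10_000)))
```

With p=reject, the failing mail that 'pct' does not select is quarantined rather than delivered normally, which is worth factoring into a staged rollout.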
The role of aggregate reports (RUA)
DMARC aggregate reports, specified by the 'rua' tag, provide a holistic view of your domain's email traffic. These reports are XML documents sent by participating mail receivers (like Google and Yahoo) to the email address(es) you designate in your DMARC record. They contain valuable data on all emails originating from your domain, regardless of their authentication status or whether they passed DMARC. This includes information about senders, IP addresses, SPF and DKIM authentication results, and DMARC alignment status.
The primary goal of aggregate reports is to give domain owners a complete picture of their email landscape. This comprehensive data is essential for identifying legitimate sending sources that may not yet be correctly authenticated with SPF and DKIM. It also helps in detecting malicious activity, such as spoofing attempts, by showing you traffic that fails DMARC authentication and alignment.
Without aggregate reports, moving to an enforcement policy (quarantine or reject) would be like flying blind. They provide the necessary intelligence to understand and troubleshoot DMARC reports, ensuring that legitimate emails are not inadvertently blocked as you strengthen your DMARC policy.
The 'pct' tag and aggregate reports: No direct impact
To answer the central question: No, the DMARC 'pct' tag does not affect aggregate reports. Aggregate reports are designed to give you a full overview of all email traffic associated with your domain, regardless of whether a percentage of failed emails were subjected to a quarantine or reject policy. Every email sent from your domain, whether it passes DMARC, fails DMARC, or is only partially impacted by the 'pct' tag, will be included in the aggregate reports.
How 'pct' affects email enforcement
Policy action: Determines the percentage of unauthenticated emails that will be quarantined or rejected.
Gradual rollout: Allows domain owners to slowly ramp up enforcement, minimizing immediate impact.
Risk mitigation: Reduces the chance of legitimate emails being blocked due to configuration errors during DMARC setup.
How 'pct' affects aggregate reports
Full visibility: All email streams are included, regardless of their DMARC authentication status.
Comprehensive data: Reports show SPF, DKIM, and DMARC results for every message.
Monitoring tool: Essential for monitoring and identifying all legitimate and illegitimate sending sources.
The information contained within aggregate reports includes the full range of mail flows, authenticated or not. This means you will still see data about emails that failed DMARC, even if they were not subject to your 'p=quarantine' or 'p=reject' policy due to the 'pct' setting. The reports are about observation and data collection, while the 'pct' tag is about enforcement.
Therefore, even if you set pct=10, you will still receive aggregate data for 100% of your email volume, which is crucial for gaining full visibility into your sending practices and identifying potential issues.
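To see this in a report, the added example below (not part of the original article) summarizes a constructed aggregate report for a domain publishing p=quarantine with pct=20. It assumes the un-namespaced RFC 7489 report layout, in which messages skipped by sampling carry a `sampled_out` reason; the sample data and the `summarize` helper are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report (documentation domain and IP ranges), trimmed to
# the elements used below; real reports carry more fields.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published>
    <domain>example.com</domain><p>quarantine</p><pct>20</pct>
  </policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>900</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>20</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>80</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
      <reason><type>sampled_out</type></reason>
    </policy_evaluated></row></record>
</feedback>"""

def summarize(report_xml):
    """Count reported messages by DMARC result and by the disposition applied."""
    # Reports come from third parties: in production, parse them with a
    # hardened XML parser (for example defusedxml) and cap the input size.
    root = ET.fromstring(report_xml)
    summary = Counter()
    summary["pct"] = int(root.findtext("policy_published/pct", default="100"))
    for row in root.iter("row"):
        count = int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        # DMARC passes when aligned DKIM or aligned SPF passes.
        passed = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        summary["total"] += count
        summary["dmarc_pass" if passed else "dmarc_fail"] += count
        if not passed:
            summary["fail_" + ev.findtext("disposition")] += count
            if any(r.findtext("type") == "sampled_out" for r in ev.findall("reason")):
                summary["fail_sampled_out"] += count
    return dict(summary)

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key:>18}: {value}")
```

All 100 failing messages appear in the summary even though only 20 were quarantined; the other 80 are reported with disposition `none` and the `sampled_out` reason.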
Why aggregate reports remain vital during DMARC deployment
Aggregate reports are the backbone of any successful DMARC implementation. They are especially critical during the initial phases of DMARC adoption and throughout the ongoing maintenance of your email security posture. By providing a clear, unfiltered view of your email traffic, these reports enable you to make informed decisions about your DMARC policy.
| Benefit | Description |
| --- | --- |
| Full visibility | Get data on all email streams, authenticated or not, providing a complete email ecosystem overview. |
| Sender identification | Identify all legitimate senders for your domain, including third-party services like Salesforce, to ensure they are properly configured. |
| Threat detection | Spot unauthorized sending sources and potential spoofing attempts by analyzing failed DMARC traffic. |
Even with a 'pct' tag in place to temper the enforcement, aggregate reports continue to provide 100% of the data. This allows you to identify all your valid email sources and ensure they are properly authenticated before increasing the 'pct' value or moving to a stricter policy. The value of detailed and timely DMARC reporting cannot be overstated in maintaining robust email security.
The complementary roles of 'pct' and aggregate reports
The 'pct' tag in your DMARC record is a powerful tool for controlling the enforcement percentage of your DMARC policy. It allows for a staged rollout, gradually increasing the number of emails subjected to quarantine or reject actions, and reducing the risk of unintended disruptions to your legitimate email flow.
Crucially, however, the 'pct' tag does not affect the DMARC aggregate reports you receive. These reports continue to provide a complete, unfiltered view of all email traffic for your domain. This ensures that you have all the necessary data to accurately assess your email ecosystem, identify legitimate and fraudulent senders, and make informed decisions about your DMARC policy progression.
For effective DMARC management and to interpret these reports efficiently, leveraging a robust DMARC monitoring tool is essential. Suped provides comprehensive DMARC monitoring, offering AI-powered recommendations, real-time alerts, and a unified platform for all your email security needs. This helps simplify the complex data from aggregate reports and guides you towards achieving full DMARC enforcement with confidence.