When you're first setting up DMARC, you'll almost certainly start with a record that includes the tags p=none and pct=100. It’s a common and correct starting point, but it can be confusing what these two tags mean, especially when used together. Let's break it down.
First, it helps to understand what a DMARC record is at a high level. At its core, DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a system that uses existing email authentication methods, SPF and DKIM, to help protect your domain from being used in phishing and spoofing attacks. As Mailjet correctly puts it, it’s a specific type of DNS record that outlines your policy.
Breaking down the 'p=none' tag
The p tag in a DMARC record stands for 'policy'. This is the most important tag because it tells receiving mail servers what action they should take when they get an email claiming to be from your domain that fails DMARC authentication checks.
When you set this policy to p=none, you are essentially putting DMARC in 'monitoring mode'. You're asking servers not to take any action, like quarantining or rejecting the email, even if it fails. As Fortinet explains, this policy simply asks the server to send reports without affecting mail flow.
This is a critical and safe first step. It allows you to start gathering DMARC reports, which provide valuable data about who is sending email on behalf of your domain. You can analyze these reports to identify all your legitimate sending sources (like your marketing platform, transactional email service, and helpdesk software) without any risk of your valid emails being blocked. Spambrella calls this out as the ideal way to test your setup.
Understanding the 'pct=100' tag
The pct tag stands for 'percentage'. This tag's purpose is to tell receivers what percentage of failing messages should be subjected to your stated DMARC policy. The value can be any whole number from 0 to 100.
So, pct=100 means that 100% of emails that fail DMARC should have the policy applied to them. This is where it gets a little tricky with p=none. The pct tag is designed for a gradual rollout of stricter policies like p=quarantine or p=reject. For example, you could start with p=quarantine; pct=5; to only send 5% of failing mail to spam, allowing you to monitor the impact before going to 100%.
However, when the policy is p=none, the pct tag is effectively redundant. Applying a "do nothing" policy to 100% of mail is the same as applying it to 10% or 50%. No action is still no action. As DMARC Director notes, the tag doesn't do anything in this state.
The combined meaning: a perfect starting point
So, when you publish a DMARC record of v=DMARC1; p=none; pct=100; rua=mailto:your-address@example.com;, you are sending a clear instruction to the world's mail servers. You're telling them:
- Monitor everything: Look at 100% of the emails sent using my domain.
- Don't interfere: Even if an email fails authentication, please deliver it as you normally would. Do not quarantine or reject it based on this policy.
- Report back to me: Send me aggregate reports (that's the rua tag's job) detailing all the activity so I can analyze it.
In short, a p=none policy with pct=100 is the universally recommended first step in a DMARC implementation journey. It provides complete visibility into your email ecosystem without impacting your mail deliverability, paving the way for a smooth and informed transition to a stricter enforcement policy later on.
