When you're setting up DMARC (Domain-based Message Authentication, Reporting, and Conformance), you'll come across several tags that define your policy. One of the most important for a safe and gradual rollout is the pct or 'percentage' tag. Its purpose is to control what percentage of your emails will have your DMARC policy applied to them by receiving mail servers. This allows you to test your setup without affecting all of your mail flow at once.
The short answer is that the maximum value for the 'pct' tag in a DMARC record is 100. A value of 100 means that your DMARC policy applies to 100% of the emails sent from your domain that are checked by receivers.
Understanding the pct tag's role
The pct tag is an optional but highly recommended part of a DMARC record. Its value is an integer ranging from 0 to 100. It instructs mailbox providers on what percentage of messages failing DMARC alignment should be subjected to the policy specified in your p (policy) tag.
For example, if your DMARC record is v=DMARC1; p=quarantine; pct=10;, this tells receivers to apply the quarantine policy to only 10% of the emails that fail DMARC checks. The other 90% of failing emails will be treated as if the policy was p=none, meaning no action is taken, but you will still receive DMARC reports for them.
The default value
What happens if you don't include the pct tag in your DMARC record? In that case, the default value is 100. This means that if you publish a record like v=DMARC1; p=reject;, it is interpreted as v=DMARC1; p=reject; pct=100;. Because of this, it's very common to see fully compliant records omit the tag entirely once they reach a full enforcement policy.
Why not always use pct=100?
Jumping straight to p=reject with pct=100 can be risky. If you haven't correctly configured SPF and DKIM for all your legitimate sending services (like marketing platforms, CRMs, and support desks), you could inadvertently cause your own valid emails to be blocked. This is where a gradual rollout using the pct tag is invaluable.
The recommended approach is:
- Start at p=none. This puts DMARC in monitoring-only mode. Your record might look like v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com. At this stage, pct is irrelevant since no blocking action is taken.
- Analyse reports. Use the incoming DMARC aggregate reports to identify all your legitimate sending sources and fix any SPF or DKIM alignment issues.
- Move to p=quarantine with a low pct. Once you are confident, change your policy to p=quarantine but start with a small percentage, like pct=5 or pct=10.
- Gradually increase the percentage. As you continue to monitor reports and see no issues with legitimate mail being quarantined, you can slowly raise the pct value towards 100.
- Move to p=reject. Once you're at pct=100 with p=quarantine and everything is stable, you can repeat the gradual percentage increase process with p=reject to achieve maximum protection.
In summary, while the maximum value for pct is indeed 100, you should always approach this final state carefully. Using a staged rollout with the percentage tag is the key to a successful and disruption-free DMARC implementation that protects your domain without blocking your important emails.
