What happens if I don't include the 'pct' tag in my DMARC record?

If the 'pct' tag is omitted, the DMARC policy (p=quarantine or p=reject) defaults to applying to 100% of non-compliant emails. It behaves as if pct=100 was explicitly set.

Does the 'pct' tag affect emails when my DMARC policy is set to 'p=none'?

No, the 'pct' tag only influences enforcement actions (quarantine or reject). When your policy is 'p=none', no enforcement is taken, so the 'pct' value does not affect email delivery. However, aggregate reports are still sent.

Why would I use a 'pct' value less than 100?

Using a 'pct' value less than 100 allows for a phased deployment of DMARC enforcement. It helps you test your policy gradually, identify any legitimate sending sources that might be failing authentication, and adjust your configuration before fully enforcing the policy on all emails. This prevents accidental blocking of valid mail.

How often should I increase my 'pct' value?

The frequency of increasing your 'pct' value depends on your email volume and the complexity of your sending infrastructure. It's best to observe your DMARC reports for a few days to a week after each increase to ensure stability. Increment in small steps (e.g., 10-25%) while continuously monitoring.

Does 'pct' apply to both the domain policy ('p') and subdomain policy ('sp')?

Yes, the 'pct' tag applies to both the 'p' (domain policy) and 'sp' (subdomain policy) tags. If you specify an 'sp' tag, the 'pct' value will determine the percentage of subdomain emails that are subject to that 'sp' policy's enforcement.

What is the maximum 'pct' value in a DMARC record? - DMARC - Email authentication - Knowledge base

An envelope with a percentage sign, representing the DMARC pct tag and its impact on email.

When configuring a DMARC record, understanding each tag's role is crucial for effective email security and deliverability. One tag that often raises questions, especially for those new to DMARC, is the 'pct' tag. This tag controls the percentage of your organization's emails that are subject to your DMARC policy enforcement actions like quarantine or reject.

The 'pct' tag is a powerful tool because it allows for a gradual rollout of DMARC enforcement. Instead of immediately applying a strict policy to all your mail, you can start with a small percentage and incrementally increase it as you gain confidence in your DMARC implementation. This helps prevent legitimate emails from being incorrectly blocked or marked as spam.

Many ask about the limits of this tag, specifically, what is the maximum 'pct' value in a DMARC record? Let's delve into the details of the 'pct' tag, its range, and how it influences your DMARC policy.

What is the DMARC 'pct' tag?

The 'pct' tag, short for percentage, specifies the fraction of messages that are subject to DMARC policy enforcement. This value is expressed as an integer between 0 and 100. For example, if your DMARC policy is set to 'quarantine' and you specify pct=10, only 10% of emails failing DMARC authentication (SPF or DKIM alignment) will be quarantined. The remaining 90% would be delivered to the recipient's inbox, typically with no special handling, as if the policy was 'none'.

It's important to remember that the 'pct' tag only applies to the enforcement policies ('p=quarantine' or 'p=reject'). If your policy is set to 'p=none', the 'pct' tag has no effect on message delivery, as no enforcement action is being taken. However, it still impacts the DMARC aggregate reports, which are crucial for monitoring.

Here's an example of a DMARC record with the 'pct' tag set:

Example DMARC record with pct tagDNS

v=DMARC1; p=quarantine; pct=25; rua=mailto:reports@yourdomain.com;

Maximum 'pct' value and default behavior

The maximum 'pct' value you can specify in a DMARC record is 100. This means that 100% of emails that fail DMARC authentication for your domain will be subjected to the policy defined by your 'p' tag (either quarantine or reject).

It is also worth noting that if the 'pct' tag is not included in your DMARC record, the default behavior is to apply the DMARC policy to 100% of messages. So, explicitly setting pct=100 has the same effect as omitting the tag entirely, ensuring full enforcement of your specified DMARC policy. This approach is highlighted in resources discussing DMARC, such as this article on understanding the percentage tag.

Setting 'pct' to 100 is typically the final stage of DMARC deployment, once you have analyzed your DMARC reports and are confident that all your legitimate sending sources are properly authenticated and aligned. This level of enforcement provides the highest level of protection against email spoofing and phishing for your domain.

How 'pct' influences policy enforcement

The 'pct' tag is particularly powerful when used with enforcement policies. It allows administrators to gradually increase the severity of their DMARC policy, moving from 'p=none' to 'p=quarantine' and eventually to 'p=reject', while controlling the volume of affected mail. For instance, you could start with a 'p=quarantine' policy and a low 'pct' value, like 10%, to test the waters without causing widespread delivery issues.

Consider the scenario where your DMARC record is p=none; pct=100. This specific combination is often misunderstood, but it simply means that all email (100%) will be reported on, but no enforcement action will be taken. This is an ideal starting point for gathering data without impacting email flow, as explained in our guide What does a DMARC record that is 'p=none' and 'pct=100' mean?.

Low 'pct' value (e.g., pct=10)

Risk mitigation: Minimizes impact on legitimate email during initial DMARC deployment phases.
Data collection: Allows for continued collection of DMARC reports to identify all sending sources.
Gradual enforcement: Provides a controlled way to transition to stricter policies.

High 'pct' value (e.g., pct=100)

Maximum protection: All unauthenticated emails are subject to your DMARC enforcement policy, preventing spoofing.
Clear signal: Sends a strong signal to receiving mail servers about your domain's authenticity.
Full compliance: Achieves the full benefits of DMARC for brand reputation and security.

The special case of pct=0

While the maximum 'pct' is 100, the minimum is 0. Setting pct=0 effectively means that no enforcement action will be taken, regardless of the 'p' policy. This is similar to 'p=none' in terms of enforcement, but can still be useful for testing reporting mechanisms or temporarily disabling enforcement without changing the 'p' tag itself. For more details, see Does a DMARC 'pct' value of 0 mean no enforcement?.

A visual representation of DMARC 'pct' value increasing from a low percentage to full 100% enforcement.

Strategic deployment using the 'pct' tag

Best practices for DMARC deployment almost always recommend a phased approach, beginning with 'p=none' to gather data, then moving to 'p=quarantine' with a low 'pct' value, and gradually increasing it. This allows you to identify and correct any legitimate email streams that might fail DMARC authentication before enforcing stricter policies on all your mail.

Monitoring your DMARC reports diligently at each stage is vital. These reports provide insights into your email authentication performance, showing which sources are passing or failing SPF and DKIM, and whether DMARC alignment is successful. Tools like Suped offer comprehensive DMARC monitoring to simplify this process, giving you the insights needed to confidently adjust your 'pct' value.

As you resolve authentication issues and confirm that your legitimate emails are consistently passing DMARC, you can slowly increase your 'pct' value. Many organizations increment in steps like 10%, 25%, 50%, 75%, and finally 100%. This systematic approach minimizes the risk of inadvertently blocking important communications. We cover these steps in more detail in our article on how to safely transition your DMARC policy to quarantine or reject.

Start low: Begin with a low 'pct' value (e.g., 10% or 25%) when deploying 'p=quarantine' or 'p=reject'.
Monitor reports: Regularly review DMARC reports to ensure legitimate emails are not being affected.
Increment gradually: Increase the 'pct' value in stages, ensuring continued email deliverability at each step.
Reach 100%: Once confidence is high, set 'pct=100' to achieve full DMARC enforcement and protection.

Concluding thoughts on 'pct' and DMARC enforcement

The maximum 'pct' value in a DMARC record is 100, which signifies that your DMARC enforcement policy will apply to all emails failing authentication. This is the ultimate goal for most organizations, as it provides the highest level of defense against email impersonation and improves overall email ecosystem trust. For further details on DMARC deployment, you can consult resources like this guide on the 'pct' tag.

Achieving full DMARC enforcement with pct=100 requires careful planning, continuous monitoring, and a methodical increase of the percentage over time. By leveraging the 'pct' tag strategically, you can enhance your email security posture without disrupting critical email communications. Always monitor your DMARC reports to make informed decisions about your enforcement policy.