The DMARC pct tag is a vital component of a DMARC record that specifies the proportion of emails from a domain that should be subject to DMARC enforcement. It determines how aggressively the DMARC policy should be applied.
In this blog, we’ll dive into what the DMARC pct tag is, why it’s essential, and how to apply it to balance email security with deliverability.
What Is the DMARC Pct Tag?
The DMARC pct tag, short for “percentage,” allows domain owners to gradually apply DMARC policies rather than immediately enforcing them on all emails. It has a value between 0 and 100, representing the percentage of emails that should be processed according to the DMARC policy.
For example, setting pct=50 in a DMARC record means that 50% of emails failing DMARC alignment will be subject to your DMARC policy (quarantine or reject). The remaining 50% will bypass enforcement and be delivered as normal.
v=DMARC1; p=reject; pct=50; rua=mailto:[email protected];
Why Is It Important?
The DMARC pct tag is crucial for gradually implementing and enforcing your DMARC policy, particularly when moving from p=none (monitoring mode) to p=reject (the strictest policy). When you first set up DMARC, you should start with a low pct value like 0 or 10, then gradually increase it over time as you monitor and analyze your Aggregate Reports. By reviewing these reports, you can identify potential security threats, such as phishing attacks or email spoofing, and take appropriate action. Additionally, the pct tag helps you track the effectiveness of your DMARC policy over time so you can make adjustments.
The pct tag has several important functions in DMARC implementation:
- Controlled DMARC Policy Rollout: It enables a phased approach to DMARC enforcement, allowing sufficient time for monitoring, testing, and fine-tuning.
- Delivery Protection: Slowly increasing the pct tag allows you to roll out your DMARC policy gradually and mitigate the potential negative impact on legitimate email flows.
- Phased Testing: The pct tag provides a safe way to test DMARC enforcement for different use cases, catching alignment issues before full implementation.
Using the Pct Tag for DMARC Policy Progression
Implementing DMARC with the pct tag involves a strategic, phased approach:
- Start with Monitoring: Begin with a “p=none” policy to gather data without affecting email delivery. Analyze your DMARC Reports to identify any issues, such as misaligned domains, incorrect SPF or DKIM configurations, or unauthorized senders.
- Partial Enforcement: As you gain confidence in your DMARC setup, introduce a stricter policy of p=quarantine with a low pct value, such as 5 or 10. That value is the percentage of your DMARC-failing emails that will be quarantined (typically delivered to spam folders).
- Incremental Increase: Gradually increase the pct value over time, monitoring your DMARC reports and resolving any issues.
- Full Enforcement: Once confident in your DMARC configuration, set p=reject with pct=100 to protect your domain completely, rejecting any emails that fail DMARC, that is, emails that pass neither SPF nor DKIM alignment.
Here’s an example of a DMARC policy progression:
Week 1: v=DMARC1; p=none; rua=mailto:[email protected];
Week 4: v=DMARC1; p=quarantine; pct=10; rua=mailto:[email protected];
Week 8: v=DMARC1; p=quarantine; pct=50; rua=mailto:[email protected];
Week 12: v=DMARC1; p=reject; pct=100; rua=mailto:[email protected];
Note: If your DMARC record has no pct= tag at all, receivers treat it as pct=100.
The exact timeline for this progression will depend on factors like the complexity of your email infrastructure and the number of third-party senders you need to work with. The key is to move forward gradually, monitor the impact, and make adjustments as needed.
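To make the pct=50 record above and the week-by-week progression concrete, here is an added example (not code from the original article or from EasyDMARC) of how a receiving mail server applies a DMARC record to a message that has already failed DMARC. It assumes RFC 7489 semantics: a missing pct tag means pct=100, and messages that fall outside the pct sample receive the next less strict policy (reject becomes quarantine, quarantine becomes none). The message ids and the rua address are constructed, and sampling uses a deterministic hash of the message id so runs are reproducible; real receivers sample randomly.

```python
# Added example, not part of the original article. Models how a receiver
# applies the pct tag to a message that has already failed DMARC, following
# RFC 7489: no pct tag means pct=100, and messages not selected by pct get
# the next less strict policy (reject -> quarantine, quarantine -> none).
import hashlib

# Policy applied to failing messages that fall outside the pct sample.
LESS_STRICT = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; pct=50; rua=...' into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in LESS_STRICT:
        raise ValueError("missing or invalid p= tag")
    pct = int(tags.get("pct", "100"))  # no pct tag is the same as pct=100
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    tags["pct"] = pct
    return tags


def in_sample(message_id, pct):
    """Deterministic stand-in for the receiver's random pct selection."""
    bucket = int(hashlib.sha256(message_id.encode()).hexdigest(), 16) % 100
    return bucket < pct


def disposition(record, message_id):
    """Disposition for a message that failed DMARC under this record."""
    tags = parse_dmarc(record)
    if in_sample(message_id, tags["pct"]):
        return tags["p"]
    return LESS_STRICT[tags["p"]]


def enforced_share(record, message_ids):
    """Fraction of failing messages that receive the record's full p= policy."""
    policy = parse_dmarc(record)["p"]
    hits = sum(disposition(record, m) == policy for m in message_ids)
    return hits / len(message_ids)
```

Running enforced_share over the same constructed set of failing message ids with the Week 4, Week 8 and Week 12 records shows the enforced fraction climbing from roughly 0.1 to 0.5 to 1.0, and disposition shows that the unsampled half under p=reject; pct=50 is quarantined rather than delivered untouched.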
Can I Leave Out the Pct?
If you don’t specify a pct tag in your DMARC record, the default behavior is pct=100: 100% of emails that fail DMARC checks will be subject to your specified policy (quarantine or reject). This is fine for established, well-tested policies, but it can pose risks during an initial DMARC rollout or when fine-tuning policies.
While this may seem like the most secure option, it can lead to significant disruptions if your email authentication setup is not properly configured. Suddenly enforcing DMARC on all your email traffic can cause legitimate emails to be blocked or quarantined, leading to delivery issues, unhappy customers, and other operational problems. In addition, all authentication failures are reported, which likely means a significant increase in DMARC reports, potentially overwhelming your email infrastructure and IT team. EasyDMARC recommends always including the pct tag and starting with a lower value to ensure a smooth DMARC implementation and gradual policy enforcement.
Conclusion
The DMARC pct tag is a powerful tool for implementing and fine-tuning email authentication policies, helping domain owners balance security and deliverability. By understanding and strategically applying the pct tag, you can ensure smooth progression to a strict DMARC policy without risking legitimate email flows. Adopting a phased approach with pct enables careful monitoring and troubleshooting, protecting your domain from spoofing and phishing threats.
Our EasyDMARC engineers can help you on your DMARC journey from p=none to p=reject. Get in touch today.