DMARC records are published in the DNS as text records and allow a domain owner to tell email receivers what to do with email that fails authentication based on the DMARC policy. As part of that record, the pct tag tells a receiving server the percentage of email messages in which the stated DMARC policy applies.
Here’s an example of a DMARC record:
In the example, the DMARC record has instructed the receiving server to reject 80% of email that fails DMARC authentication and to send a report about it to the mailto: address in the record. Here’s a description of the tags in the record:
v – This states the version 1 DMARC record. The version should always be DMARC1. An incorrect or missing DMARC version tag will cause the record to be ignored. And that’s not good because the DMARC record will be ineffective. Here are other pitfalls to avoid.
p – This tag indicates the DMARC policy. Values include p=none, p=quarantine and p=reject.
- None is used to collect feedback and gain visibility into email streams without impacting existing flows. It’s a crucial first step.
- Quarantine allows email receivers to treat email that fails the DMARC check as suspicious. Most of the time, they will end up in your SPAM folder.
- Reject does just that—it requests that email receivers reject email that fails the DMARC check.
rua – The list of URIs for receivers to send XML feedback. DMARC requires a list of URIs of the form of mailto:email@example.com
Now, more about the pct tag. Though the pct tag is optional and often shunned, it is an effective way for domain owners to gently and increasingly enact and test their DMARC policies. It provides an avenue for ensuring that legitimate email streams are flowing and that illegitimate ones are not.
By ramping up the pct tag, you can discover necessary actions and address them before establishing a 100% quarantine or reject DMARC policy. pct tag values range from 1 to 100 with 100 being the default if no pct tag is included in the DMARC record. For example, a DMARC record with p=reject; pct=50 is rejecting 50% of email; the other 50% falls back to the next lower policy in the sequence, which is quarantine in this case. With a p=reject; pct=30 record, 30% will be reject and 70% will be quarantine. The pct tag doesn’t work with p=none, the monitoring policy you use to observe all of the email on your domain.
The DMARC record below, for example, tells servers that 30% of the email messages will be quarantined to the SPAM folder:
It’s worth noting that by using the optional pct tag at less than 100%, which is the default if no pct tag is included in the DMARC record, a domain is open to potential spoofing. The ultimate goal is to reach a p=reject policy at 100%. When you reach that point, you can delete the pct tag completely since pct=100 is the default if there is no pct tag in the record. A clean, uncluttered DMARC record in its ideal policy state looks like this:
We’re here to help people understand and deploy DMARC, so get in touch with us if you have any questions. If you haven’t begun your DMARC project, we invite you to register for a free 14-day trial where you’ll get some help along the way.